a38f8a7e057e205d3961095a025f5014c0da0567495f2ca5a15f26d89c481026

Resubmissions

05/07/2024, 19:50

240705-yka7bsthqp 3

05/07/2024, 19:49

05/07/2024, 19:25

05/07/2024, 19:20

05/07/2024, 19:15

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InfiniteBlue (1).exe
Size

1.8MB
MD5

70b9c08114c970f97ba983227e0f08b4
SHA1

0c3c846828734aed1d74ea47253feef6f81940ac
SHA256

a38f8a7e057e205d3961095a025f5014c0da0567495f2ca5a15f26d89c481026
SHA512

dc223e4cbfe89a8d92b2042b1c8a0403b26adc7383317cbadc56602d1e9c02a4a80450ec5aa243fdb8ef3a0882a20af48c3ebb7165ca58dfe34c62691c36f5eb
SSDEEP

49152:RqrObhdGZu/xJrtcaXxfjDSVQEWnu3+w3JJn+:oExvFXpCQG3+OXn+

Score

8^/10

bootkit discovery evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	InfiniteBlue (1).exe

Disables Task Manager via registry modification
evasion

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1432	takeown.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	InfiniteBlue (1).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1976	InfiniteBlue (1).exe
1976	InfiniteBlue (1).exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	InfiniteBlue (1).exe
Token: SeDebugPrivilege	1976	InfiniteBlue (1).exe
Token: SeTakeOwnershipPrivilege	1432	takeown.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1432	1976	InfiniteBlue (1).exe	31
PID 1976 wrote to memory of 1432	1976	InfiniteBlue (1).exe	31
PID 1976 wrote to memory of 1432	1976	InfiniteBlue (1).exe	31

C:\Users\Admin\AppData\Local\Temp\InfiniteBlue (1).exe
"C:\Users\Admin\AppData\Local\Temp\InfiniteBlue (1).exe"
1⤵
- Disables RegEdit via registry modification
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\system32\takeown.exe
  "takeown.exe" /f C:\Windows\system32\LogonUI.exe
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1976-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/1976-1-0x0000000000850000-0x0000000000A1A000-memory.dmp

Filesize
1.8MB

Download
memory/1976-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1976-3-0x000000001B5C0000-0x000000001B890000-memory.dmp

Filesize
2.8MB

Download
memory/1976-4-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1976-5-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/1976-6-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1976-7-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1976-8-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download