47e0da4442134986f0b78bc8a0161026b1bd77e748dbf2757eb711886b9f9c44

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hl.exe
Size

29.6MB
MD5

d5738b50bc6cf709f96cd9f9e7f4e50c
SHA1

8b588497b7b67807fadf1834c16e9f554f7fbf4b
SHA256

47e0da4442134986f0b78bc8a0161026b1bd77e748dbf2757eb711886b9f9c44
SHA512

fdce18b94bd8ee5f63d9c87ceb6a79f9424eb3fd61c55add3414c065e7d91f9f94ba2ad4ce04fcd8d860887ce8617598413e171b34ad205b6068f16513197e24
SSDEEP

786432:nmWxUTU+QOpwZS1nkZPLtghhtdK3hu0c:FIzGZakpLtghhtqpc

Score

10^/10

bootkit evasion persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
376	XmpLiveUD.exe

Loads dropped DLL 6 IoCs

pid	Process
376	XmpLiveUD.exe
376	XmpLiveUD.exe
376	XmpLiveUD.exe
376	XmpLiveUD.exe
376	XmpLiveUD.exe
376	XmpLiveUD.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	XmpLiveUD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2776	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2368	hl.exe
Token: 33	1576	mmc.exe
Token: SeIncBasePriorityPrivilege	1576	mmc.exe
Token: 33	1576	mmc.exe
Token: SeIncBasePriorityPrivilege	1576	mmc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2368	hl.exe
2368	hl.exe
1576	mmc.exe
1576	mmc.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2076	2368	hl.exe	30
PID 2368 wrote to memory of 2076	2368	hl.exe	30
PID 2368 wrote to memory of 2076	2368	hl.exe	30
PID 2076 wrote to memory of 2776	2076	cmd.exe	32
PID 2076 wrote to memory of 2776	2076	cmd.exe	32
PID 2076 wrote to memory of 2776	2076	cmd.exe	32
PID 2368 wrote to memory of 2812	2368	hl.exe	33
PID 2368 wrote to memory of 2812	2368	hl.exe	33
PID 2368 wrote to memory of 2812	2368	hl.exe	33
PID 2368 wrote to memory of 2576	2368	hl.exe	35
PID 2368 wrote to memory of 2576	2368	hl.exe	35
PID 2368 wrote to memory of 2576	2368	hl.exe	35
PID 2576 wrote to memory of 708	2576	cmd.exe	37
PID 2576 wrote to memory of 708	2576	cmd.exe	37
PID 2576 wrote to memory of 708	2576	cmd.exe	37
PID 2576 wrote to memory of 2652	2576	cmd.exe	38
PID 2576 wrote to memory of 2652	2576	cmd.exe	38
PID 2576 wrote to memory of 2652	2576	cmd.exe	38
PID 2576 wrote to memory of 2540	2576	cmd.exe	39
PID 2576 wrote to memory of 2540	2576	cmd.exe	39
PID 2576 wrote to memory of 2540	2576	cmd.exe	39
PID 2368 wrote to memory of 3060	2368	hl.exe	40
PID 2368 wrote to memory of 3060	2368	hl.exe	40
PID 2368 wrote to memory of 3060	2368	hl.exe	40
PID 1576 wrote to memory of 376	1576	mmc.exe	43
PID 1576 wrote to memory of 376	1576	mmc.exe	43
PID 1576 wrote to memory of 376	1576	mmc.exe	43
PID 1576 wrote to memory of 376	1576	mmc.exe	43

C:\Users\Admin\AppData\Local\Temp\hl.exe
"C:\Users\Admin\AppData\Local\Temp\hl.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2776
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\5JC7u.xml
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\IZY4v.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:708
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:2652
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:2540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\9385P\QlZ7n~z\p+C:\Users\Public\Pictures\9385P\QlZ7n~z\w C:\Users\Public\Pictures\9385P\QlZ7n~z\xlstat4.dll
  2⤵
  PID:3060

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Public\Pictures\9385P\QlZ7n~z\XmpLiveUD.exe
  "C:\Users\Public\Pictures\9385P\QlZ7n~z\XmpLiveUD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\IZY4v.bat

Filesize
392B

MD5
30d6eb22d6aeec10347239b17b023bf4

SHA1
e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

SHA256
659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

SHA512
500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

Download Submit
C:\Users\Public\Pictures\9385P\QlZ7n~z\NH.txt

Filesize
179KB

MD5
feb10bda16c8e89f2d168de8b6d844f1

SHA1
1095b60598383b59a5a47bb136d0f76ea3716910

SHA256
c08145dbc62e0b4a53ad4616f118ffddcfdf616510827c38d32d48f2d449c5ae

SHA512
e8dec65e4cba86a2d91bd858e02e292e36b63ccdc519d56c05bf015d7537f35840386aafa7c1a2b005646d90931ec1b7b922442f5a370f3363cd8b75d892b2fb

Download Submit
C:\Users\Public\Pictures\9385P\QlZ7n~z\XLLiveUpdateAgent.dll

Filesize
935KB

MD5
95510f67cf120d180362fd2d3ec23d9c

SHA1
4787cfb2398fd3285be85e52be633f454bb48ff6

SHA256
9f64fdbf96b10a185c51bf9e7d6199e44a5ef3255de40a0a447cf556ac7675f0

SHA512
4caf48792686a89e8397813a6b0246b274986e7fdf245d0b1aa3e36b7e9de0be7b618cd483871f76769a569a7b896f5b9f461f62f4d26cedbf257cc74c69f562

Download Submit
C:\Users\Public\Pictures\9385P\QlZ7n~z\XmpLiveUD.exe

Filesize
4.8MB

MD5
5fccddc84705ef583e1e105a706a4cea

SHA1
fd62980ab42f9062cb2cae7fb432169a660a9391

SHA256
b09997d6da86ae913039327a1ca291a405d741722be660046db75e9b76b3176c

SHA512
b9a690bf3c01e4e111c1139fac883265d8b97c96d9d6ae2bb4e9c303a622ab2c67b6acd058534f7afb14d9d2f0aa48eefea83d73ebaa7b972ff3c75c0723c4ac

Download Submit
C:\Users\Public\Pictures\9385P\QlZ7n~z\p

Filesize
995KB

MD5
a2383bbda4e193f703c2b6d52c7fcb72

SHA1
95abbc6622e310ed7770e5bb7fb497d597f9fc0a

SHA256
e5feea5b901be47ef42fadcefa3021759efa26d82a0a9018d7f676d19fb80584

SHA512
0007d1e38b8a474b105fdc584c8fc6557db61f5bea351fa179df79e487d16692ff819ef380eae390bc29c98341788a3d96bfb9d118114358c6ba2dd1ae598421

Download Submit
C:\Users\Public\Pictures\9385P\QlZ7n~z\w

Filesize
995KB

MD5
9e34ac72723b9acd7741d6d2800c04d0

SHA1
fff230abdf0d6c139613e8824841dcfd85a1bafc

SHA256
59f0d1f5254aa994ee478d4aacb8ff72f57d11ba47838f3dcc9dfd8406d5ad8e

SHA512
5306ad4f317a55d3293002d8f289030f2c6ac0608c9f73e14d3a0e81d3e5ab856f6e5076d863c6a0c666a0414ba0fa65d88174b393ad6ca21e65f7a5a8eeb050

Download Submit
C:\Users\Public\Pictures\9385P\QlZ7n~z\xlstat4.dll

Filesize
1.9MB

MD5
07a2934c00c8c1c20e42e6e028f77bca

SHA1
b6fbe06fd7c0704511344a9dad5edc72bbc996ef

SHA256
44e93469c0608590e95420cc04636a7f10b49292ce1b7a24b5e68436f7b7bb80

SHA512
84d6938d3b7200c34ed296b5dfc880fe06a183fd7d2b87d30a33378c8fabd4a9cc0feda3a9eede5d26362799977709c326204bdb9ef3e53b0eea9c350f329cbd

Download Submit
\Users\Public\Pictures\9385P\QlZ7n~z\libcurl.dll

Filesize
706KB

MD5
4b5dfd7e9ac50a741b5ac6102b30cbf5

SHA1
c3ae8f11f12b2160055a28ee8cd0f14d215864dc

SHA256
8fbb6e1c42d6ea9fb1f5651d0cad370cbd36fda89035568c460193b1ae316cdc

SHA512
9099874416956b53bb7a8d63a215f0e40ae806d21bdad6fcdba002f35c5b3d8827c7d5e5c9500a356a7bdf7a3d402c3d8851dd0df69a72fed752277f32b210cc

Download Submit
\Users\Public\Pictures\9385P\QlZ7n~z\libeay32.dll

Filesize
1.4MB

MD5
ff5c63efbba91a0eec9fc645da655b4c

SHA1
d225ceff3601b57add69df7d854b2348a8980255

SHA256
e1fbb97ff3607d569d584f78ce77a9dd2cf64dca05aebdbf3e55c9711e07b3be

SHA512
96b963823d7a28e4d4ecd703aa26ad3d3e1d4086e09a4cc08ca88c30c9b8ceb42b7daf184e33b9175f87a566e78028cca3e6ab90ed6537598677f27b15eefce5

Download Submit
\Users\Public\Pictures\9385P\QlZ7n~z\libexpat.dll

Filesize
379KB

MD5
0cdb376595b90c8e40169a7332c609cc

SHA1
0e47e06237f27388437d8631d055e78a34b37e03

SHA256
31d2076066107bd04ab24ff7bbdf8271aa16dd1d04e70bd9cc492e9aa1e6c82b

SHA512
3062a64d412d69996d36caf7acf1dd040941ab9adf26841fcb103d4711ffcb8e3a8deaa9374042c882e1e4c3ad51e4d294498c398d2b6adf0f1c6669d6f1d94b

Download Submit
\Users\Public\Pictures\9385P\QlZ7n~z\ssleay32.dll

Filesize
371KB

MD5
7456818a22dad2c0965580d8bbf4cabd

SHA1
548714607df2ec3b7c8a22cfba3a1776e6e80861

SHA256
f3a288c5455b074fe9c9d5a160adeb49e84bbe1832b5fcbe8f26093215192f65

SHA512
13f6589bd9c0c60a3df63325c57e94129761adc558d1a65eb4c6e138e6155dd9dbe501d45edde282219dc357593458f5f84a29188d123dcb7770e7479f6a7e68

Download Submit
memory/376-35-0x0000000000880000-0x00000000008E9000-memory.dmp

Filesize
420KB

Download
memory/2368-2-0x0000000180000000-0x0000000180794000-memory.dmp

Filesize
7.6MB

Download
memory/2368-0-0x0000000180000000-0x0000000180794000-memory.dmp

Filesize
7.6MB

Download
memory/2368-1-0x0000000180000000-0x0000000180794000-memory.dmp

Filesize
7.6MB

Download
memory/2368-36-0x0000000180000000-0x0000000180794000-memory.dmp

Filesize
7.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads