3a3ccd72e07241dc8037fa38626058f25767f9f7a78ee68a372632841004ee79

Analysis

max time kernel
141s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 03:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DBFManager.exe
Size

1.4MB
MD5

1c049946735089036f664e195c384bdc
SHA1

51be44344e0649281585b8f7182a2bda5cedcba4
SHA256

f58001de63539de3ccee1f17ae5960c2c3eb382f590ef264cca7885271a96aef
SHA512

1c0f27408268ed5750fa93d7a80c48af64acd4139f78880ebde839fe38ab47578475070d3956921abdc9ed4deda2af8c3ce7e8ca7575689e017791465bc324f5
SSDEEP

24576:n3TlQecqWNtXw9vBw517N8MocQqpKp68HRXYA6TmnQEPY1478eADQloZytIfN8:nfcVNt4W5H1f46oRIibQm787DQztI18

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	DBFManager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484F66B6-50EE-657B-A8E6-932C81A54D0B}\1.0\ = "RAServer 1.0 Type Library"	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\ = "Obexecar.Memec"	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\InprocServer32\ = "C:\\Windows\\SysWOW64\\AppIdPolicyEngineApi.dll"	DBFManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\ProgID	DBFManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484F66B6-50EE-657B-A8E6-932C81A54D0B}	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\TypeLib\	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\ProgID\	DBFManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484F66B6-50EE-657B-A8E6-932C81A54D0B}\1.0\0	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484F66B6-50EE-657B-A8E6-932C81A54D0B}\1.0\0\win32\	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\VersionIndependentProgID\ = "AppIdPolicyEngineApi.AppIdPolicyHelper"	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484F66B6-50EE-657B-A8E6-932C81A54D0B}\1.0\	DBFManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\TypeLib	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\ProgID\ = "AppIdPolicyEngineApi.AppIdPolicyHelper.1"	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484F66B6-50EE-657B-A8E6-932C81A54D0B}\	DBFManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484F66B6-50EE-657B-A8E6-932C81A54D0B}\1.0\FLAGS	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484F66B6-50EE-657B-A8E6-932C81A54D0B}\1.0\FLAGS\ = "0"	DBFManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\InprocServer32	DBFManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\Programmable	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\TypeLib\ = "{484F66B6-50EE-657B-A8E6-932C81A54D0B}"	DBFManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\Version	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\Version\ = "1.0"	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\InprocServer32\	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484F66B6-50EE-657B-A8E6-932C81A54D0B}\1.0\0\	DBFManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484F66B6-50EE-657B-A8E6-932C81A54D0B}\1.0\0\win32	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484F66B6-50EE-657B-A8E6-932C81A54D0B}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\RAServer.exe"	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\Version\	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\Programmable\	DBFManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484F66B6-50EE-657B-A8E6-932C81A54D0B}\1.0	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484F66B6-50EE-657B-A8E6-932C81A54D0B}\1.0\FLAGS\	DBFManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\VersionIndependentProgID	DBFManager.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D88A5B39-4733-456D-8CBB-35AB0C2FEA0F}\VersionIndependentProgID\	DBFManager.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2448	DBFManager.exe
2448	DBFManager.exe
2448	DBFManager.exe
2448	DBFManager.exe

C:\Users\Admin\AppData\Local\Temp\DBFManager.exe
"C:\Users\Admin\AppData\Local\Temp\DBFManager.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2448-1-0x0000000000320000-0x000000000036C000-memory.dmp

Filesize
304KB

Download
memory/2448-9-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2448-8-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2448-7-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2448-6-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2448-5-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2448-4-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2448-3-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2448-2-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2448-0-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/2448-19-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2448-25-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2448-24-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2448-42-0x0000000002B20000-0x0000000002B22000-memory.dmp

Filesize
8KB

Download
memory/2448-23-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2448-22-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2448-21-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2448-20-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2448-41-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2448-40-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2448-39-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2448-38-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/2448-37-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2448-36-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/2448-35-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2448-34-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2448-33-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/2448-32-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2448-31-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2448-30-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2448-29-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2448-28-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2448-27-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2448-26-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2448-18-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2448-17-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2448-16-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2448-15-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2448-14-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2448-13-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2448-12-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2448-11-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2448-10-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2448-45-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2448-44-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2448-43-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/2448-47-0x0000000000320000-0x000000000036C000-memory.dmp

Filesize
304KB

Download
memory/2448-46-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/2448-48-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2448-49-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads