Analysis

  • max time kernel
    15s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-08-2024 20:02

General

  • Target

    2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe

  • Size

    14.6MB

  • MD5

    3781ce7aa4b0516d0d34e319426f1171

  • SHA1

    bf54422d2de53c4fe1397382ce188ac412e6c668

  • SHA256

    e8d786577061f8b771e8dc4327d8a456e5e0aca5de42453672d20842a8413dd9

  • SHA512

    af30bfcc8f31af3433ab847b86f566a60b6349f74c55a39c31a3846e53e08c44ae136090f4e1a0d0ec42680890ab4fdc30b8601b2dfd0e44f9bd09ac58049ec7

  • SSDEEP

    196608:XyfE81fmwzIbkM3MYpLn90O5DfgIs5mFwFILAifU3WAsaVVKdmls7t:+z1KMYpr9FDfgIw9icmAse

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It loads helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh, so a DLL registered there executes every time netsh starts.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view the network configuration.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:1056
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\ppi8f.xml
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      PID:2508
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\4SRaG.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:2872
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:2772
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:3012
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\DvQn3\Dj4hU~c\p+C:\Users\Public\Pictures\DvQn3\Dj4hU~c\w C:\Users\Public\Pictures\DvQn3\Dj4hU~c\xlstat4.dll
      2⤵
        PID:2692
    • C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe -Embedding
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Users\Public\Pictures\DvQn3\Dj4hU~c\XmpLiveUD.exe
        "C:\Users\Public\Pictures\DvQn3\Dj4hU~c\XmpLiveUD.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • System Location Discovery: System Language Discovery
        PID:2576
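
    Triage of the process tree above as code. This is an added example, not part of the sandbox report or of any tool it uses: the command lines are copied from the report, the regexes, the `Finding` type and the path markers are this example's own choices, and the T-numbers are MITRE ATT&CK Enterprise techniques. It flags the three `reg add` writes that weaken UAC (with what each zeroed value does), the `netsh -f` run from a user-writable script path, the `copy /b` reassembly of two fragments into `xlstat4.dll`, and the `ipconfig /all` discovery, and it includes a small check for confirming offline that concatenated fragments hash to a listed SHA256.

```python
"""Command-line triage for the process tree in the report above.
Added example (not the sandbox's code). Sample command lines are copied from
the report; regexes, labels and path markers are this example's assumptions."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed from the report's process tree: pid -> command line.
SAMPLE_PROCESSES = {
    1596: r'"C:\Users\Admin\AppData\Local\Temp\2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe"',
    2316: r"C:\Windows\system32\cmd.exe /c ipconfig /all",
    2508: r'"C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\ppi8f.xml',
    2768: r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\4SRaG.bat"',
    2872: r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F",
    2772: r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F",
    3012: r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F",
    2692: r'"C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\DvQn3\Dj4hU~c\p+C:\Users\Public\Pictures\DvQn3\Dj4hU~c\w C:\Users\Public\Pictures\DvQn3\Dj4hU~c\xlstat4.dll',
}

# The Policies\System values the batch file zeroes, and what a value of 0 means.
UAC_VALUES = {
    "EnableLUA": "UAC disabled entirely (effective after reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
    "PromptOnSecureDesktop": "elevation prompts leave the secure desktop",
}

# Locations a standard user can write to (assumed markers, lower-case).
USER_WRITABLE_MARKERS = ("c:\\users\\public", "\\appdata\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str
    detail: str


_REG_RE = re.compile(
    r"reg(?:\.exe)?\s+add\s+(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Policies\\System\s+/v\s+(?P<name>\w+)\s+/t\s+reg_dword\s+/d\s+(?P<val>\d+)",
    re.IGNORECASE,
)
_NETSH_RE = re.compile(r'netsh(?:\.exe)?"?\s+-f\s+(?P<script>\S+)', re.IGNORECASE)
_COPY_RE = re.compile(r"copy\s+/b\s+(?P<parts>\S+\+\S+)\s+(?P<out>\S+)", re.IGNORECASE)
_IPCONFIG_RE = re.compile(r"\bipconfig(?:\.exe)?\s+/all", re.IGNORECASE)


def is_user_writable(path: str) -> bool:
    """True if the path sits under a location a non-admin user can write."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(processes: dict[int, str]) -> list[Finding]:
    """Return one Finding per command line that matches a behaviour of interest."""
    findings: list[Finding] = []
    for pid, cmd in processes.items():
        m = _REG_RE.search(cmd)
        if m and m.group("name") in UAC_VALUES and int(m.group("val")) == 0:
            name = m.group("name")
            findings.append(Finding(pid, "T1548.002 UAC bypass", f"{name}=0: {UAC_VALUES[name]}"))
            continue
        m = _NETSH_RE.search(cmd)
        if m:
            script = m.group("script")
            where = "user-writable path" if is_user_writable(script) else "system path"
            findings.append(Finding(pid, "T1546.007 Netsh Helper DLL", f"netsh runs script {script} from {where}"))
            continue
        m = _COPY_RE.search(cmd)
        if m:
            parts = m.group("parts").split("+")
            findings.append(Finding(pid, "T1027 fragment reassembly", f"{len(parts)} fragments joined into {m.group('out')}"))
            continue
        if _IPCONFIG_RE.search(cmd):
            findings.append(Finding(pid, "T1016 network configuration discovery", "ipconfig /all"))
    return findings


def reassembles_to(fragments: list[bytes], expected_sha256: str) -> bool:
    """Check that the in-order concatenation of fragments hashes to expected_sha256.
    Feed it the bytes of p and w from the Downloads list to confirm they form xlstat4.dll."""
    return hashlib.sha256(b"".join(fragments)).hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f"pid {f.pid}: {f.technique}: {f.detail}")
```

    Two caveats a practitioner should carry from this. Writing under HKLM\...\Policies\System needs an elevated token, so the three reg adds succeeding means the sample was already running elevated (consistent with the AdjustPrivilegeToken signature on PID 1596); the "UAC bypass" label records UAC being switched off for later sessions, not an escalation from medium integrity. And the 995KB + 995KB fragment sizes under Downloads are consistent with the 1.9MB xlstat4.dll, which `reassembles_to` can confirm once the three files are pulled from the sandbox.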

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\4SRaG.bat

      Filesize

      392B

      MD5

      30d6eb22d6aeec10347239b17b023bf4

      SHA1

      e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

      SHA256

      659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

      SHA512

      500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

    • C:\Users\Public\Pictures\DvQn3\Dj4hU~c\NH.txt

      Filesize

      179KB

      MD5

      197801fc836f4e66a9c7494ce8b34d7d

      SHA1

      fd8cb85cde4c300336e022af0b255c7df51ad5ff

      SHA256

      f7fab17cffd3457cf0f9539e136b420b5f817342c5dcc82c8773137969429e60

      SHA512

      2f238bb54b37240bb3ac52fc31b6fb49374005de137a2f8890e216ee9a9a93fc7192e1c56dbe8f913a807ce7b1ea0c97e762be16947d8ddb700fd00f0710c506

    • C:\Users\Public\Pictures\DvQn3\Dj4hU~c\XmpLiveUD.exe

      Filesize

      4.8MB

      MD5

      5fccddc84705ef583e1e105a706a4cea

      SHA1

      fd62980ab42f9062cb2cae7fb432169a660a9391

      SHA256

      b09997d6da86ae913039327a1ca291a405d741722be660046db75e9b76b3176c

      SHA512

      b9a690bf3c01e4e111c1139fac883265d8b97c96d9d6ae2bb4e9c303a622ab2c67b6acd058534f7afb14d9d2f0aa48eefea83d73ebaa7b972ff3c75c0723c4ac

    • C:\Users\Public\Pictures\DvQn3\Dj4hU~c\p

      Filesize

      995KB

      MD5

      5d053b14abbf373becdacfd37255d66f

      SHA1

      1cdacdcdec218ff012833c6d2112b442a93faa3e

      SHA256

      d3b68aeaa2790263fa3dcac20180301f9799b0cdcd128ae7605fe0be04fcebd0

      SHA512

      21097a855e11a75726c10e8f752e544f1b2653e31a62533e781ca684e6634c749bd8eaa8f604b0c5c2d10ab6cd945fb77e11ed9cc3390afd84c9bb1cf9b5af96

    • C:\Users\Public\Pictures\DvQn3\Dj4hU~c\w

      Filesize

      995KB

      MD5

      fca0e9a74dc82526abd10b22e4bd606a

      SHA1

      31fdb518ca35520ab41a98d56c69f18aa8291deb

      SHA256

      ad2156d8e8bb8822681724ae7130113a37894d78734ac4abed49a59b8e705101

      SHA512

      1bfdf57b3ef863ac3481504f051a446a025983560460eb3b09d46cdfb6693625de778c39f3251c91ba195b500f999d5f1df584e6e0af053ac3c08c836a347e66

    • \Users\Public\Pictures\DvQn3\Dj4hU~c\XLLiveUpdateAgent.dll

      Filesize

      935KB

      MD5

      95510f67cf120d180362fd2d3ec23d9c

      SHA1

      4787cfb2398fd3285be85e52be633f454bb48ff6

      SHA256

      9f64fdbf96b10a185c51bf9e7d6199e44a5ef3255de40a0a447cf556ac7675f0

      SHA512

      4caf48792686a89e8397813a6b0246b274986e7fdf245d0b1aa3e36b7e9de0be7b618cd483871f76769a569a7b896f5b9f461f62f4d26cedbf257cc74c69f562

    • \Users\Public\Pictures\DvQn3\Dj4hU~c\libcurl.dll

      Filesize

      706KB

      MD5

      4b5dfd7e9ac50a741b5ac6102b30cbf5

      SHA1

      c3ae8f11f12b2160055a28ee8cd0f14d215864dc

      SHA256

      8fbb6e1c42d6ea9fb1f5651d0cad370cbd36fda89035568c460193b1ae316cdc

      SHA512

      9099874416956b53bb7a8d63a215f0e40ae806d21bdad6fcdba002f35c5b3d8827c7d5e5c9500a356a7bdf7a3d402c3d8851dd0df69a72fed752277f32b210cc

    • \Users\Public\Pictures\DvQn3\Dj4hU~c\libeay32.dll

      Filesize

      1.4MB

      MD5

      ff5c63efbba91a0eec9fc645da655b4c

      SHA1

      d225ceff3601b57add69df7d854b2348a8980255

      SHA256

      e1fbb97ff3607d569d584f78ce77a9dd2cf64dca05aebdbf3e55c9711e07b3be

      SHA512

      96b963823d7a28e4d4ecd703aa26ad3d3e1d4086e09a4cc08ca88c30c9b8ceb42b7daf184e33b9175f87a566e78028cca3e6ab90ed6537598677f27b15eefce5

    • \Users\Public\Pictures\DvQn3\Dj4hU~c\libexpat.dll

      Filesize

      379KB

      MD5

      0cdb376595b90c8e40169a7332c609cc

      SHA1

      0e47e06237f27388437d8631d055e78a34b37e03

      SHA256

      31d2076066107bd04ab24ff7bbdf8271aa16dd1d04e70bd9cc492e9aa1e6c82b

      SHA512

      3062a64d412d69996d36caf7acf1dd040941ab9adf26841fcb103d4711ffcb8e3a8deaa9374042c882e1e4c3ad51e4d294498c398d2b6adf0f1c6669d6f1d94b

    • \Users\Public\Pictures\DvQn3\Dj4hU~c\ssleay32.dll

      Filesize

      371KB

      MD5

      7456818a22dad2c0965580d8bbf4cabd

      SHA1

      548714607df2ec3b7c8a22cfba3a1776e6e80861

      SHA256

      f3a288c5455b074fe9c9d5a160adeb49e84bbe1832b5fcbe8f26093215192f65

      SHA512

      13f6589bd9c0c60a3df63325c57e94129761adc558d1a65eb4c6e138e6155dd9dbe501d45edde282219dc357593458f5f84a29188d123dcb7770e7479f6a7e68

    • \Users\Public\Pictures\DvQn3\Dj4hU~c\xlstat4.dll

      Filesize

      1.9MB

      MD5

      a649287732a25bdbe4eae298947a25b5

      SHA1

      08b698b504e99aa9a996d4c2f32ef3b621f582a1

      SHA256

      0582645b1d67fbc001537d570c9018a35a9fb516f8193d672bae9994f6bb9cd9

      SHA512

      e1f58950f05f8d5488f783509a54d920ed714e759fd9bb71b69c2412698b6ecfe02399770b98ea10ff62753da55daf75b527759a01270f980bfb5cd0ac85c72e

    • memory/1596-2-0x0000000180000000-0x0000000180794000-memory.dmp

      Filesize

      7.6MB

    • memory/1596-1-0x0000000180000000-0x0000000180794000-memory.dmp

      Filesize

      7.6MB

    • memory/1596-0-0x0000000180000000-0x0000000180794000-memory.dmp

      Filesize

      7.6MB

    • memory/1596-36-0x0000000180000000-0x0000000180794000-memory.dmp

      Filesize

      7.6MB

    • memory/2576-35-0x00000000003C0000-0x0000000000429000-memory.dmp

      Filesize

      420KB