2bc671285340102bb3c1b4d1249786a651ee5ca7a13ee9f6b62daf7e7bea7f3d

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 00:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c4180a225d071508ac5656717a9cb30N.exe
Size

4.1MB
MD5

2c4180a225d071508ac5656717a9cb30
SHA1

d194c4ccbdaee11c4bae4f23b6214a9fe0b40815
SHA256

2bc671285340102bb3c1b4d1249786a651ee5ca7a13ee9f6b62daf7e7bea7f3d
SHA512

cbda49d38c9daa0f0a74e7ff60cb14de346d8b428ab6ce432011f957a9c4d913c6b2610b9a7e38ac7dbfe6e098b3c760fee1cb928c9d5d68e6811c1338e0b24a
SSDEEP

98304:0w2CYJJBGb5A9dGpQkiSNEVA0qss9du/akQrBB:fw0ASCcIm9du/MrB

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2c4180a225d071508ac5656717a9cb30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c4180a225d071508ac5656717a9cb30N.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	2c4180a225d071508ac5656717a9cb30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	2c4180a225d071508ac5656717a9cb30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "db8fc3b6f39435e8e8937aca1bde1004"	2c4180a225d071508ac5656717a9cb30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	2c4180a225d071508ac5656717a9cb30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}	2c4180a225d071508ac5656717a9cb30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "59B586569F4A7A943F11639E1A3ECF85"	2c4180a225d071508ac5656717a9cb30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2c4180a225d071508ac5656717a9cb30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2c4180a225d071508ac5656717a9cb30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	2c4180a225d071508ac5656717a9cb30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}	2c4180a225d071508ac5656717a9cb30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories	2c4180a225d071508ac5656717a9cb30N.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2116	2c4180a225d071508ac5656717a9cb30N.exe
2116	2c4180a225d071508ac5656717a9cb30N.exe
2116	2c4180a225d071508ac5656717a9cb30N.exe
2116	2c4180a225d071508ac5656717a9cb30N.exe
2116	2c4180a225d071508ac5656717a9cb30N.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2116	2c4180a225d071508ac5656717a9cb30N.exe
2116	2c4180a225d071508ac5656717a9cb30N.exe
2116	2c4180a225d071508ac5656717a9cb30N.exe
2116	2c4180a225d071508ac5656717a9cb30N.exe
2116	2c4180a225d071508ac5656717a9cb30N.exe

C:\Users\Admin\AppData\Local\Temp\2c4180a225d071508ac5656717a9cb30N.exe
"C:\Users\Admin\AppData\Local\Temp\2c4180a225d071508ac5656717a9cb30N.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2116-29-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads