63366bfe1a68cfcbddb59b2ad7c1c4c5cce873fec32d2105d067a6a0548702f3 | Triage

Submit
Reports

Overview

overview

8

Static

static

1

1-18.py

windows7-x64

3

1-18.py

windows10-2004-x64

Sharing

General

Target

1-18.py
Size

110B
Sample

241005-tkz38s1eja
MD5

0198828033bd8c3613d000b906dd1228
SHA1

fd85f3f468d882293a88c016cba32bcbf7d439a3
SHA256

63366bfe1a68cfcbddb59b2ad7c1c4c5cce873fec32d2105d067a6a0548702f3
SHA512

2a4f00eec9f721184b59fa670400d56079495c20dea58aa6f14afd9558bedbc0a0e0c3d10de46f7b5e01a31afdfabc11ec687ea7dc0cb2f89cac5e8554927bd2

Score

8^/10

bootkit discovery persistence privilege_escalation

Static task

static1

Behavioral task

behavioral1

Sample

1-18.py

Resource

win7-20240903-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

1-18.py

Resource

win10v2004-20240802-en

bootkit discovery persistence privilege_escalation

windows10-2004-x64

28 signatures

150 seconds

Malware Config

Targets

- Target
  
  1-18.py
- Size
  
  110B
- MD5
  
  0198828033bd8c3613d000b906dd1228
- SHA1
  
  fd85f3f468d882293a88c016cba32bcbf7d439a3
- SHA256
  
  63366bfe1a68cfcbddb59b2ad7c1c4c5cce873fec32d2105d067a6a0548702f3
- SHA512
  
  2a4f00eec9f721184b59fa670400d56079495c20dea58aa6f14afd9558bedbc0a0e0c3d10de46f7b5e01a31afdfabc11ec687ea7dc0cb2f89cac5e8554927bd2
Score

8^/10

discovery bootkit persistence privilege_escalation
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

bootkitdiscoverypersistenceprivilege_escalation

© 2018-2025

Terms | Privacy