Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-10-2024 08:14

General

  • Target

    465fc53fb7406b640565287a6c9b253ec523c4c1ac0e31b7d270b9e1959777c4.exe

  • Size

    1.6MB

  • MD5

    1606310132423f317a90ee2a01f048e9

  • SHA1

    3a934793eaba1a632fab519a9f58ee2d1d6ebf7e

  • SHA256

    465fc53fb7406b640565287a6c9b253ec523c4c1ac0e31b7d270b9e1959777c4

  • SHA512

    f6e6a8194fb0b6cbefc457db1b1f26461a6d4c8dda4c01b45ef82cf7749cc89a9f6c1978244e15794c59b4b618567994c4f8a27ffec8fa99f4e6c6335ecad9fc

  • SSDEEP

    24576:77jjJRtwhWDEXmJFnJjw8a4HXz9iAQEqAm4Duiw60GFkgDLJrWBvO0yjm0n:777b9D9iiqAHJwFgDLJrwvo

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
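
The MBR signature above fires on a raw write to the first sector of the disk (in this run, by the re-executed copy of the sample at PID 2744). After such a verdict the practical check on an affected host is to pull the sector and compare it with a known-good copy. The Python below is an added example, not part of the sandbox report: it parses the 512-byte layout (440 bytes of bootstrap code, the 4-byte disk signature, four 16-byte partition entries, the 0x55AA boot signature) and reports what changed between two sectors. Both sectors are constructed (a minimal boot stub and one NTFS partition entry); on a live Windows host the current sector is read with open(r"\\.\PhysicalDrive0", "rb").read(512) as Administrator. Class and function names are my own.

```python
"""Parse a 512-byte MBR and diff it against a known-good copy.

Added example, not from the sandbox report. The two sectors at the bottom are
constructed; the names parse_mbr, diff_mbr and build_sector are my own.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
BOOT_CODE_LEN = 440        # bootstrap code; the disk signature sits at 440..443
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"     # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass
class Mbr:
    boot_code_sha256: str
    disk_signature: int
    partitions: List[Partition]
    signature_ok: bool


def parse_mbr(sector: bytes) -> Mbr:
    """Decode the classic MBR layout; raises on anything but a full sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, _chs0, type_id, _chs1, lba, count = struct.unpack("<B3sB3sII", entry)
        if type_id != 0:                      # type 0x00 marks an unused slot
            parts.append(Partition(status == 0x80, type_id, lba, count))
    return Mbr(
        boot_code_sha256=hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        disk_signature=struct.unpack_from("<I", sector, 440)[0],
        partitions=parts,
        signature_ok=sector[510:512] == BOOT_SIG,
    )


def diff_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Human-readable findings; an empty list means the MBR is unchanged."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c.signature_ok:
        findings.append("boot signature 0x55AA missing: BIOS will refuse to boot the disk")
    if b.boot_code_sha256 != c.boot_code_sha256:
        findings.append("bootstrap code modified: possible bootkit or boot-sector overwrite")
    if b.disk_signature != c.disk_signature:
        findings.append("disk signature changed: BCD device references may break")
    if b.partitions != c.partitions:
        findings.append("partition table changed")
    return findings


def build_sector(boot_code: bytes) -> bytes:
    """Assemble a constructed sector: stub + disk signature + one NTFS entry."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot stub too long")
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    empty = b"\x00" * 16
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + disk_sig + ntfs + empty * 3 + BOOT_SIG


# Constructed baseline: a typical stub prologue (cli; xor ax,ax; mov ss,ax; mov sp,7C00h).
BASELINE = build_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
# Constructed "after" sector: same partition table, bootstrap replaced by other code.
TAMPERED = build_sector(b"\xeb\x58\x90" + b"NOTTHEBOOTSTUB" + b"\xb8\x00\x00")

if __name__ == "__main__":
    # On a live host: current = open(r"\\.\PhysicalDrive0", "rb").read(512)
    for line in diff_mbr(BASELINE, TAMPERED) or ["MBR unchanged"]:
        print(line)
```

The hash covers only the bootstrap area, so a legitimate disk-signature or partition change (for example after a resize) is reported separately instead of being folded into a single "modified" verdict; that distinction is what tells an MBR-overwriting sample apart from routine administration.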

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3396
      • C:\Users\Admin\AppData\Local\Temp\465fc53fb7406b640565287a6c9b253ec523c4c1ac0e31b7d270b9e1959777c4.exe
        "C:\Users\Admin\AppData\Local\Temp\465fc53fb7406b640565287a6c9b253ec523c4c1ac0e31b7d270b9e1959777c4.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA75C.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1240
          • C:\Users\Admin\AppData\Local\Temp\465fc53fb7406b640565287a6c9b253ec523c4c1ac0e31b7d270b9e1959777c4.exe
            "C:\Users\Admin\AppData\Local\Temp\465fc53fb7406b640565287a6c9b253ec523c4c1ac0e31b7d270b9e1959777c4.exe"
            4⤵
            • Executes dropped EXE
            • Writes to the Master Boot Record (MBR)
            • System Location Discovery: System Language Discovery
            PID:2744
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4976
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1780
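
The tree above is the chain worth alerting on: the sample spawns cmd.exe /c on a batch file in %TEMP% named $$aA75C.bat, that batch launches a second copy of the sample (the one that performs the MBR write) and C:\Windows\Logo1_.exe, and Logo1_.exe uses net.exe / net1.exe to stop "Kingsoft AntiVirus Service". The Python below is an added example, not part of the sandbox report; it turns that into three checks over process-creation records: a net stop against a service whose name suggests a security product, cmd.exe running a $$*.bat from %TEMP%, and an image name within edit distance 2 of a Windows system binary (the dropped C:\Windows\rundl132.exe against rundll32.exe). The event records are constructed from the tree; the keyword list, the system-binary list and all function names are my assumptions.

```python
"""Detection logic for the behaviours in the process tree above.

Added example, not part of the sandbox report. Event records are constructed
from the tree (PIDs, images and command lines copied from it); the keyword
list, the system-binary list and the function names are my own choices.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """Process-creation record, Sysmon event 1 / Security 4688 fields only."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\465fc53fb7406b640565287a6c9b253ec523c4c1ac0e31b7d270b9e1959777c4.exe")

# Constructed from the report's process tree; the final record is a benign
# control (an administrator stopping the print spooler) that must stay quiet.
EVENTS = [
    ProcEvent(2200, 3396, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1240, 2200, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA75C.bat"),
    ProcEvent(2744, 1240, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3028, 1240, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(4976, 3028, r"C:\Windows\SysWOW64\net.exe",
              'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(1780, 4976, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    ProcEvent(5000, 3396, r"C:\Windows\System32\net.exe", "net stop spooler"),
]

# Paths from the report's dropped-file list, checked by name only.
DROPPED = [r"C:\Windows\Logo1_.exe", r"C:\Windows\rundl132.exe"]

# Assumed keyword list; extend it with the security products deployed locally.
SECURITY_SERVICE_WORDS = ("antivirus", "anti-virus", "defender", "security",
                          "endpoint", "kingsoft", "sense", "wscsvc")
# Assumed list of names that droppers like to imitate.
SYSTEM_BINARIES = ("rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                   "csrss.exe", "services.exe", "winlogon.exe")

# net.exe or net1.exe, bare or as a path, followed by: stop <service>
NET_STOP = re.compile(r'(?:^|\\)net1?(?:\.exe)?"?\s+stop\s+"?([^"]+?)"?\s*$', re.I)
# A $$<anything>.bat inside the user's %TEMP%, the pattern the sample used.
TEMP_BATCH = re.compile(r'\\AppData\\Local\\Temp\\\$\$[^\\\s"]+\.bat', re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; enough to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(path: str) -> Optional[str]:
    """The system binary a file name imitates (close to, but not equal to, it)."""
    name = path.rsplit("\\", 1)[-1].lower()
    for real in SYSTEM_BINARIES:
        if name != real and edit_distance(name, real) <= 2:
            return real
    return None


def lineage(events: List[ProcEvent], pid: int) -> str:
    """Image names from pid up to the first parent missing from the event set."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return " <- ".join(chain)


def detect(events: List[ProcEvent], dropped: List[str]) -> List[Tuple[str, object, str]]:
    """Run the three checks; each alert is (rule, pid-or-path, detail)."""
    alerts = []
    for e in events:
        m = NET_STOP.search(e.cmdline)
        if m and any(w in m.group(1).lower() for w in SECURITY_SERVICE_WORDS):
            alerts.append(("stop_security_service", e.pid, m.group(1)))
        m = TEMP_BATCH.search(e.cmdline)
        if m and e.image.lower().endswith("\\cmd.exe"):
            alerts.append(("temp_batch_launch", e.pid, m.group(0)))
        real = lookalike_of(e.image)
        if real:
            alerts.append(("system_name_lookalike", e.pid, f"{e.image} ~ {real}"))
    for path in dropped:
        real = lookalike_of(path)
        if real:
            alerts.append(("system_name_lookalike", path, f"{path} ~ {real}"))
    return alerts


if __name__ == "__main__":
    for rule, where, detail in detect(EVENTS, DROPPED):
        ctx = lineage(EVENTS, where) if isinstance(where, int) else "dropped file"
        print(f"{rule:24} {detail}  [{ctx}]")
```

Both net.exe and its net1.exe child fire the service-stop rule, which is intended: net.exe usually hands the real work to net1.exe, so a rule keyed only on net.exe misses a direct net1 invocation. The lineage string is what an analyst needs to confirm the stop came from Logo1_.exe under cmd.exe rather than from an administrator's shell.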

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

      Filesize

      244KB

      MD5

      23b14640e3d1a8f6015c5fd1109d204b

      SHA1

      6dd9960e661aa9e132943ff86b201ca50f40b5c0

      SHA256

      db80fb4d1bd023167f4a88559f3f8cee8ad92f237be8b8f0122be0acb2644845

      SHA512

      932323fc060b6225a70f6792747914085b6d952c948e2b404e68d5cc3cf7e9cd2bed1cebc2c190262bf0f2963be41c0cc31ba56001f86301486e04d374b017d9

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      570KB

      MD5

      de9e360e0645c5ca6fcadc535349fd0a

      SHA1

      5c6708b6fbcb5b77b151caa0f019bfd6059daf39

      SHA256

      44e4bb89ae548437dc66df1372b524c43c847e040cbdc3f29a74b6e503808aac

      SHA512

      58a32506954131637da992fac681a673273ebb006cbc6a2f902c5363a04c5e37c05ef46051646a14dbce42b0ba00b98cd2a9c6a8c25109b721aab15b785a84ba

    • C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

      Filesize

      636KB

      MD5

      2500f702e2b9632127c14e4eaae5d424

      SHA1

      8726fef12958265214eeb58001c995629834b13a

      SHA256

      82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

      SHA512

      f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

    • C:\Users\Admin\AppData\Local\Temp\$$aA75C.bat

      Filesize

      722B

      MD5

      67413fefc78bb63bd0a6d3be23eb6a44

      SHA1

      951c4adab7b8d0b61637157be468a3571926c895

      SHA256

      20ffcb95c95c749627ff8a12b4c59b7e52dabb1ac071ff1eb59f42d47faa848c

      SHA512

      0addf9f3f990b012aee55fe87262ccc7e5d31fa185e3902fd207ddbe4f20ff592d6b0b7c16293429b7b0b8c711ff9c3cf58fd16e878ea733020598d9b71ae545

    • C:\Users\Admin\AppData\Local\Temp\465fc53fb7406b640565287a6c9b253ec523c4c1ac0e31b7d270b9e1959777c4.exe.exe

      Filesize

      1.6MB

      MD5

      dbef7929df17f21ec8427c6a5a98ca25

      SHA1

      7d059084c088f472db8e4e35f47082c4e18654cd

      SHA256

      66b0229295b9798d15a2e3d69cf59d021e26268c33bc5876a6cfe32f2e79f8b2

      SHA512

      01cafbe6c31a1666101d89cec8a7c7645fa0cc7656a7296f5dcaf63f6f3cca915d14d525d1aac4d49aa778c404882d98bdffec7f4a77fcce382f088b12a934b3

    • C:\Windows\rundl132.exe

      Filesize

      26KB

      MD5

      0a9fcb5422705ccc52b97a0f291ad9bc

      SHA1

      1464f8724a42524e5dc47483eb6288e9c34fec22

      SHA256

      85272876bcd6492a6bb54bfc95d2c4dc6d8cbee27dc11f7a60cad6620954a933

      SHA512

      f719785fecf4087ebd2ca0ff8ade00136472ab2b41dedcf3a9ecbb902f669c7449b395d0c92a9c2e6514dc48447c9eafaa54baf667f0050c42d212a08e632c3b

    • F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\_desktop.ini

      Filesize

      10B

      MD5

      688d58fa5756a393f9472937ef284c25

      SHA1

      18ee07a5ee8de4fbd046763cd4a55ef2e6c3f808

      SHA256

      e21f27bdf2d90c77d75658b5217d5af4519a6c1bfc326a109eb4a085a2b83302

      SHA512

      c84930eb323c71ffc1edac543a2f60e366de40b39a88b18dba09c1272fae0b12262f4fae496bc9546598507fc37729d829f93b101bbec4739a05be33e0010a3f

    • memory/2200-9-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2200-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3028-26-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3028-36-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3028-32-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3028-256-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3028-1233-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3028-19-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3028-4784-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3028-8-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3028-5253-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB
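
The dropped-file list above is the part of the report that converts directly into a hunt: the SHA256 values of the batch file, the renamed copy of the sample, C:\Windows\rundl132.exe and the rewritten executables under Program Files are what to look for on other hosts. The Python below is an added example, not part of the sandbox report: it copies those SHA256 values into an IOC table, walks a directory tree hashing every file once, and returns the matches. Because the report's own hashes cannot be reproduced offline, the demonstration plants one constructed file and adds its digest to the table under a label that says so; the directory layout and all function names are my assumptions.

```python
"""Sweep a directory tree for the dropped files listed in the report.

Added example, not from the sandbox report. REPORT_IOCS is copied from the
report's SHA256 values; sweep(), demo() and the planted test file are mine.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# SHA256 -> path as the sandbox recorded it (values from the report above).
REPORT_IOCS: Dict[str, str] = {
    "465fc53fb7406b640565287a6c9b253ec523c4c1ac0e31b7d270b9e1959777c4":
        r"C:\Users\Admin\AppData\Local\Temp\465fc53fb7406b640565287a6c9b253ec523c4c1ac0e31b7d270b9e1959777c4.exe",
    "db80fb4d1bd023167f4a88559f3f8cee8ad92f237be8b8f0122be0acb2644845":
        r"C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe",
    "44e4bb89ae548437dc66df1372b524c43c847e040cbdc3f29a74b6e503808aac":
        r"C:\Program Files\7-Zip\7z.exe",
    "82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c":
        r"C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe",
    "20ffcb95c95c749627ff8a12b4c59b7e52dabb1ac071ff1eb59f42d47faa848c":
        r"C:\Users\Admin\AppData\Local\Temp\$$aA75C.bat",
    "66b0229295b9798d15a2e3d69cf59d021e26268c33bc5876a6cfe32f2e79f8b2":
        r"C:\Users\Admin\AppData\Local\Temp\465fc53fb7406b640565287a6c9b253ec523c4c1ac0e31b7d270b9e1959777c4.exe.exe",
    "85272876bcd6492a6bb54bfc95d2c4dc6d8cbee27dc11f7a60cad6620954a933":
        r"C:\Windows\rundl132.exe",
    "e21f27bdf2d90c77d75658b5217d5af4519a6c1bfc326a109eb4a085a2b83302":
        r"F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\_desktop.ini",
}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (local_path, sha256, path_in_report) for every hash match under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:
                continue            # locked or vanished; log it in a real sweep
            if digest in iocs:
                hits.append((p, digest, iocs[digest]))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Build a constructed tree with one planted match and sweep it."""
    root = tempfile.mkdtemp(prefix="iocsweep_")
    planted = b"CONSTRUCTED TEST CONTENT standing in for a dropped file\n"
    os.makedirs(os.path.join(root, "Windows"))
    with open(os.path.join(root, "Windows", "rundl132.exe"), "wb") as f:
        f.write(planted)
    with open(os.path.join(root, "clean.txt"), "wb") as f:
        f.write(b"nothing to see here\n")
    # Constructed IOC: the report's hashes cannot be hit offline, so the planted
    # file's own digest is added to the table for the demonstration only.
    iocs = dict(REPORT_IOCS)
    iocs[hashlib.sha256(planted).hexdigest()] = r"C:\Windows\rundl132.exe (constructed)"
    return sweep(root, iocs)


if __name__ == "__main__":
    for local, digest, reported in demo():
        print(f"{local}\n    sha256={digest}\n    matches report entry {reported}")
```

Matching on SHA256 alone is deliberate: the MD5 and SHA1 values in the report are useful for cross-referencing other feeds, but hashing each file three times gains nothing when one strong digest already identifies it. Note that the hashes for 7z.exe, GoogleUpdateCore.exe and the .NET runtime installer are for the rewritten copies the sandbox observed, not the vendors' originals, so a hit on them on another host means that host has the same modification.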