bf17843d7b4820828188de09cf351f6be435de32c6876fffc7952a63b9a71bde

Analysis

max time kernel
100s
max time network
118s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
31-10-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inst.exe
Size

3.9MB
MD5

f9f52016bd031244dd8228708ae070e0
SHA1

85b2e0f45ead4169c9fe1b1afcfdb345a050f307
SHA256

bf17843d7b4820828188de09cf351f6be435de32c6876fffc7952a63b9a71bde
SHA512

6a91ca5bc6abb094076004551f77d3efa3b470ff9eba2fffa2273441b73c4d4d570235d1ca6416e84711e1ec7c72a51429e2498efebd942c4a02b7072a6be8d4
SSDEEP

98304:FlBo/r7J2a4FL8VdL0hvADfHraEk1qhJonrnYVIq:NoD7x4yVdDfLa8kg

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation	inst.exe

Executes dropped EXE 1 IoCs

pid	Process
1316	AgreementViewer.exe

Loads dropped DLL 3 IoCs

pid	Process
4016	inst.exe
4016	inst.exe
1316	AgreementViewer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	inst.exe
File opened for modification	\??\PHYSICALDRIVE0	inst.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\360\360Safe\{0E3B1A5A-34AD-44fa-8754-BA99C769E55F}.tf	inst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgreementViewer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4016	inst.exe
4016	inst.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4016	inst.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4016	inst.exe
4016	inst.exe
4016	inst.exe
4016	inst.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4016	inst.exe
4016	inst.exe
4016	inst.exe
4016	inst.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4016	inst.exe
1316	AgreementViewer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 1316	4016	inst.exe	90
PID 4016 wrote to memory of 1316	4016	inst.exe	90
PID 4016 wrote to memory of 1316	4016	inst.exe	90

C:\Users\Admin\AppData\Local\Temp\inst.exe
"C:\Users\Admin\AppData\Local\Temp\inst.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Users\Admin\AppData\Local\Temp\{580F64A1-72AA-4a57-9FE0-60E146B65076}.tmp\AgreementViewer.exe
  "C:\Users\Admin\AppData\Local\Temp\{580F64A1-72AA-4a57-9FE0-60E146B65076}.tmp\AgreementViewer.exe" /Content="C:\Users\Admin\AppData\Local\Temp\{580F64A1-72AA-4a57-9FE0-60E146B65076}.tmp\letter.rtf" /Title="致360安全卫士用户的一封信" /ShowERC
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{18E63D36-A259-4c10-B54A-94EDA1C4C929}.tmp\360P2SP.dll

Filesize
688KB

MD5
d875875eb3282b692ab10e946ea22361

SHA1
34bcef8a8cb0e1db44671892ac3cbd74d3c541a8

SHA256
0eca2e140f973b2011c633d4d92e512a1f77e1da610cfe0f4538c0b451270016

SHA512
972466310d3c145141320584b5f3e431c6888bda2ba1036f85e68e534ed6fb97ba04cbd46d8d9c401dc5857100dc1bff1bad82b50514f3e5c582522f22fd2b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3AC8D2AD-EC88-4c91-B7A9-0390F914B889}.tmp

Filesize
4KB

MD5
fb5980c478894a0d0999e0541b2eb1d3

SHA1
05a5f8499a04c2898ea4bb896934dde343020293

SHA256
5d297c94d94529bb652405c76bfdd7b2d8365cc6cddc72310ab250242ea12145

SHA512
8a4facd941685cafa4878992e59bf31c2288cb722d69f3b4fbee43d0ce8d4d8563c7d6f01a40b578fed0393d21b7007b018ed0b7bf3a7933e319290db0ec7009

Download Submit
C:\Users\Admin\AppData\Local\Temp\{56362A34-5A79-4d71-8F95-B767E9305146}.tmp

Filesize
2KB

MD5
28a99d7f6f6331ad7912bec237d508d5

SHA1
247715d921b1d90b401d2ea4f372ef3e5ddfdf5c

SHA256
72d936e41f4c9ae8c66e5bf8e58a6b6653651372acd3f198fc9a28fc7325beec

SHA512
b8cd448f724b41dfcbad1dd4d73e7a9eb0aafdcf02229f179125dd0a76a8b180a3a88cb3a51eab5eb4fad87daeb087de2a6c188ffe22f4876334f4025f9fbb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{580F64A1-72AA-4a57-9FE0-60E146B65076}.tmp\AgreementViewer.exe

Filesize
1.6MB

MD5
1d25b2913c139d96cac373f308221c27

SHA1
de255c8cf9cfd6768b08d52615935b63b02090c5

SHA256
6395b9fa2df40c5f45467a3a042a97ee48a162cd52d9a24e839d347013fedf2e

SHA512
f79de06f60895f4ca7ffd06340aed83206d0f61d16dcd61046cc265ed619e027369448fe593564df58543768ddf9c50b370d6abb9b997b50333fbfed21ca71f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{580F64A1-72AA-4a57-9FE0-60E146B65076}.tmp\letter.rtf

Filesize
1KB

MD5
b25819a7e2e15a5f7af4e83aa90749f6

SHA1
646c6102018e46127837d4a3c613fd7b2f5e4700

SHA256
03501ad0692e1cba2fcfbe863f2430c345d02cddb8657f180e3d150af6823e45

SHA512
55a37ee0fa6658563681229ddc92a65a72e9cf44d5e382aed8c07666ea2790b1beeccaf9cc9eaa7093a832300603276f707fe5fb58dcb090a81c1be818bfb1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{580F64A1-72AA-4a57-9FE0-60E146B65076}.tmp\sites.dll

Filesize
1.4MB

MD5
b6573421fa6713e7060af7298af28804

SHA1
59a58d8dec778c6937cf261f16a5ef3aad9de315

SHA256
23d2b040f587a2823b2aa35a1de221fa485c78f2ba230a38913ba149a0458b5d

SHA512
431f1ecb1c269bddcc4466f0c60149cab0ea7684a58e0394fb5c80180a7eefa0476f0894c9371fb889e5f20e3487e03b534624e270dba1ce2cb70acbfa248336

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7A8BCCE6-7FA1-4279-B0E2-68FF03DC896F}.tmp

Filesize
1KB

MD5
23545f16d9df345985bd3219e1c63186

SHA1
6135202057e821c169417ecf79dce850c1909cd5

SHA256
c0c661230b1bd30f5f76e2a68bb0120f27fb274779953a5393e22bb5a1dcc624

SHA512
8475a26e973fd49bfa22703de41996b7e95287154de030b6ed4364b0cbdbe4bef9be2f46fac649a460be6c5feb4086224323e36b7c18c6070e98d2e20e2d234b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9CFDA8DD-A5F2-46ba-9566-D4093ABF76B0}.tmp

Filesize
1KB

MD5
402c9d31e2079948e743562cb48af2a6

SHA1
5111e39a19e0675a44369e03d4a82132f0d12977

SHA256
d82df7afa80ab17cf1d298488c66902f192034b6bb18176f5bd5c5b74e348e79

SHA512
27510489faa6562507cbdb0b5f545d9124d6ba59d41a65224dd6089a9c8331279ce83905b26d41453255bda660fbaae957e0e17d43350dfcb86603888177c760

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll

Filesize
1.4MB

MD5
a2ff2c72e739e0cf4c73b623444ca39d

SHA1
ff886e63c894a20f30c136a8264cfa33d41b8331

SHA256
c1eb83993c85e01ee6ae84eb6e05744ff8c3ccc02c41d09c22286e3012ef46fc

SHA512
844dab35a1625d5bf1bd814a36fb80d5670d3dfee5cf65ad8be53784b486dcc08898b7577a323c7c7e1e83655f861ea86c5453cfa4c3d55353d329ef3af6320b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes\NewInstallAir\NewInstallAir.ui

Filesize
1.1MB

MD5
44c8df596b52856eb1d3fe2e37cbde4d

SHA1
4aadbeef9dc6cd4ccac758ebdb852915c09545df

SHA256
ecdda2fb9eb27f1b56349e2abfe90ce2f8741b982a3dd6d248e7d93e6b75de2c

SHA512
ea94ed1662efd2f6d91b4d05059dfadd8f290eedbb45433e33f3b4e3729822a40e0c63d319f2041f3f1738650219200d594ced9e36b558aff0a494fab53a0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes\theme_NewInstallAir.xml

Filesize
27KB

MD5
8074e9740a0e3cfda172ad1983c72a05

SHA1
b6d006adaff1fd059268517b6bd5610ef15d3ba9

SHA256
e4ed337a562aac81005d451cfd4aef721cf067ecbc6d1057601aefc41ee83e26

SHA512
f6680cf19b512060b6ed1c0f88c8ee31a1be456a37204cb63073e0ac58a2b0f544dcc0dabf0829f28687c2842043d21d41b2f172cb15698316ebf0f2bc89c445

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A8518060-5C54-4f4f-9979-DE267FE7BC6D}.tmp

Filesize
1KB

MD5
bbf46f99e48e0c21241025dfd79f1a87

SHA1
e8644f8faa90edf7e7f06d327e6bf2112d92bee7

SHA256
c0ec75b44dbecb80d621d4600d124544536efb0a5e40b4cd927f9f8145c61f94

SHA512
64f02d1ff552cff477f41978c00e257a96abcc1f5a589d3f0113118e5dcd5c74dacf38898c9d9152537b0a112823abdfbbc005cec069b140607d9d2af4e73f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AF62559F-FA26-4fd9-BA17-7E1E402EE70C}.tmp

Filesize
14KB

MD5
10af715dfb97b8a187f81555c8e6068b

SHA1
c108e08d53a6ec711f1ba70fdbd7561ce483cbcd

SHA256
ee7f804a1c73b6d6935ff731ae87aefbbd1abe16dc5ff315c5d8d91e283c902d

SHA512
fdca596438fdd60c88de69367abc70d6cbff318d8381eb4155fa257690f26d95c9a13131f676654bed27be458a6df67cbe1d713de9826cf955723f6a92fc5bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CA34F080-81FD-4a79-9E26-A1DADA2A222B}.tmp

Filesize
631B

MD5
b3e4f2b3bfd945dcfb8b89597d62c33a

SHA1
3671807b21cfa22a9f22e97b91c55c5b45b50059

SHA256
6c393360869431bd8d770afad267493bf9c4ed25080983b2e4608f51bb3e258c

SHA512
315779049170da71baab255f14a1ac2e0b0fb914a9ba023b3d7e1189b9d42bb0636c78d4d10771fe194c78424cf06f1e267037dab67b12d370dffe41c3756dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DB87C788-E2F1-4075-AC37-4784C42027C1}.tmp

Filesize
15KB

MD5
3641846128e0a27a28ca0dba8942b896

SHA1
88c40c9923ab48e0c01883a773e297541ce49882

SHA256
cbf7cd45fe193e0a438ce14b0176077762e984f897091a682f9e866983da9174

SHA512
15910e5a279f17ea06618cb8dcbb64fe8f8e6f5061fc14bca6a92ff2795cf64eaceb2067104358a014079550ca1b4f24200935e2f10b1ede6622d94794047550

Download Submit
memory/1316-93-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/4016-47-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/4016-34-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download