Analysis

  • max time kernel
    84s
  • max time network
    83s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    31-10-2024 08:24

General

  • Target

    inst.exe

  • Size

    3.9MB

  • MD5

    f9f52016bd031244dd8228708ae070e0

  • SHA1

    85b2e0f45ead4169c9fe1b1afcfdb345a050f307

  • SHA256

    bf17843d7b4820828188de09cf351f6be435de32c6876fffc7952a63b9a71bde

  • SHA512

    6a91ca5bc6abb094076004551f77d3efa3b470ff9eba2fffa2273441b73c4d4d570235d1ca6416e84711e1ec7c72a51429e2498efebd942c4a02b7072a6be8d4

  • SSDEEP

    98304:FlBo/r7J2a4FL8VdL0hvADfHraEk1qhJonrnYVIq:NoD7x4yVdDfLa8kg

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system. The signature is raised on the write itself, so corroborate it by dumping sector 0 of the analysis disk before and after the run and comparing the bootstrap code and partition table.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
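To follow up the "Writes to the Master Boot Record" signature above, here is an added Python example (not part of this report, the sandbox, or the sample) that parses a 512-byte MBR sector, checks the 0x55AA boot signature, and reports which region (bootstrap code, disk signature, partition entries) differs between two captures. The boot-code stubs and the partition layout are constructed for the demonstration; `read_sector0` assumes a raw disk image, or `\\.\PhysicalDrive0` on Windows run as administrator.

```python
"""Parse and diff a 512-byte MBR sector. Added example, not taken from the sandbox report."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOTSTRAP_END = 440            # bytes 0-439: bootstrap code
DISK_SIG_OFFSET = 440          # bytes 440-443: disk signature, 444-445: normally zero
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510-511
# status, CHS start (3 bytes skipped), type, CHS end (3 bytes skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


@dataclass(frozen=True)
class PartitionEntry:
    status: int
    type_code: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80


def mbr_is_valid(mbr: bytes) -> bool:
    """A sector is only an MBR if it is 512 bytes and ends with 0x55 0xAA."""
    return len(mbr) == MBR_SIZE and mbr[510:512] == BOOT_SIGNATURE


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    return [
        PartitionEntry(*struct.unpack_from(ENTRY_FMT, mbr, PARTITION_TABLE_OFFSET + 16 * i))
        for i in range(4)
    ]


def bootstrap_sha256(mbr: bytes) -> str:
    """Digest of the boot code only, convenient for comparing against a known-good baseline."""
    return hashlib.sha256(mbr[:BOOTSTRAP_END]).hexdigest()


def diff_mbr(before: bytes, after: bytes) -> List[str]:
    """Return human-readable findings describing what changed between two sector-0 captures."""
    findings: List[str] = []
    if not mbr_is_valid(after):
        findings.append("boot signature 0x55AA missing or sector is not 512 bytes")
    if before[:BOOTSTRAP_END] != after[:BOOTSTRAP_END]:
        findings.append("bootstrap code (bytes 0-439) modified")
    if before[DISK_SIG_OFFSET:PARTITION_TABLE_OFFSET] != after[DISK_SIG_OFFSET:PARTITION_TABLE_OFFSET]:
        findings.append("disk signature / reserved bytes (440-445) modified")
    for i, (old, new) in enumerate(zip(parse_partition_table(before), parse_partition_table(after))):
        if old != new:
            findings.append(f"partition entry {i} changed: {old} -> {new}")
    return findings


def read_sector0(path: str) -> bytes:
    """Read the first sector from a raw image, or from r'\\\\.\\PhysicalDrive0' on Windows (admin)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(bootstrap: bytes, entries: List[PartitionEntry]) -> bytes:
    """Constructed sector for the demonstration; real MBRs carry ~440 bytes of boot code."""
    if len(bootstrap) > BOOTSTRAP_END or len(entries) > 4:
        raise ValueError("bootstrap too long or too many partition entries")
    sector = bytearray(MBR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    for i, e in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i,
                         e.status, e.type_code, e.lba_start, e.sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-ins for boot code; not taken from any real sample.
CLEAN_STUB = bytes.fromhex("fa33c08ed0bc007c")  # cli; xor ax,ax; mov ss,ax; mov sp,0x7c00
ROGUE_STUB = bytes.fromhex("eb3c90")             # jmp short +0x3c; nop
SAMPLE_LAYOUT = [PartitionEntry(status=0x80, type_code=0x07, lba_start=2048, sectors=204800)]

if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_STUB, SAMPLE_LAYOUT)
    tampered = build_sample_mbr(ROGUE_STUB, SAMPLE_LAYOUT)
    print("bootstrap sha256 before:", bootstrap_sha256(clean))
    print("bootstrap sha256 after: ", bootstrap_sha256(tampered))
    for finding in diff_mbr(clean, tampered):
        print("-", finding)
```

In practice the "before" capture is the clean VM snapshot's sector 0 and the "after" capture is taken once the sample has exited; a changed bootstrap region with an unchanged partition table is the classic bootkit footprint, while a changed disk signature alone is more often an installer or imaging tool.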

Processes

  • C:\Users\Admin\AppData\Local\Temp\inst.exe
    "C:\Users\Admin\AppData\Local\Temp\inst.exe"
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1652

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\{00B16168-7418-464e-A20F-2FE98BFBB9FA}.tmp

    Filesize

    15KB

    MD5

    3641846128e0a27a28ca0dba8942b896

    SHA1

    88c40c9923ab48e0c01883a773e297541ce49882

    SHA256

    cbf7cd45fe193e0a438ce14b0176077762e984f897091a682f9e866983da9174

    SHA512

    15910e5a279f17ea06618cb8dcbb64fe8f8e6f5061fc14bca6a92ff2795cf64eaceb2067104358a014079550ca1b4f24200935e2f10b1ede6622d94794047550

  • C:\Users\Admin\AppData\Local\Temp\{280AEB34-1F5B-49d7-AABC-6E0978E7B395}.tmp

    Filesize

    1KB

    MD5

    402c9d31e2079948e743562cb48af2a6

    SHA1

    5111e39a19e0675a44369e03d4a82132f0d12977

    SHA256

    d82df7afa80ab17cf1d298488c66902f192034b6bb18176f5bd5c5b74e348e79

    SHA512

    27510489faa6562507cbdb0b5f545d9124d6ba59d41a65224dd6089a9c8331279ce83905b26d41453255bda660fbaae957e0e17d43350dfcb86603888177c760

  • C:\Users\Admin\AppData\Local\Temp\{5C1A6AC7-69C7-40cc-A78F-29ADA35015BB}.tmp

    Filesize

    14KB

    MD5

    10af715dfb97b8a187f81555c8e6068b

    SHA1

    c108e08d53a6ec711f1ba70fdbd7561ce483cbcd

    SHA256

    ee7f804a1c73b6d6935ff731ae87aefbbd1abe16dc5ff315c5d8d91e283c902d

    SHA512

    fdca596438fdd60c88de69367abc70d6cbff318d8381eb4155fa257690f26d95c9a13131f676654bed27be458a6df67cbe1d713de9826cf955723f6a92fc5bbb

  • C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll

    Filesize

    1.4MB

    MD5

    a2ff2c72e739e0cf4c73b623444ca39d

    SHA1

    ff886e63c894a20f30c136a8264cfa33d41b8331

    SHA256

    c1eb83993c85e01ee6ae84eb6e05744ff8c3ccc02c41d09c22286e3012ef46fc

    SHA512

    844dab35a1625d5bf1bd814a36fb80d5670d3dfee5cf65ad8be53784b486dcc08898b7577a323c7c7e1e83655f861ea86c5453cfa4c3d55353d329ef3af6320b

  • C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes\NewInstallAir\NewInstallAir.ui

    Filesize

    1.1MB

    MD5

    44c8df596b52856eb1d3fe2e37cbde4d

    SHA1

    4aadbeef9dc6cd4ccac758ebdb852915c09545df

    SHA256

    ecdda2fb9eb27f1b56349e2abfe90ce2f8741b982a3dd6d248e7d93e6b75de2c

    SHA512

    ea94ed1662efd2f6d91b4d05059dfadd8f290eedbb45433e33f3b4e3729822a40e0c63d319f2041f3f1738650219200d594ced9e36b558aff0a494fab53a0e47

  • C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes\theme_NewInstallAir.xml

    Filesize

    27KB

    MD5

    8074e9740a0e3cfda172ad1983c72a05

    SHA1

    b6d006adaff1fd059268517b6bd5610ef15d3ba9

    SHA256

    e4ed337a562aac81005d451cfd4aef721cf067ecbc6d1057601aefc41ee83e26

    SHA512

    f6680cf19b512060b6ed1c0f88c8ee31a1be456a37204cb63073e0ac58a2b0f544dcc0dabf0829f28687c2842043d21d41b2f172cb15698316ebf0f2bc89c445

  • C:\Users\Admin\AppData\Local\Temp\{A5370464-B0CC-4705-B6EA-97C53D4E704F}.tmp\360P2SP.dll

    Filesize

    688KB

    MD5

    d875875eb3282b692ab10e946ea22361

    SHA1

    34bcef8a8cb0e1db44671892ac3cbd74d3c541a8

    SHA256

    0eca2e140f973b2011c633d4d92e512a1f77e1da610cfe0f4538c0b451270016

    SHA512

    972466310d3c145141320584b5f3e431c6888bda2ba1036f85e68e534ed6fb97ba04cbd46d8d9c401dc5857100dc1bff1bad82b50514f3e5c582522f22fd2b5c

  • memory/1652-34-0x0000000004410000-0x0000000004411000-memory.dmp

    Filesize

    4KB

  • memory/1652-47-0x0000000004410000-0x0000000004411000-memory.dmp

    Filesize

    4KB
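The General and Downloads sections above give four digests for the submitted binary and for each dropped file. As an added example (not part of this report or of any tool the report uses), the following Python script hashes a file with all four algorithms, matches it against an IOC table built from three of the report's entries, and flags a record that matches on some algorithms but not others, which points to a mis-transcribed hash rather than a true match. The hash strings are copied from the report; the file names, the `IocRecord` structure and the constructed test bytes are assumptions for the example, and SSDEEP is omitted because it needs a non-standard library.

```python
"""Hash a file and match it against IOC records from the sandbox report. Added example."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


@dataclass(frozen=True)
class IocRecord:
    name: str
    md5: str
    sha1: str
    sha256: str
    sha512: str

    def digest(self, algo: str) -> str:
        return getattr(self, algo)


# Digests copied from the report; names are the paths the report lists.
IOC_TABLE: List[IocRecord] = [
    IocRecord(
        "inst.exe",
        "f9f52016bd031244dd8228708ae070e0",
        "85b2e0f45ead4169c9fe1b1afcfdb345a050f307",
        "bf17843d7b4820828188de09cf351f6be435de32c6876fffc7952a63b9a71bde",
        "6a91ca5bc6abb094076004551f77d3efa3b470ff9eba2fffa2273441b73c4d4d"
        "570235d1ca6416e84711e1ec7c72a51429e2498efebd942c4a02b7072a6be8d4",
    ),
    IocRecord(
        r"{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll",
        "a2ff2c72e739e0cf4c73b623444ca39d",
        "ff886e63c894a20f30c136a8264cfa33d41b8331",
        "c1eb83993c85e01ee6ae84eb6e05744ff8c3ccc02c41d09c22286e3012ef46fc",
        "844dab35a1625d5bf1bd814a36fb80d5670d3dfee5cf65ad8be53784b486dcc0"
        "8898b7577a323c7c7e1e83655f861ea86c5453cfa4c3d55353d329ef3af6320b",
    ),
    IocRecord(
        r"{A5370464-B0CC-4705-B6EA-97C53D4E704F}.tmp\360P2SP.dll",
        "d875875eb3282b692ab10e946ea22361",
        "34bcef8a8cb0e1db44671892ac3cbd74d3c541a8",
        "0eca2e140f973b2011c633d4d92e512a1f77e1da610cfe0f4538c0b451270016",
        "972466310d3c145141320584b5f3e431c6888bda2ba1036f85e68e534ed6fb97"
        "ba04cbd46d8d9c401dc5857100dc1bff1bad82b50514f3e5c582522f22fd2b5c",
    ),
]


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream the file once and feed every hasher, so large samples are read a single time."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_record(digests: Dict[str, str], rec: IocRecord) -> Set[str]:
    """Names of the algorithms on which the computed digests equal the record's digests."""
    return {algo for algo in ALGORITHMS if digests[algo] == rec.digest(algo).lower()}


def match_iocs(digests: Dict[str, str], table: List[IocRecord]) -> List[Tuple[IocRecord, Set[str]]]:
    hits: List[Tuple[IocRecord, Set[str]]] = []
    for rec in table:
        matched = match_record(digests, rec)
        if matched:
            hits.append((rec, matched))
    return hits


def is_partial(matched: Set[str]) -> bool:
    """Matching on some algorithms but not all means a bad record (or a collision): verify before acting."""
    return 0 < len(matched) < len(ALGORITHMS)


def ioc_record_from_bytes(name: str, data: bytes) -> IocRecord:
    d = hash_bytes(data)
    return IocRecord(name, d["md5"], d["sha1"], d["sha256"], d["sha512"])


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        digests = hash_file(path)
        hits = match_iocs(digests, IOC_TABLE)
        if not hits:
            print(f"{path}: no match")
        for rec, matched in hits:
            flag = " (PARTIAL, verify the record)" if is_partial(matched) else ""
            print(f"{path}: matches {rec.name} on {sorted(matched)}{flag}")
```

Run it as `python ioc_check.py <file> ...` over quarantined files or the dropped `.tmp` directories; a full four-algorithm match identifies the exact artifact the report saw, whereas a partial match should be treated as a data-entry error until the record is re-checked against the source.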