Overview

overview

10

Static

static

3

Recovery.exe

windows7-x64

10

Recovery.exe

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Recovery.exe

  • Size

    107KB

  • Sample

    241119-drz4tazamh

  • MD5

    d90957d3cd23fbe36dedf1de6faa40d7

  • SHA1

    d4eaf5265a509389673f78621f2b8fad4469534b

  • SHA256

    d5acc827ecfc0a6944eb3b7fe4e1de10c433f8bacbf9e5ac576a5fbd55219f36

  • SHA512

    aee281bbeace797741126ccdb5b516bfb265b6630f16ffaf44ad840383e42ea11e5fe9b30518c2de652dfc2dfc8521523f99b8e39d79d28691e6049de843c12f

  • SSDEEP

    3072:gL06G8Hl9Sfhw4mzbW/hg0cYpG1RgN1UeeXB:gL48F9S2NbAhg0cYpG1RgN1Ues

Score
10/10
bootkitdefense_evasiondiscoveryevasionexploitpersistencetrojan

Malware Config

Targets

    • Target

      Recovery.exe

    • Size

      107KB

    • MD5

      d90957d3cd23fbe36dedf1de6faa40d7

    • SHA1

      d4eaf5265a509389673f78621f2b8fad4469534b

    • SHA256

      d5acc827ecfc0a6944eb3b7fe4e1de10c433f8bacbf9e5ac576a5fbd55219f36

    • SHA512

      aee281bbeace797741126ccdb5b516bfb265b6630f16ffaf44ad840383e42ea11e5fe9b30518c2de652dfc2dfc8521523f99b8e39d79d28691e6049de843c12f

    • SSDEEP

      3072:gL06G8Hl9Sfhw4mzbW/hg0cYpG1RgN1UeeXB:gL48F9S2NbAhg0cYpG1RgN1Ues

    Score
    10/10
    bootkitdefense_evasiondiscoveryevasionexploitpersistencetrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies visibility of file extensions in Explorer

      evasion

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • UAC bypass

      evasiontrojan

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

      evasion

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Indicator Removal: Network Share Connection Removal

      Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

      defense_evasion

    • Possible privilege escalation attempt

      exploit

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies file permissions

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Modifies WinLogon

      persistence

    • Modifies boot configuration data using bcdedit

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

File and Directory Permissions Modification

1
T1222

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Indicator Removal

1
T1070

Network Share Connection Removal

1
T1070.005

Modify Registry

7
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Tasks