Overview

overview

10

Static

static

3

Recovery.exe

windows11-21h2-x64

10

Resubmissions

19-11-2024 17:09

241119-vn7sxsydpa 10

19-11-2024 03:18

241119-dtmlhazapb 10

19-11-2024 03:11

241119-dp3f6azgpp 10

19-11-2024 03:07

241119-dmstyazgnj 10

Analysis

  • max time kernel
    53s
  • max time network
    29s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19-11-2024 03:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Recovery.exe

  • Size

    107KB

  • MD5

    d90957d3cd23fbe36dedf1de6faa40d7

  • SHA1

    d4eaf5265a509389673f78621f2b8fad4469534b

  • SHA256

    d5acc827ecfc0a6944eb3b7fe4e1de10c433f8bacbf9e5ac576a5fbd55219f36

  • SHA512

    aee281bbeace797741126ccdb5b516bfb265b6630f16ffaf44ad840383e42ea11e5fe9b30518c2de652dfc2dfc8521523f99b8e39d79d28691e6049de843c12f

  • SSDEEP

    3072:gL06G8Hl9Sfhw4mzbW/hg0cYpG1RgN1UeeXB:gL48F9S2NbAhg0cYpG1RgN1Ues

Score
10/10
bootkitdiscoveryevasionexploitpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
    evasiontrojan
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Blocks application from running via registry modification 9 IoCs

    Adds application to list of disallowed applications.

    evasion
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Possible privilege escalation attempt 6 IoCs
    exploit
  • Modifies file permissions 1 TTPs 6 IoCs
    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 11 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Recovery.exe
    "C:\Users\Admin\AppData\Local\Temp\Recovery.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Blocks application from running via registry modification
    • Disables RegEdit via registry modification
    • Checks whether UAC is enabled
    • Modifies WinLogon
    • Writes to the Master Boot Record (MBR)
    • Modifies Control Panel
    • Modifies Internet Explorer start page
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4392
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5308
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1488
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32 /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:5228
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\drivers
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:5816
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\drivers /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1280
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant %username%:F exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\winlogon.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:5716
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\winlogon.exe /grant Admin:F exit
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:6128
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:6012
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99045cc40,0x7ff99045cc4c,0x7ff99045cc58
      2⤵
        PID:1592

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Pre-OS Boot

    1
    T1542

    Bootkit

    1
    T1542.003

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    File and Directory Permissions Modification

    1
    T1222

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    7
    T1112

    Pre-OS Boot

    1
    T1542

    Bootkit

    1
    T1542.003

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Inhibit System Recovery

    1
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1584-20-0x00007FF9A1EF0000-0x00007FF9A2268000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/1584-19-0x00007FF67FE90000-0x00007FF67FEFC000-memory.dmp

      Filesize

      432KB

      Download

    • memory/4392-12-0x00007FF9A1EF0000-0x00007FF9A2268000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/4392-15-0x00007FF9A2F90000-0x00007FF9A303F000-memory.dmp

      Filesize

      700KB

      Download

    • memory/4392-4-0x00007FF994253000-0x00007FF994255000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4392-5-0x00007FF99E570000-0x00007FF99E601000-memory.dmp

      Filesize

      580KB

      Download

    • memory/4392-6-0x00007FF9A32A0000-0x00007FF9A334E000-memory.dmp

      Filesize

      696KB

      Download

    • memory/4392-7-0x00007FF990200000-0x00007FF99021D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/4392-8-0x00007FF98D020000-0x00007FF98D0CC000-memory.dmp

      Filesize

      688KB

      Download

    • memory/4392-9-0x00007FF994250000-0x00007FF994D12000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4392-0-0x00007FF994253000-0x00007FF994255000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4392-3-0x00007FF994250000-0x00007FF994D12000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4392-2-0x00000000009B0000-0x00000000009B6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4392-1-0x0000000000280000-0x00000000002A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4392-18-0x00007FF997EA0000-0x00007FF997F05000-memory.dmp

      Filesize

      404KB

      Download

    • memory/4392-16-0x00007FF9A0BE0000-0x00007FF9A0C2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4392-13-0x00007FF9A10F0000-0x00007FF9A116F000-memory.dmp

      Filesize

      508KB

      Download

    • memory/4392-23-0x00007FF9A1EF0000-0x00007FF9A2268000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/4392-49-0x00007FF9A38B0000-0x00007FF9A38D9000-memory.dmp

      Filesize

      164KB

      Download

    • memory/4392-50-0x00007FF9A0FD0000-0x00007FF9A10E2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4392-51-0x00007FF9A1EF0000-0x00007FF9A2268000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/4392-56-0x00007FF98B560000-0x00007FF98B586000-memory.dmp

      Filesize

      152KB

      Download