Overview

overview

8

Static

static

3

690ca0a28e...08.exe

windows7-x64

8

690ca0a28e...08.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    81a7a946456f1f6dae4715b1feb72ed0.bin

  • Size

    72KB

  • Sample

    241120-btm6xsskdj

  • MD5

    89858704f6f85b78ffcc59b946f150ac

  • SHA1

    7efada3e73a99326a23c9882a10e37104a4d8dfe

  • SHA256

    5af8fea92236dff382f1c6ec7267fd871ddbd302bb511e169b7162683a6809d3

  • SHA512

    6da1fac3c494a7f05324767b69c2385dbb9e4180c4cc4d83cd83409d17a104b6842ed946d1a1b77bf1571e5fa902ed120baef853768d473b8f66956e3901485e

  • SSDEEP

    1536:Sa5XD3bLbmu7snk5R2zxKhq2REJnndyGrHWzIIJbQtB42bun7b2g:Sa5XD3bvmT0R2t/jnndyGrEIIJEJun7/

Score
8/10
bootkitdefense_evasiondiscoveryevasionexploitpersistenceprivilege_escalationupx

Malware Config

Targets

    • Target

      690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe

    • Size

      112KB

    • MD5

      81a7a946456f1f6dae4715b1feb72ed0

    • SHA1

      af83b938017efd53f95671adc0c6d2aa1088d38e

    • SHA256

      690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408

    • SHA512

      a1ec5c6b1ebb014aa60d0242e147ebbbadd2aff2a0e653b99f440f8d25bb01ee49cddcf6ad608c0adc8a5efc784ff2c949036b447da2912ccc6e684c2cc0e692

    • SSDEEP

      3072:O7DhdC6kzWypvaQ0FxyNTBfHdIyEGfvBN+:OBlkZvaF4NTB/yyEGfvBQ

    Score
    8/10
    bootkitdefense_evasiondiscoveryevasionexploitpersistenceprivilege_escalationupx

    • Disables Task Manager via registry modification

      evasion

    • Modifies Windows Firewall

      evasion

    • Possible privilege escalation attempt

      exploit

    • Drops startup file

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Deobfuscate/Decode Files or Information

      Payload decoded via CertUtil.

      defense_evasion

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

      defense_evasion

    • Modifies boot configuration data using bcdedit

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Deobfuscate/Decode Files or Information

1
T1140

File and Directory Permissions Modification

2
T1222

Windows File and Directory Permissions Modification

1
T1222.001

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Tasks