8968bebdc8a4a219676d0f03e4b9aa967f66dffedea0f165e4d99efce81443f7 | Triage

Submit
Reports

Overview

overview

7

Static

static

1

ABTech.exe

windows7-x64

4

ABTech.exe

windows10-2004-x64

7

Sharing

General

Target

ABTech.exe
Size

141.7MB
Sample

241121-lzr26s1lfs
MD5

1434c3fbbc8aadd0bdbeb17188ecbb30
SHA1

87dd89f9645e0aad3a83a5e6a88fb32609811175
SHA256

8968bebdc8a4a219676d0f03e4b9aa967f66dffedea0f165e4d99efce81443f7
SHA512

18e0edff038df5b463081da229f7f426747759761d9aae75f1542cad1eadd12ab387bd0b978314259954919172bfb0881b59060ba15b765a936a9a0af4af7889
SSDEEP

3145728:i9J2fFh9HdLSysODYjBxpxYES+LqOI4MTzU4UcpaPbHn:PFh9HpOWUBxp7SiqtTzEcpQH

Score

7^/10

bootkit discovery persistence phishing privilege_escalation

Static task

static1

Behavioral task

behavioral1

Sample

ABTech.exe

Resource

win7-20241010-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

ABTech.exe

Resource

win10v2004-20241007-en

bootkit discovery persistence phishing privilege_escalation

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Targets

- Target
  
  ABTech.exe
- Size
  
  141.7MB
- MD5
  
  1434c3fbbc8aadd0bdbeb17188ecbb30
- SHA1
  
  87dd89f9645e0aad3a83a5e6a88fb32609811175
- SHA256
  
  8968bebdc8a4a219676d0f03e4b9aa967f66dffedea0f165e4d99efce81443f7
- SHA512
  
  18e0edff038df5b463081da229f7f426747759761d9aae75f1542cad1eadd12ab387bd0b978314259954919172bfb0881b59060ba15b765a936a9a0af4af7889
- SSDEEP
  
  3145728:i9J2fFh9HdLSysODYjBxpxYES+LqOI4MTzU4UcpaPbHn:PFh9HpOWUBxp7SiqtTzEcpQH
Score

7^/10

discovery bootkit persistence phishing privilege_escalation
- A potential corporate email address has been identified in the URL: [email protected]
  phishing
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

bootkitdiscoverypersistencephishingprivilege_escalation

© 2018-2024

Terms | Privacy