Overview

overview

10

Static

static

5

EaseUS Par...18.exe

windows11-21h2-x64

10

Resubmissions

03-01-2025 22:23

250103-2a2hbayrbk 10

03-01-2025 22:14

250103-15r2payngp 8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    EaseUS Partition Master Technician 19.5.0 Build 20241118.exe

  • Size

    149.1MB

  • Sample

    250103-2a2hbayrbk

  • MD5

    b504755e56b43207abe5785ea6c32b77

  • SHA1

    72f5e5e8ca2a8ba2915383eb2ea0da4a5ecf3feb

  • SHA256

    84f49de6c23b6a8290518e09935b624203a5b6d091457e93facc8e95e491d45c

  • SHA512

    1baf6bdeaeda0f9508a87bd6c0ad6fe1010154080657275c7b82c86c90886447ddc9c0b29907fe56d8f87d25be27789a905518cb691b03735cb7bda65172e350

  • SSDEEP

    3145728:qxxchkAOY8QjvDI+JgLMTrih0Y73tZufXuVgYmmlAZy:eAOsbsIg4ahdu+K/

Score
10/10
bootkitgooglepaypaldefense_evasiondiscoveryevasionmotwpersistencephishingprivilege_escalation

Malware Config

Targets

    • Target

      EaseUS Partition Master Technician 19.5.0 Build 20241118.exe

    • Size

      149.1MB

    • MD5

      b504755e56b43207abe5785ea6c32b77

    • SHA1

      72f5e5e8ca2a8ba2915383eb2ea0da4a5ecf3feb

    • SHA256

      84f49de6c23b6a8290518e09935b624203a5b6d091457e93facc8e95e491d45c

    • SHA512

      1baf6bdeaeda0f9508a87bd6c0ad6fe1010154080657275c7b82c86c90886447ddc9c0b29907fe56d8f87d25be27789a905518cb691b03735cb7bda65172e350

    • SSDEEP

      3145728:qxxchkAOY8QjvDI+JgLMTrih0Y73tZufXuVgYmmlAZy:eAOsbsIg4ahdu+K/

    Score
    10/10
    bootkitgooglepaypaldefense_evasiondiscoveryevasionmotwpersistencephishingprivilege_escalation

    • Detected google phishing page

      phishinggoogle

    • Drops file in Drivers directory

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • A potential corporate email address has been identified in the URL: [email protected]

      phishing

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

      defense_evasion

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

      phishingmotw

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Detected potential entity reuse from brand PAYPAL.

      phishingpaypal

    • Drops file in System32 directory

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

3
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

3
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Safe Mode Boot

1
T1562.009

Modify Registry

4
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks