Overview

overview

10

Static

static

3

css/1.bat

windows7-x64

1

css/1.bat

windows10-2004-x64

1

css/2.bat

windows7-x64

8

css/2.bat

windows10-2004-x64

8

css/d.exe

windows7-x64

1

css/d.exe

windows10-2004-x64

10

css/goto.exe

windows7-x64

6

css/goto.exe

windows10-2004-x64

6

Resubmissions

07-01-2025 19:22

250107-x3kcaavmb1 10

07-01-2025 07:44

250107-jk35sa1mex 10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-01-2025 07:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    css/goto.exe

  • Size

    2.6MB

  • MD5

    5d994ed0be59ab5f2f0242706b8b3b55

  • SHA1

    b7787d1050691e9dbc5ef6dadc80c36761ae9697

  • SHA256

    74533489c6609b07b00e578d98af29dd6250ddd800e5ecf5743cd9af2e2f24f3

  • SHA512

    86c9e160b7b9015c790254857526aa554a020888383638eb4787a4f700b299cd16e26c08e4dac823be8832274eb3bc74421932e9bb880e44062053fc49f1de27

  • SSDEEP

    49152:dJp9NvSqm1wFE5eBe0/4tmsHfK99IvS0mmvQDTGJt0P:AqsevwIN9Wn0

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\css\goto.exe
    "C:\Users\Admin\AppData\Local\Temp\css\goto.exe"
    1⤵
    • System policy modification
    PID:2528
  • C:\Users\Admin\AppData\Local\Temp\css\goto.exe
    "C:\Users\Admin\AppData\Local\Temp\css\goto.exe" service
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Local\Temp\css\goto.exe
      "C:\Users\Admin\AppData\Local\Temp\css\goto.exe" Global\GotoHTTP_1
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2396

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\css\gotohttp.ini
    Filesize

    74B

    MD5

    4d93c6c5ad3adfcfa6103c6538d4df5d

    SHA1

    206de1901a824c7dca668bfc09187a875115ed5b

    SHA256

    dce530b2e9c60b681280f6623af320de4b31812d3e5de39203c6234d021dd787

    SHA512

    34a7f28ce28aeb27227b0f851a94cc7ba3317b5bc7927970cb405833ed6d0cdbb2678606c00ecaf00579bf6471986d169dcdea0b2788a4f9cbf5a1b9304bb192

    Download Submit

  • memory/2396-0-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2396-2-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB

    Download