Overview

overview

10

Static

static

10

64HZ BootStapper.exe

windows7-x64

7

64HZ BootStapper.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    64HZ BootStapper.exe

  • Size

    112.0MB

  • Sample

    250213-drkn5aspgz

  • MD5

    f2b04935f0d08730d0c1aa4e75a9ff4a

  • SHA1

    e0a42f62e895f4879907de01e5e2d154d8ac7443

  • SHA256

    30e9202e130dd7a29a33f7a25e58b9558821af0c96a44a9b356307cf12025c2f

  • SHA512

    c8c7988768cf9878fcc1d01cad68ba89ee52271e05c17edd6da81108223d8ea0d04f213c9ecf7a10fbcbdb1b4cb161adc351b32c6a559fa10b2353077a7ae33e

  • SSDEEP

    3145728:G3nrJzeibJjz9wHE1L2qHO5iVV6nGQbRe0zJcBzSZ2:Qrn1Zw4HCi01XcBJ

Score
10/10
pysilondefense_evasiondiscoveryexecutionpersistencepyinstaller

Malware Config

Targets

    • Target

      64HZ BootStapper.exe

    • Size

      112.0MB

    • MD5

      f2b04935f0d08730d0c1aa4e75a9ff4a

    • SHA1

      e0a42f62e895f4879907de01e5e2d154d8ac7443

    • SHA256

      30e9202e130dd7a29a33f7a25e58b9558821af0c96a44a9b356307cf12025c2f

    • SHA512

      c8c7988768cf9878fcc1d01cad68ba89ee52271e05c17edd6da81108223d8ea0d04f213c9ecf7a10fbcbdb1b4cb161adc351b32c6a559fa10b2353077a7ae33e

    • SSDEEP

      3145728:G3nrJzeibJjz9wHE1L2qHO5iVV6nGQbRe0zJcBzSZ2:Qrn1Zw4HCi01XcBJ

    Score
    9/10
    defense_evasiondiscoveryexecutionpersistence

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      defense_evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

File and Directory Discovery

1
T1083

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks