Overview

overview

7

Static

static

7

1792EL4.4?...or.exe

windows7-x64

7

1792EL4.4?...or.exe

windows10-2004-x64

7

1792EL4.4?...ne.dll

windows7-x64

7

1792EL4.4?...ne.dll

windows10-2004-x64

7

1792EL4.4?...ce.dll

windows7-x64

7

1792EL4.4?...ce.dll

windows10-2004-x64

7

1792EL4.4?/Update.exe

windows7-x64

1

1792EL4.4?/Update.exe

windows10-2004-x64

1

1792EL4.4?/sign.dll

windows7-x64

1

1792EL4.4?/sign.dll

windows10-2004-x64

1

1792EL4.4?...pi.dll

windows7-x64

3

1792EL4.4?...pi.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c7632a1bbe82c3d2ae9146a0289bc2080d03878dd89fd1d9e9503a9e57af43c4

  • Size

    5.1MB

  • Sample

    240701-e73qbazcqj

  • MD5

    7bfab958a3e53316b755d29ed1231cd7

  • SHA1

    950c63dc75ac79c94188cbb6c35388ba8be690b5

  • SHA256

    c7632a1bbe82c3d2ae9146a0289bc2080d03878dd89fd1d9e9503a9e57af43c4

  • SHA512

    3aa6afeaa75f501472f045a44132620014d4f77b5185f510574725f0657a7a6a22d5577f4be992604fab9e6c2632a17a7146444324b777ed76e9d4cb4d144dff

  • SSDEEP

    98304:2SG9hXzOe+Gf8yn1iTCK3aHaQ9TlOMWiLcVtAHDVBGr8hiNuQjuoFhIkZOo2:2PzFrLn1ifW7WiL9Hqr8hiNTjuoPISON

Score
7/10
bootkitpersistencevmprotect

Malware Config

Targets

    • Target

      1792EL4.4?/ElementsEditor.exe

    • Size

      1.0MB

    • MD5

      0ddb19bd95ae8a7aca1ad5a94e7ffcad

    • SHA1

      1f45083609a8c4aab77a45ba27062649f5991e33

    • SHA256

      f7ee4e1d2cdcae4ea22583854d9fa2cad072741f487cd3f7b547c598caaf66f1

    • SHA512

      aa27d80b9f1bd2d77877ec6d5caf9092cf5d1874347246308948b6095e2522edf744656005554d79485dc87da17246f8f0c4d9df8ca3ced5bd69ce99ac62cb8c

    • SSDEEP

      24576:vbYw5NquEjJoFT39qBKQgn6QrraispwqZJGFiWdM:h5kuE2x39q8N/rraRbY

    Score
    7/10
    bootkitpersistencevmprotect

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1behavioral2

    • Target

      1792EL4.4?/ElementsEngine.dll

    • Size

      3.0MB

    • MD5

      9983eef61740b311b2383b869a308b09

    • SHA1

      bfe16190c6bbffcd7f154b0fc34878b3c3282654

    • SHA256

      2916246e84289df1dc43d9b38a06bc6bb3e16ff6043ab79fa6b152ff979e503a

    • SHA512

      4dd586edce7c47a52be5779132c3afe56d637a5e07c9f8c3cbf2ff41c770129a334d9cd58a06d5a82d6a7bee3118d13aa60c36d8101b3221f6eec38aeb47f18c

    • SSDEEP

      49152:4yetB97Xw8Fq/taUpZ338lmtSr+cKwjNdtJNVe7Y1g:8M8FmxZSAGbTV

    Score
    7/10
    bootkitpersistencevmprotect

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral3behavioral4

    • Target

      1792EL4.4?/ElementsInterface.dll

    • Size

      111KB

    • MD5

      cd73e6753549f333f966fad7042d041b

    • SHA1

      a3fd44f435816d1c1b0d9dfe5070db7d528b2c2f

    • SHA256

      a33f0ee4eb05724f792dc9693aa6e10fe760982f72620a6936a9c7e27fa888d2

    • SHA512

      241552aab1c693bf9f1d733cead652cb5a785fbd5c8de459600c964fbfc6fc907f2f78bd5e6c66540fe58d13d7dabe6f8808680b1c2d6479b6812ea8ddd6fc8d

    • SSDEEP

      1536:RcNuPF53k4pYR3GrRShh8G8nwv0Jz+qMU4JMKmyjLvGNr63OFfDZ1a9LhyVzKPAt:IOYG0fcoEBMvGNrwOpF1YuzKnzuJ

    Score
    7/10
    bootkitpersistencevmprotect

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral5behavioral6

    • Target

      1792EL4.4?/Update.exe

    • Size

      101KB

    • MD5

      1c14f26db6988b324bfeb1347f57f805

    • SHA1

      10495d45e832a7899ca0910c53225e095c8b22c6

    • SHA256

      8e41a0d3e866a0ace0f8c48e60d9e78cd9788189f24449d825e8f8fb6ec8101b

    • SHA512

      b12afbcbab2a4bd4572e55475461bd39d321ad8fda69d9452bcde61e2c37cca732fba409687e3744faf3b85be51eee9080f8f19ce8fb11b2865012b9ec2f859c

    • SSDEEP

      1536:Osc3EPdwBnqcVTdnCnuZIHDgIV0VNUIpWw/eSOdLh:DcgMqcVe9HMIqVBpPeSu

    Score
    1/10
    behavioral7behavioral8

    • Target

      1792EL4.4?/sign.dll

    • Size

      16B

    • MD5

      ba1d77a4795e35282ba2478600da611a

    • SHA1

      430ffdb4ad0435f777bd6a2c72fcbcf8d03c0f76

    • SHA256

      273dad70a0d5de46845ad9e7eb2cb3def0221b9fe3d1fbee3b07bf531ca1707c

    • SHA512

      5d07b542d7bf24d87559ccc46e7cda1c0f86b5dfa5817a6255edc7490b73abc7a904f4ef4a8fe81004da9959b47e6f34873ba80754165411b7d68c67b1e3508d

    Score
    1/10
    behavioral10behavioral9

    • Target

      1792EL4.4?/zlibwapi.dll

    • Size

      71KB

    • MD5

      91a4eeb39ed3054f558795cfcdb13fa8

    • SHA1

      614b4afb945d697ad19560b32af6b686d4171034

    • SHA256

      0d38360003865e84a2842c337d7c440c8ab4c41809cc87b8758df6d852c02afc

    • SHA512

      164d6b5c0869b95e625a36811681ffa037cff1585deff6f2223eb8efcd3b71d5b7c9ac06f41401c43e1394e8e15d255e78b0a081e3fe4b6035f700fdfb0578ab

    • SSDEEP

      1536:EyLPKNqRLWqtQMTkL6/nToIfAIOjIOZodL:E3NNqtJkL6PTBf2FadL

    Score
    3/10
    behavioral11behavioral12

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

3
T1542

Bootkit

3
T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

3
T1542

Bootkit

3
T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks