Overview

overview

6

Static

static

d64cd96867...73.exe

windows7_x64

6

d64cd96867...73.exe

windows10-2004_x64

6

Analysis

  • max time kernel
    38s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-05-2022 02:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773.exe

  • Size

    21KB

  • MD5

    fb0a226376d060173dea88a60f19661b

  • SHA1

    331cc3e10b234ff4b27b9a19cd76516fab3043eb

  • SHA256

    d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773

  • SHA512

    e4d978c8f88db943c5602fda998f93ba3d09a6169e7e9f39bd025d86dd21ab985492787e741c5ab207af2c33e988f75f8e7e190d59fb25b8be152dccd550fe88

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Program crash 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773.exe
    "C:\Users\Admin\AppData\Local\Temp\d64cd968677e2d02f1f11edd05d56994eafb6d9687d6e0aa5b98718e24f8c773.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 156
        3⤵
        • Program crash
        PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1012-54-0x0000000000000000-mapping.dmp
    Download
  • memory/2024-55-0x0000000014140000-0x0000000014149000-memory.dmp
    Filesize

    36KB

    Download