Overview

overview

7

Static

static

f5d4809a4a...3b.exe

windows7_x64

7

f5d4809a4a...3b.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    92s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 04:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5d4809a4a8314c4a9f2e69ccb358d32c953c3a08dd65900e510b397812fc63b.exe

  • Size

    2.5MB

  • MD5

    ec53b5790e673ab0e0229406ae6ca23c

  • SHA1

    e0d8e903c3b9690b174550b627bfe63d04b39f60

  • SHA256

    f5d4809a4a8314c4a9f2e69ccb358d32c953c3a08dd65900e510b397812fc63b

  • SHA512

    a8a78bc1143ea4df40bf192db846dac6f9aa6c3ee10c6aef24c064ed45c8123953ad9ed8eeb15990a2f6e0e39a6ffc206b7649f5c610c67cb4e48d4efd179c05

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5d4809a4a8314c4a9f2e69ccb358d32c953c3a08dd65900e510b397812fc63b.exe
    "C:\Users\Admin\AppData\Local\Temp\f5d4809a4a8314c4a9f2e69ccb358d32c953c3a08dd65900e510b397812fc63b.exe"
    1⤵
    • Checks BIOS information in registry
    • Writes to the Master Boot Record (MBR)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3308
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 712
      2⤵
      • Program crash
      PID:1448
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3308 -ip 3308
    1⤵
      PID:256

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Bootkit

    1
    T1067

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3308-130-0x0000000000400000-0x000000000089E000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/3308-131-0x0000000000400000-0x000000000089E000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/3308-132-0x0000000000400000-0x000000000089E000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/3308-133-0x0000000005890000-0x0000000007731000-memory.dmp
      Filesize

      30.6MB

      Download
    • memory/3308-134-0x0000000000400000-0x000000000089E000-memory.dmp
      Filesize

      4.6MB

      Download