Analysis
-
max time kernel
0s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 11:23
Errors
Reason
Reading agent response: read tcp 10.127.0.1:36322->10.127.0.176:8000: read: connection timed out
General
-
Target
bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe
-
Size
150KB
-
MD5
c72eab8f82ffaebe359824558ae0e994
-
SHA1
2c5a784db6830ca6b6f7bc833b4125ee577da024
-
SHA256
bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7
-
SHA512
a033d9883596326d32ba716e2c32ddc99f5656bbaa59c8ab571fbf5ff370854508d75bb51cb38df76953df5da27a0ff8ea1d1d9808da563ceca64d3a431eae6a
Score
6/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe"C:\Users\Admin\AppData\Local\Temp\bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe"1⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe"2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1056-54-0x00000000764C1000-0x00000000764C3000-memory.dmpFilesize
8KB
-
memory/1968-55-0x0000000000000000-mapping.dmp