Analysis
- max time kernel: 0s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 11:23
Static task: static1
Behavioral task: behavioral1
- Sample: bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe
- Resource: win10v2004-20220414-en
Errors
General
- Target: bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe
- Size: 150KB
- MD5: c72eab8f82ffaebe359824558ae0e994
- SHA1: 2c5a784db6830ca6b6f7bc833b4125ee577da024
- SHA256: bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7
- SHA512: a033d9883596326d32ba716e2c32ddc99f5656bbaa59c8ab571fbf5ff370854508d75bb51cb38df76953df5da27a0ff8ea1d1d9808da563ceca64d3a431eae6a
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe" (process: bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe)
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe
  - File opened for modification: \??\PhysicalDrive0 (process: bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe
  - Token: SeDebugPrivilege (PID 1056, process: bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe)
- Suspicious use of WriteProcessMemory (4 IoCs, four identical entries)
  Processes: bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe
  - PID 1056 wrote to memory of PID 1968 (process: bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe, target process: schtasks.exe), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe"
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\bc8c6b5788dea27e4052a5023a3f13fb4edee9e190f39d080db89fe5a2fc75d7.exe"
    - Creates scheduled task(s)