afbf5da99b569974c5e8ccec0286cb4ed45401cce45b6f6c7f05a3d5565db7f0

Resubmissions

13-06-2022 01:51

220613-b9zjwshcd5 6

13-06-2022 01:47

220613-b7zf4shcc5 6

Analysis

max time kernel
43s
max time network
56s
platform
windows7_x64
resource
win7-20220414-en
submitted
13-06-2022 01:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

VAPE4.exe
Size

37.1MB
MD5

c735bff65f7005656d1606bed35c8c96
SHA1

da017a4ab363040ab96fbbd03173e1c01319bd09
SHA256

afbf5da99b569974c5e8ccec0286cb4ed45401cce45b6f6c7f05a3d5565db7f0
SHA512

3bbae0c5c3e2e48e155e0d9eaba955285f4c086acca05d40807cf6037cf5862077878c24235805367f3a1074a715150f7bf96909c31ec5a7c5c4c2e6eff6ca51

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

VAPE4.exe

description ioc process

File opened for modification \??\physicaldrive0 VAPE4.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

VAPE4.exe

pid process

840 VAPE4.exe

description	ioc	process
File opened for modification	\??\physicaldrive0	VAPE4.exe

pid	process
840	VAPE4.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

VAPE4.exeAUDIODG.EXEshutdown.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	840	VAPE4.exe
Token: 33	1544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1544	AUDIODG.EXE
Token: 33	1544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1544	AUDIODG.EXE
Token: SeShutdownPrivilege	268	shutdown.exe
Token: SeRemoteShutdownPrivilege	268	shutdown.exe
Token: SeShutdownPrivilege	1048	shutdown.exe
Token: SeRemoteShutdownPrivilege	1048	shutdown.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

VAPE4.execmd.execmd.execmd.exe

description	pid	process	target process
PID 840 wrote to memory of 1708	840	VAPE4.exe	cmd.exe
PID 840 wrote to memory of 1708	840	VAPE4.exe	cmd.exe
PID 840 wrote to memory of 1708	840	VAPE4.exe	cmd.exe
PID 840 wrote to memory of 472	840	VAPE4.exe	cmd.exe
PID 840 wrote to memory of 472	840	VAPE4.exe	cmd.exe
PID 840 wrote to memory of 472	840	VAPE4.exe	cmd.exe
PID 472 wrote to memory of 268	472	cmd.exe	shutdown.exe
PID 472 wrote to memory of 268	472	cmd.exe	shutdown.exe
PID 472 wrote to memory of 268	472	cmd.exe	shutdown.exe
PID 840 wrote to memory of 1184	840	VAPE4.exe	cmd.exe
PID 840 wrote to memory of 1184	840	VAPE4.exe	cmd.exe
PID 840 wrote to memory of 1184	840	VAPE4.exe	cmd.exe
PID 1184 wrote to memory of 1048	1184	cmd.exe	shutdown.exe
PID 1184 wrote to memory of 1048	1184	cmd.exe	shutdown.exe
PID 1184 wrote to memory of 1048	1184	cmd.exe	shutdown.exe
PID 840 wrote to memory of 752	840	VAPE4.exe	cmd.exe
PID 840 wrote to memory of 752	840	VAPE4.exe	cmd.exe
PID 840 wrote to memory of 752	840	VAPE4.exe	cmd.exe
PID 752 wrote to memory of 1980	752	cmd.exe	shutdown.exe
PID 752 wrote to memory of 1980	752	cmd.exe	shutdown.exe
PID 752 wrote to memory of 1980	752	cmd.exe	shutdown.exe
PID 840 wrote to memory of 1712	840	VAPE4.exe	cmd.exe
PID 840 wrote to memory of 1712	840	VAPE4.exe	cmd.exe
PID 840 wrote to memory of 1712	840	VAPE4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\VAPE4.exe
"C:\Users\Admin\AppData\Local\Temp\VAPE4.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color c1
2⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -s -t 0
2⤵
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\system32\shutdown.exe
shutdown -s -t 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -s -t 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -s -t 0
2⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\system32\shutdown.exe
shutdown -s -t 0
3⤵
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -s -t 0
2⤵
PID:1712

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:828

C:\Windows\system32\shutdown.exe
shutdown -s -t 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1220

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-56-0x0000000000000000-mapping.dmp

Download
memory/472-55-0x0000000000000000-mapping.dmp

Download
memory/752-60-0x0000000000000000-mapping.dmp

Download
memory/828-57-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

Filesize
8KB

Download
memory/1048-59-0x0000000000000000-mapping.dmp

Download
memory/1184-58-0x0000000000000000-mapping.dmp

Download
memory/1708-54-0x0000000000000000-mapping.dmp

Download
memory/1712-62-0x0000000000000000-mapping.dmp

Download
memory/1980-61-0x0000000000000000-mapping.dmp

Download