a9027c6070365053c3cb91261991c71f1d3a63707df8467e413847f344b3af4d

Analysis

max time kernel
224s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 14:13

Target

TrashMalwares-main/Phsyletric.exe
Size

97KB
MD5

4db23cf50f64a83759db9df6ad222d65
SHA1

8ed2c2d8c8c0e5b953559adf6e8765f505cccdd2
SHA256

465f8bf12fe8fc53c9ef45e498b5f9d95b783c61096147bbc09182f6d19dd129
SHA512

615735ab5bbd78c1e72dc2c6b7066d0fe66894d29844e1557bf08af319c5c38c883ac8c5ecc248637d8d91b83aad731be5476a4826b5101a02810f27b2d89644
SSDEEP

3072:MbDwt25lOqFieKe/xzJdekGFq8YbFwIf6Psq1:MbDAEIq396Psq1

Score

6^/10

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Phsyletric.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Phsyletric.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 1472 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1472 AUDIODG.EXE

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Phsyletric.exe

description	pid	process
Token: 33	1472	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1472	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Phsyletric.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\Phsyletric.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:2296

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact