3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078

Analysis

max time kernel
34s
max time network
9s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 23:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe
Size

2.7MB
MD5

0c9a63fe8d09e44833a48d26eb9c634a
SHA1

0293e13b24fe5c9201135b2ce73235d084b3ae6e
SHA256

3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078
SHA512

33c42f09a1cfc6db164b6be18da64d6db5c736d1e4e3bb8a7f6b119d3dc553d4f58d72d6b92db6d8584ed4b55ffb73c29833fd5c8e18951289f2ba8fe34bf569
SSDEEP

49152:ksVGhAsgp8UcrENXrsVGhAsgp8UcrENXU:/VC1CZMewVC1CZMek

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
2508	3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe
2508	3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe
2508	3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe
2508	3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe
2508	3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe
2508	3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe
2508	3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2508	3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe
2508	3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe
2508	3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe
2508	3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe
2508	3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe
2508	3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe

C:\Users\Admin\AppData\Local\Temp\3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe
"C:\Users\Admin\AppData\Local\Temp\3f1fca90e47b6f96893f43019663f5b06b020fd6a228998e4ab117ef33565078.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:2508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
33KB

MD5
1ab5ecb42ea7ef15f193597d73f68407

SHA1
6591c5109dff669c486dbd07cd1d6f58e19b403e

SHA256
1204e441ab63f82e7b3c4eb3aa3effd77a7c5c6b542e37b39b3aaaeecbe7aeca

SHA512
1a4cd24a79bbbcabdc694947da81cc1d8bccd771b55b6fdfe9859e25b82a832b1ec525490d438e876d2d9b55cdfdae5995562b8b4805f5dc37066acde97bd82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
90KB

MD5
d95b0330577bbdbb581eba068cf743eb

SHA1
2cdf62b334c62b50a4755b899ec2fa0e7ee4d7fd

SHA256
456899477dffe1ddf82f0a96a5784a315f49734ae9f4b00ef4966c69f3e71973

SHA512
5942c6fa939b8528dc474dfd3c69d5c4e5be3af8c8015f317dd255d69d6c710660e6172424c2879bd2e342893d3d60c63df37854afc54013655695427e27d9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
32KB

MD5
bb1cd4129a323e7a721726777b8cec30

SHA1
083e1e9edb5676c72dc66be0843e93a8d266b421

SHA256
6ecbdcd7655571ab76bdecd95996a9a15513dbdfd5d0d6d90dfb81bf9909b326

SHA512
f25dd14e4358d725724d40bdf2a27daa5d9b7436bacaff09b633c9780a58ceed5ca369a903489e4db3daf30d58b3ad74d2eba43a23093bbeed5cc791266c15bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
16KB

MD5
6cc5f877afd3637c00ef2f68ce633607

SHA1
612a3a6528ed4181fdb04ca261f9f034a96a8603

SHA256
cc22dec58ee9b9fc4445c8d3d402ce4b7f47e82daa35d725315e4cb11db1ad6d

SHA512
0c5501b8d96ab7fdadcefb27b252e182eaccfc7df426e928964131cfb5d15e9ceee9a9d0d4b3d3cb2769b63ce69a286e66f88ba4a2e527c4977f7392f5f6c14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
61KB

MD5
5870ec872a8fce4e4959bd2d73f05015

SHA1
1fd14293def33d06c1db9a7e9dcc0ed4eb20b33c

SHA256
9302800c990263735ba7f0c6719bff856e31b3c947550f746aa67c3638b02c5b

SHA512
6d44c96da98fbb24f5122ffdaaea247fcfd40f5a445a05c076b4f0c955e3095c685a05c332519ce6a8e3a79986e5c55527be7a0e862a6ecbc22711143861a194

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
29KB

MD5
c2fcd0a0806818f3d8e444917b63bfb1

SHA1
e9015f9f6fbef0313114f7e66087a32fae89ecd9

SHA256
045b0d83e507ab83756b89d12fb5174ee13006cf35465025b5df6d8805b504a8

SHA512
9951b422e307531f39e865d8b66eebd8bdf5fd87d7be3cd62539cb2f5d693f05673dd3582304976c57eb9e89f72324adcde9d8369cfe7d200453b40c548bdc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
36KB

MD5
c179fa29e99ecab0d5ff6638de274bf0

SHA1
0e42f98a05c5a4d91092ebc3475e4967787869eb

SHA256
a5c873628ea34716ae5967d42556f64b1817cd84e70ae0618d6afadebf9450c7

SHA512
a24a34e422da6261108e12d66d385b7eb06a6d4dc4be68cab3eab4e1bebb64af4670ac6410ed4563dc6af9b5f3d89b6d514900e73da3360f1232de3415bcef3a

Download Submit
memory/2508-135-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2508-137-0x0000000002300000-0x0000000002338000-memory.dmp

Filesize
224KB

Download
memory/2508-136-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2508-140-0x0000000002570000-0x0000000002581000-memory.dmp

Filesize
68KB

Download
memory/2508-143-0x0000000002590000-0x00000000025AE000-memory.dmp

Filesize
120KB

Download