ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33

Analysis

max time kernel
17s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:49

Sharing

Copy URL

Twitter E-mail

Reason

Reading agent response: read tcp 10.127.0.1:35352->10.127.0.75:8000: read: connection reset by peer

Report Analysis Logs

General

Target

ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe
Size

10KB
MD5

f6ec322450da7ee7f89092d4f7fb370a
SHA1

50792442361e3fd992f17361cb1611ced431aad5
SHA256

ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33
SHA512

edf1d87789957597355c46c6343e9718eae70d2b073d5a6ddef4c610007e297aaac877d17a13730f1d8ebc4e1b17d84c9bc2e546d99bb30e63e402bdfef64955
SSDEEP

192:3rqvqucLm8WrcchKMqiJQjwPRn4sU9Vw:3rUqbOPhKMqkPws

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sys3.exe

pid process

968 sys3.exe
Deletes itself 1 IoCs

Processes:

sys3.exe

pid process

968 sys3.exe

pid	process
968	sys3.exe

pid	process
968	sys3.exe

Loads dropped DLL 2 IoCs

Processes:

ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe

pid	process
1380	ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe
1380	ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exesys3.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

sys3.exe

description pid process

Token: SeShutdownPrivilege 968 sys3.exe

description	pid	process
Token: SeShutdownPrivilege	968	sys3.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe

description	pid	process	target process
PID 1380 wrote to memory of 968	1380	ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe	sys3.exe
PID 1380 wrote to memory of 968	1380	ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe	sys3.exe
PID 1380 wrote to memory of 968	1380	ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe	sys3.exe
PID 1380 wrote to memory of 968	1380	ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe	sys3.exe

C:\Users\Admin\AppData\Local\Temp\ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe
"C:\Users\Admin\AppData\Local\Temp\ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\sys3.exe
C:\Users\Admin\AppData\Local\Temp\\sys3.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:584

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sys3.exe
Filesize
10KB

MD5
f6ec322450da7ee7f89092d4f7fb370a

SHA1
50792442361e3fd992f17361cb1611ced431aad5

SHA256
ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33

SHA512
edf1d87789957597355c46c6343e9718eae70d2b073d5a6ddef4c610007e297aaac877d17a13730f1d8ebc4e1b17d84c9bc2e546d99bb30e63e402bdfef64955

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt
Filesize
102B

MD5
14ea64272280284cbb1244795075abdc

SHA1
d702e1e380fc524d49b70629c603830edd5af568

SHA256
7cbb09d3f8c0544f4d18377a36e2a2939ad052f6ec39c2eaa5a0814fa5281ab0

SHA512
f677b773db01e90e65b20556af8706c8fb5daafd06430bac38f3b46d5ab78e37f4e754ff7e760b67078ff56a73282b6fa28da1d42eb8977741361694ba8444a1

Download Submit
\Users\Admin\AppData\Local\Temp\sys3.exe
Filesize
10KB

MD5
f6ec322450da7ee7f89092d4f7fb370a

SHA1
50792442361e3fd992f17361cb1611ced431aad5

SHA256
ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33

SHA512
edf1d87789957597355c46c6343e9718eae70d2b073d5a6ddef4c610007e297aaac877d17a13730f1d8ebc4e1b17d84c9bc2e546d99bb30e63e402bdfef64955

Download Submit
\Users\Admin\AppData\Local\Temp\sys3.exe
Filesize
10KB

MD5
f6ec322450da7ee7f89092d4f7fb370a

SHA1
50792442361e3fd992f17361cb1611ced431aad5

SHA256
ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33

SHA512
edf1d87789957597355c46c6343e9718eae70d2b073d5a6ddef4c610007e297aaac877d17a13730f1d8ebc4e1b17d84c9bc2e546d99bb30e63e402bdfef64955

Download Submit
memory/584-62-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/968-57-0x0000000000000000-mapping.dmp

Download
memory/1380-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1380-59-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads