Analysis
-
max time kernel
17s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 09:49
Static task
static1
Behavioral task
behavioral1
Sample
ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe
Resource
win10v2004-20221111-en
Errors
General
-
Target
ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe
-
Size
10KB
-
MD5
f6ec322450da7ee7f89092d4f7fb370a
-
SHA1
50792442361e3fd992f17361cb1611ced431aad5
-
SHA256
ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33
-
SHA512
edf1d87789957597355c46c6343e9718eae70d2b073d5a6ddef4c610007e297aaac877d17a13730f1d8ebc4e1b17d84c9bc2e546d99bb30e63e402bdfef64955
-
SSDEEP
192:3rqvqucLm8WrcchKMqiJQjwPRn4sU9Vw:3rUqbOPhKMqkPws
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
sys3.exepid process 968 sys3.exe -
Deletes itself 1 IoCs
Processes:
sys3.exepid process 968 sys3.exe -
Loads dropped DLL 2 IoCs
Processes:
ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exepid process 1380 ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe 1380 ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exesys3.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe File opened for modification \??\PHYSICALDRIVE0 sys3.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
sys3.exedescription pid process Token: SeShutdownPrivilege 968 sys3.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exedescription pid process target process PID 1380 wrote to memory of 968 1380 ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe sys3.exe PID 1380 wrote to memory of 968 1380 ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe sys3.exe PID 1380 wrote to memory of 968 1380 ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe sys3.exe PID 1380 wrote to memory of 968 1380 ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe sys3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe"C:\Users\Admin\AppData\Local\Temp\ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sys3.exeC:\Users\Admin\AppData\Local\Temp\\sys3.exe2⤵
- Executes dropped EXE
- Deletes itself
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\sys3.exeFilesize
10KB
MD5f6ec322450da7ee7f89092d4f7fb370a
SHA150792442361e3fd992f17361cb1611ced431aad5
SHA256ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33
SHA512edf1d87789957597355c46c6343e9718eae70d2b073d5a6ddef4c610007e297aaac877d17a13730f1d8ebc4e1b17d84c9bc2e546d99bb30e63e402bdfef64955
-
C:\Users\Admin\AppData\Local\Temp\systm.txtFilesize
102B
MD514ea64272280284cbb1244795075abdc
SHA1d702e1e380fc524d49b70629c603830edd5af568
SHA2567cbb09d3f8c0544f4d18377a36e2a2939ad052f6ec39c2eaa5a0814fa5281ab0
SHA512f677b773db01e90e65b20556af8706c8fb5daafd06430bac38f3b46d5ab78e37f4e754ff7e760b67078ff56a73282b6fa28da1d42eb8977741361694ba8444a1
-
\Users\Admin\AppData\Local\Temp\sys3.exeFilesize
10KB
MD5f6ec322450da7ee7f89092d4f7fb370a
SHA150792442361e3fd992f17361cb1611ced431aad5
SHA256ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33
SHA512edf1d87789957597355c46c6343e9718eae70d2b073d5a6ddef4c610007e297aaac877d17a13730f1d8ebc4e1b17d84c9bc2e546d99bb30e63e402bdfef64955
-
\Users\Admin\AppData\Local\Temp\sys3.exeFilesize
10KB
MD5f6ec322450da7ee7f89092d4f7fb370a
SHA150792442361e3fd992f17361cb1611ced431aad5
SHA256ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33
SHA512edf1d87789957597355c46c6343e9718eae70d2b073d5a6ddef4c610007e297aaac877d17a13730f1d8ebc4e1b17d84c9bc2e546d99bb30e63e402bdfef64955
-
memory/584-62-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmpFilesize
8KB
-
memory/968-57-0x0000000000000000-mapping.dmp
-
memory/1380-54-0x00000000764C1000-0x00000000764C3000-memory.dmpFilesize
8KB
-
memory/1380-59-0x000000002AA00000-0x000000002AA05000-memory.dmpFilesize
20KB