Overview

overview

8

Static

static

ad91d4f5be...33.exe

windows7-x64

ad91d4f5be...33.exe

windows10-2004-x64

Analysis

  • max time kernel
    101s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 09:49

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe

  • Size

    10KB

  • MD5

    f6ec322450da7ee7f89092d4f7fb370a

  • SHA1

    50792442361e3fd992f17361cb1611ced431aad5

  • SHA256

    ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33

  • SHA512

    edf1d87789957597355c46c6343e9718eae70d2b073d5a6ddef4c610007e297aaac877d17a13730f1d8ebc4e1b17d84c9bc2e546d99bb30e63e402bdfef64955

  • SSDEEP

    192:3rqvqucLm8WrcchKMqiJQjwPRn4sU9Vw:3rUqbOPhKMqkPws

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe
    "C:\Users\Admin\AppData\Local\Temp\ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Users\Admin\AppData\Local\Temp\sys3.exe
      C:\Users\Admin\AppData\Local\Temp\\sys3.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39fe055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sys3.exe
    Filesize

    10KB

    MD5

    f6ec322450da7ee7f89092d4f7fb370a

    SHA1

    50792442361e3fd992f17361cb1611ced431aad5

    SHA256

    ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33

    SHA512

    edf1d87789957597355c46c6343e9718eae70d2b073d5a6ddef4c610007e297aaac877d17a13730f1d8ebc4e1b17d84c9bc2e546d99bb30e63e402bdfef64955

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\sys3.exe
    Filesize

    10KB

    MD5

    f6ec322450da7ee7f89092d4f7fb370a

    SHA1

    50792442361e3fd992f17361cb1611ced431aad5

    SHA256

    ad91d4f5be9178df7b570e6db5a8d1fded1a95e843b30be108ed821b33504b33

    SHA512

    edf1d87789957597355c46c6343e9718eae70d2b073d5a6ddef4c610007e297aaac877d17a13730f1d8ebc4e1b17d84c9bc2e546d99bb30e63e402bdfef64955

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\systm.txt
    Filesize

    102B

    MD5

    14ea64272280284cbb1244795075abdc

    SHA1

    d702e1e380fc524d49b70629c603830edd5af568

    SHA256

    7cbb09d3f8c0544f4d18377a36e2a2939ad052f6ec39c2eaa5a0814fa5281ab0

    SHA512

    f677b773db01e90e65b20556af8706c8fb5daafd06430bac38f3b46d5ab78e37f4e754ff7e760b67078ff56a73282b6fa28da1d42eb8977741361694ba8444a1

    Download Submit
  • memory/1388-132-0x000000002AA00000-0x000000002AA05000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1388-138-0x000000002AA00000-0x000000002AA05000-memory.dmp
    Filesize

    20KB

    Download
  • memory/2004-133-0x0000000000000000-mapping.dmp
    Download
  • memory/2004-136-0x000000002AA00000-0x000000002AA05000-memory.dmp
    Filesize

    20KB

    Download