7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 23:18

Target

7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe
Size

972KB
MD5

7e6204584c0ae455836d2d9733a32b70
SHA1

3bc0e6cd46ecba671b305c293eb4874cc392844b
SHA256

7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3
SHA512

ffd13b1ab3ffa691db025d21a28cc5b6a0ad707262bee93244a00ea4760938cb489a93defe7b0507ca04fa2ca45b5df01f85c91e8cc4563e4ff1d8594f89d82c
SSDEEP

12288:npZ7RqTHG1GtRmjWjRlgivK2YyUxUi2MOOpnjuNIOHeOPYxYIswU6fsDukauZHc6:f7YTmhUlV4xUlOJjuN5HeU+hXJetGj

Score

7^/10

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1688 cmd.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe

description ioc process

File opened for modification \??\PhysicalDrive0 7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

776 PING.EXE

pid	process
1688	cmd.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe

pid	process
776	PING.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.execmd.exe

description	pid	process	target process
PID 1812 wrote to memory of 1688	1812	7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe	cmd.exe
PID 1812 wrote to memory of 1688	1812	7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe	cmd.exe
PID 1812 wrote to memory of 1688	1812	7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe	cmd.exe
PID 1812 wrote to memory of 1688	1812	7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe	cmd.exe
PID 1688 wrote to memory of 776	1688	cmd.exe	PING.EXE
PID 1688 wrote to memory of 776	1688	cmd.exe	PING.EXE
PID 1688 wrote to memory of 776	1688	cmd.exe	PING.EXE
PID 1688 wrote to memory of 776	1688	cmd.exe	PING.EXE

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:776

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/776-56-0x0000000000000000-mapping.dmp

Download
memory/1688-55-0x0000000000000000-mapping.dmp

Download
memory/1812-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download