7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3

Analysis

max time kernel
291s
max time network
362s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 23:18

Target

7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe
Size

972KB
MD5

7e6204584c0ae455836d2d9733a32b70
SHA1

3bc0e6cd46ecba671b305c293eb4874cc392844b
SHA256

7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3
SHA512

ffd13b1ab3ffa691db025d21a28cc5b6a0ad707262bee93244a00ea4760938cb489a93defe7b0507ca04fa2ca45b5df01f85c91e8cc4563e4ff1d8594f89d82c
SSDEEP

12288:npZ7RqTHG1GtRmjWjRlgivK2YyUxUi2MOOpnjuNIOHeOPYxYIswU6fsDukauZHc6:f7YTmhUlV4xUlOJjuN5HeU+hXJetGj

Score

6^/10

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe

description ioc process

File opened for modification \??\PhysicalDrive0 7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1844 PING.EXE

description	ioc	process
File opened for modification	\??\PhysicalDrive0	7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe

pid	process
1844	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.execmd.exe

description	pid	process	target process
PID 4140 wrote to memory of 704	4140	7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe	cmd.exe
PID 4140 wrote to memory of 704	4140	7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe	cmd.exe
PID 4140 wrote to memory of 704	4140	7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe	cmd.exe
PID 704 wrote to memory of 1844	704	cmd.exe	PING.EXE
PID 704 wrote to memory of 1844	704	cmd.exe	PING.EXE
PID 704 wrote to memory of 1844	704	cmd.exe	PING.EXE

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\7cf276d9e1296de849166878c2af0ffcad34d555f126533a06be4522357d05c3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:1844

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact