f4c079a88e63c4bea93324f407e2f4fc19c8703f5aa879b6dffb02999e0abdf8

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stonepollp77_jxl.exe
Size

1.5MB
MD5

01208d19840a8122c054dfedb65a9812
SHA1

e969a40f52dc51d781ce56835d0944511adab159
SHA256

b7ed40beb2fc7b523785905804869d193d53acdab7682a97f4a77d6572db187d
SHA512

05ae3da560bdbda1f256ec13b6273c368421292d591a1c751983b3e19447779815ef738711d4d8e774d1755777a1615c3766d565048452bc47ef9706a8829f6a
SSDEEP

24576:89AhZvV6h+Xmt1KvkYgQr6p+pq7v3mC5JvhSv9Q/DKC/Kr/tNWKkNXbpmgc/rMGI:8e1jgZ7vn5bc66LtjkNXggczMP

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

stonepollp77_jxl.exe

pid process

4072 stonepollp77_jxl.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

stonepollp77_jxl.exe

description ioc process

File opened for modification \??\PhysicalDrive0 stonepollp77_jxl.exe

pid	process
4072	stonepollp77_jxl.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	stonepollp77_jxl.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

stonepollp77_jxl.exe

description	pid	process
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe
Token: 33	4072	stonepollp77_jxl.exe
Token: SeIncBasePriorityPrivilege	4072	stonepollp77_jxl.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

stonepollp77_jxl.exe

pid process

4072 stonepollp77_jxl.exe
4072 stonepollp77_jxl.exe
4072 stonepollp77_jxl.exe

pid	process
4072	stonepollp77_jxl.exe
4072	stonepollp77_jxl.exe
4072	stonepollp77_jxl.exe

C:\Users\Admin\AppData\Local\Temp\stonepollp77_jxl.exe
"C:\Users\Admin\AppData\Local\Temp\stonepollp77_jxl.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AntiVC.dll

Filesize
232KB

MD5
8319c6405af5d25077f9924a21ae3dd5

SHA1
1bc6a7abfbe93632f286f92effc01fb6bf9a65f3

SHA256
4311e07792323dc276972151a609d4b2f3fd3fbb9504c486009ae0c7e6dde0fd

SHA512
0479b615157c63416ee914e4016d679e8d764b95ebc754011a41c53f936ec92f344e129621f55882d812a4c170e95812aef84190bd03baf9ed422c97a6cb7f61

Download Submit