cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7

Analysis

max time kernel
87s
max time network
110s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 09:34

Target

cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe
Size

2.5MB
MD5

865155e52d151a3f3f530d43d19f160c
SHA1

09a4adf488637804bf70c70d6fac9056847db83b
SHA256

cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7
SHA512

2131c68a18e7738ccc843a0d46c04ad6b4ef88d14289afabe312f89d879317f46ba20ccca407ad1928f917e0eb0fee1b10c2c220c1c0be5a27312956291e5844
SSDEEP

49152:gqaQM7yo/otJxf4cCfamLrkWjRnXmTgCZjQaCbe1jJ4jK3f6NRCUxKNGd:euogvxf4cCfPLrk2nXmTgCZgbe1l4jKc

Score

7^/10

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1028 cmd.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe

description ioc process

File opened for modification \??\PhysicalDrive0 cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1172 PING.EXE

pid	process
1028	cmd.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe

pid	process
1172	PING.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.execmd.exe

description	pid	process	target process
PID 1204 wrote to memory of 1028	1204	cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe	cmd.exe
PID 1204 wrote to memory of 1028	1204	cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe	cmd.exe
PID 1204 wrote to memory of 1028	1204	cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe	cmd.exe
PID 1204 wrote to memory of 1028	1204	cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe	cmd.exe
PID 1028 wrote to memory of 1172	1028	cmd.exe	PING.EXE
PID 1028 wrote to memory of 1172	1028	cmd.exe	PING.EXE
PID 1028 wrote to memory of 1172	1028	cmd.exe	PING.EXE
PID 1028 wrote to memory of 1172	1028	cmd.exe	PING.EXE

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:1172

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1028-55-0x0000000000000000-mapping.dmp

Download
memory/1172-56-0x0000000000000000-mapping.dmp

Download
memory/1204-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download