cbfbdea26a7168161e525becf3d9b46602e0f4797b5a53017e3184f338dc8cd3

Analysis

max time kernel
142s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:10

Target

cbfbdea26a7168161e525becf3d9b46602e0f4797b5a53017e3184f338dc8cd3.exe
Size

1013KB
MD5

641da3fce8817458cd4a661c1d235a8a
SHA1

af77a0a88d4bfe5705b9ba65fb157367ff5e03db
SHA256

cbfbdea26a7168161e525becf3d9b46602e0f4797b5a53017e3184f338dc8cd3
SHA512

e14fffd86972affc2718a65faca8b488e264c0dd3b96e0819c73cbb6a6ccc51546a5beea38f6506db3c83fad2bd1b2098d821fa87a7eebe20989e2225c8793e8
SSDEEP

24576:rEPrVEkNwwouWihUW3cfwspt82U1VTSv:4CMorfb82U1VTSv

Score

6^/10

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

cbfbdea26a7168161e525becf3d9b46602e0f4797b5a53017e3184f338dc8cd3.exe

description ioc process

File opened for modification \??\PhysicalDrive0 cbfbdea26a7168161e525becf3d9b46602e0f4797b5a53017e3184f338dc8cd3.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4660 PING.EXE

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cbfbdea26a7168161e525becf3d9b46602e0f4797b5a53017e3184f338dc8cd3.exe

pid	process
4660	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cbfbdea26a7168161e525becf3d9b46602e0f4797b5a53017e3184f338dc8cd3.execmd.exe

description	pid	process	target process
PID 2940 wrote to memory of 4644	2940	cbfbdea26a7168161e525becf3d9b46602e0f4797b5a53017e3184f338dc8cd3.exe	cmd.exe
PID 2940 wrote to memory of 4644	2940	cbfbdea26a7168161e525becf3d9b46602e0f4797b5a53017e3184f338dc8cd3.exe	cmd.exe
PID 2940 wrote to memory of 4644	2940	cbfbdea26a7168161e525becf3d9b46602e0f4797b5a53017e3184f338dc8cd3.exe	cmd.exe
PID 4644 wrote to memory of 4660	4644	cmd.exe	PING.EXE
PID 4644 wrote to memory of 4660	4644	cmd.exe	PING.EXE
PID 4644 wrote to memory of 4660	4644	cmd.exe	PING.EXE

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\cbfbdea26a7168161e525becf3d9b46602e0f4797b5a53017e3184f338dc8cd3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:4660

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact