6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7

Analysis

max time kernel
36s
max time network
80s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 21:47

Target

6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe
Size

845KB
MD5

dffeb8dae0fb4d2c6bf0fd9d2463b44f
SHA1

23b2e86676e77462f0f5b71bd77c14ffe0ee32b0
SHA256

6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7
SHA512

ec36f20dae2fe0dcc54cf5837edf4c6e568fe502d30cda8894d83e7d502c6046437339bf5cc4de6c03d8277bb78609201e112b78dbda2a930434531d1b340f35
SSDEEP

12288:5HmazRrqCpsZJ/p3FcSHVUFXDq0V6F/EolcjlFgwb4CjHBD9JWqdlzgzJF7ccYFf:lde/oSHVCKhcxFJLlX5pdf

Score

7^/10

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

900 cmd.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe

description ioc process

File opened for modification \??\PhysicalDrive0 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

532 PING.EXE

pid	process
900	cmd.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe

pid	process
532	PING.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.execmd.exe

description	pid	process	target process
PID 1380 wrote to memory of 900	1380	6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe	cmd.exe
PID 1380 wrote to memory of 900	1380	6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe	cmd.exe
PID 1380 wrote to memory of 900	1380	6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe	cmd.exe
PID 1380 wrote to memory of 900	1380	6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe	cmd.exe
PID 900 wrote to memory of 532	900	cmd.exe	PING.EXE
PID 900 wrote to memory of 532	900	cmd.exe	PING.EXE
PID 900 wrote to memory of 532	900	cmd.exe	PING.EXE
PID 900 wrote to memory of 532	900	cmd.exe	PING.EXE

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:532

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/532-56-0x0000000000000000-mapping.dmp

Download
memory/900-55-0x0000000000000000-mapping.dmp

Download
memory/1380-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download