5fb13ca81e31732ed149d18f2e7cedda0ca2cfa8962cfce3ffea6acbbdf5d403

Analysis

max time kernel
190s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wenminggd_sl.exe
Size

1.2MB
MD5

ef6a20847627d443f906f0cbb3f4c1b4
SHA1

836a2433a7e36db59ecab3de9c39bac9e36ca6f8
SHA256

14fa59defe7e2c25cfa52bcab6e5ef6b635882aeafbe4a9f86215d363978594e
SHA512

c1d9f4ec29c28bce2a5488aca5eb3e2120e1bf9499819832195c360423ee1e535889f958d4e43fa2981a5d9767bd446df498090f2ffb24b453c9166a40d8da8f
SSDEEP

24576:vp5UAiLo6HPk0aBTN+YMV1Vx6AGOqfIe7VKG3u:v4SF0sBM1VyOq7KR

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

wenminggd_sl.exe

description ioc process

File opened for modification \??\PhysicalDrive0 wenminggd_sl.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	wenminggd_sl.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wenminggd_sl.exe

description	pid	process
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe
Token: 33	4648	wenminggd_sl.exe
Token: SeIncBasePriorityPrivilege	4648	wenminggd_sl.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

wenminggd_sl.exe

pid process

4648 wenminggd_sl.exe
4648 wenminggd_sl.exe
4648 wenminggd_sl.exe

pid	process
4648	wenminggd_sl.exe
4648	wenminggd_sl.exe
4648	wenminggd_sl.exe

C:\Users\Admin\AppData\Local\Temp\wenminggd_sl.exe
"C:\Users\Admin\AppData\Local\Temp\wenminggd_sl.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads