347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8

Analysis

max time kernel
74s
max time network
70s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 02:59

Target

347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe
Size

813KB
MD5

7074d498d8cd671b832f20cb359ee790
SHA1

439d53759effe8c775da299fb78812a94cb10899
SHA256

347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8
SHA512

b956c4086d409ca144d2bf51cdf11d3c31555701a7aa240bdaabae4b565b466ea1e798a52b2f6cecae19070e22995b55d859f3d90bf80321404f646f499d9224
SSDEEP

12288:q24Y24N7N7xiiu3C5gkROzUJmka/tB2+udrhq8IWW92wu/BnRT933pRH+004xkTZ:Uz4NZfmkgt1uFNwu/X1z3O9UuNDm

Score

7^/10

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1084 cmd.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe

description ioc process

File opened for modification \??\PhysicalDrive0 347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1756 PING.EXE

pid	process
1084	cmd.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe

pid	process
1756	PING.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.execmd.exe

description	pid	process	target process
PID 1632 wrote to memory of 1084	1632	347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe	cmd.exe
PID 1632 wrote to memory of 1084	1632	347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe	cmd.exe
PID 1632 wrote to memory of 1084	1632	347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe	cmd.exe
PID 1632 wrote to memory of 1084	1632	347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe	cmd.exe
PID 1084 wrote to memory of 1756	1084	cmd.exe	PING.EXE
PID 1084 wrote to memory of 1756	1084	cmd.exe	PING.EXE
PID 1084 wrote to memory of 1756	1084	cmd.exe	PING.EXE
PID 1084 wrote to memory of 1756	1084	cmd.exe	PING.EXE

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:1756

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1084-55-0x0000000000000000-mapping.dmp

Download
memory/1632-54-0x0000000076301000-0x0000000076303000-memory.dmp

Filesize
8KB

Download
memory/1756-56-0x0000000000000000-mapping.dmp

Download