bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897

Analysis

max time kernel
154s
max time network
57s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe
Size

173KB
MD5

af00299bf00dce2fe6dc4e1905fbfde1
SHA1

660f4f8fbeccda255fd261ee438941ba830da273
SHA256

bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897
SHA512

8a649a9e9e8bac3c88f76ce19e9d69bc563f2574063594eaddcabc4269ba8a89f5592a84d0d24a78821aed55d947eb2bb02d345d89e0637deaa9bbe1e5feccb6
SSDEEP

3072:wXLyy4bRXNujFqRlWRkNpZHPImtS5Es2K9Tbw9yDxh1OwMIP6LlcHD:kHI6qRlsk7BPXS5Es2ATbwifZNPulcHD

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe
File opened for modification	\??\PhysicalDrive0	bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe
File opened for modification	\??\PhysicalDrive0	BC4693~1.EXE

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	BC4693~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	BC4693~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	BC4693~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1056	1712	bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe	29
PID 1712 wrote to memory of 1056	1712	bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe	29
PID 1712 wrote to memory of 1056	1712	bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe	29
PID 1712 wrote to memory of 1056	1712	bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe	29

C:\Users\Admin\AppData\Local\Temp\bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe
"C:\Users\Admin\AppData\Local\Temp\bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:1772

C:\Users\Admin\AppData\Local\Temp\bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe
C:\Users\Admin\AppData\Local\Temp\bc46936a4ea1c2c8d11553d92bdf4e3c5454cff4b02b7c786ce30a6105452897.exe
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\BC4693~1.EXE
  C:\Users\Admin\AppData\Local\Temp\BC4693~1.EXE
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-66-0x00000000002F0000-0x0000000000320000-memory.dmp

Filesize
192KB

Download
memory/1056-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1712-62-0x00000000003C0000-0x00000000003F0000-memory.dmp

Filesize
192KB

Download
memory/1712-61-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1712-63-0x0000000001470000-0x00000000014A5000-memory.dmp

Filesize
212KB

Download
memory/1712-64-0x0000000001470000-0x00000000014A5000-memory.dmp

Filesize
212KB

Download
memory/1772-57-0x0000000000880000-0x0000000000884000-memory.dmp

Filesize
16KB

Download
memory/1772-54-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1772-56-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/1772-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1772-67-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1772-68-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download