e0c9679691bc31433764a735d5513b3332435aa34f95598a6a7716620376eba1

Analysis

max time kernel
16s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0c9679691bc31433764a735d5513b3332435aa34f95598a6a7716620376eba1.exe
Size

197KB
MD5

601ecd7a86b55d24ef1eadbfe4739e10
SHA1

0127c16510752edc5291d06493d20884305100cb
SHA256

e0c9679691bc31433764a735d5513b3332435aa34f95598a6a7716620376eba1
SHA512

fe0320fe484be77d14631fa30658416d4472ed988f9627d5d42af8f4a607dd1246fbd496325ebbd9e8dc6a84fabcb4fdc165cd3786334cf06859403e3ac46c4e
SSDEEP

6144:YX5uh9dAf1qhH+8ieKAdOKyT3VvQxZr1N13CVyCXpQxlU:S4XAiQTh0Z5N1y/ZoU

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	e0c9679691bc31433764a735d5513b3332435aa34f95598a6a7716620376eba1.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
888	1348	WerFault.exe	22

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 888	1348	e0c9679691bc31433764a735d5513b3332435aa34f95598a6a7716620376eba1.exe	28
PID 1348 wrote to memory of 888	1348	e0c9679691bc31433764a735d5513b3332435aa34f95598a6a7716620376eba1.exe	28
PID 1348 wrote to memory of 888	1348	e0c9679691bc31433764a735d5513b3332435aa34f95598a6a7716620376eba1.exe	28
PID 1348 wrote to memory of 888	1348	e0c9679691bc31433764a735d5513b3332435aa34f95598a6a7716620376eba1.exe	28

C:\Users\Admin\AppData\Local\Temp\e0c9679691bc31433764a735d5513b3332435aa34f95598a6a7716620376eba1.exe
"C:\Users\Admin\AppData\Local\Temp\e0c9679691bc31433764a735d5513b3332435aa34f95598a6a7716620376eba1.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 296
  2⤵
  - Program crash
  PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/888-56-0x0000000000000000-mapping.dmp

Download
memory/1348-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/1348-55-0x00000000012E0000-0x000000000143A000-memory.dmp

Filesize
1.4MB

Download