b85e4f77fd1aef89e77152bc9c414695ae57f574848636b42e02bf24c425fd63

Analysis

max time kernel
166s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b85e4f77fd1aef89e77152bc9c414695ae57f574848636b42e02bf24c425fd63.exe
Size

254KB
MD5

c261ff4633ee4c59a4c5662e500caf95
SHA1

7ddbd3ec2037ca868177461da4fcc4ea6681f17d
SHA256

b85e4f77fd1aef89e77152bc9c414695ae57f574848636b42e02bf24c425fd63
SHA512

63a952a9bddbcf9929fb1bb4d2b1cba31abb3e00c9ecf7acb13f81e92ce31eb6076a11236de29f31fb3c414aa0ef285204428111fef06dc03cd453b4bf142588
SSDEEP

6144:re5lGjK/hsU8jNbCUy8pi8x04DRoctwv/hXIhBaRfkQ6w:K5lGjFjJCUnX0ijtch4wM9w

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4528	regsvr32.exe
4528	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b85e4f77fd1aef89e77152bc9c414695ae57f574848636b42e02bf24c425fd63.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4268	b85e4f77fd1aef89e77152bc9c414695ae57f574848636b42e02bf24c425fd63.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 4528	4268	b85e4f77fd1aef89e77152bc9c414695ae57f574848636b42e02bf24c425fd63.exe	82
PID 4268 wrote to memory of 4528	4268	b85e4f77fd1aef89e77152bc9c414695ae57f574848636b42e02bf24c425fd63.exe	82
PID 4268 wrote to memory of 4528	4268	b85e4f77fd1aef89e77152bc9c414695ae57f574848636b42e02bf24c425fd63.exe	82

C:\Users\Admin\AppData\Local\Temp\b85e4f77fd1aef89e77152bc9c414695ae57f574848636b42e02bf24c425fd63.exe
"C:\Users\Admin\AppData\Local\Temp\b85e4f77fd1aef89e77152bc9c414695ae57f574848636b42e02bf24c425fd63.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\b85e4f77fd1aef89e77152bc9c414695ae57f574848636b42e02bf24c425fd63.dll"
  2⤵
  - Loads dropped DLL
  PID:4528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b85e4f77fd1aef89e77152bc9c414695ae57f574848636b42e02bf24c425fd63.dll

Filesize
254KB

MD5
0cae6f63de4f5e112b24b26603a2018a

SHA1
f2e379651a2ee065ee2c47c252ed2c3fe272fea1

SHA256
51b8f21e3edc1eee4b29de3aceeabca5a57d3e75a911e88d98dc7b221e2740f6

SHA512
eb6813eb32da05003de7e12ef3c901d1503e6dd706162af9d219603ee3a143a56f9f2b3bec2fe5da9e61bdd0343b0932af86ff2df38f6a887a26d08b5ccac606

Download Submit
C:\Users\Admin\AppData\Local\Temp\b85e4f77fd1aef89e77152bc9c414695ae57f574848636b42e02bf24c425fd63.dll

Filesize
254KB

MD5
0cae6f63de4f5e112b24b26603a2018a

SHA1
f2e379651a2ee065ee2c47c252ed2c3fe272fea1

SHA256
51b8f21e3edc1eee4b29de3aceeabca5a57d3e75a911e88d98dc7b221e2740f6

SHA512
eb6813eb32da05003de7e12ef3c901d1503e6dd706162af9d219603ee3a143a56f9f2b3bec2fe5da9e61bdd0343b0932af86ff2df38f6a887a26d08b5ccac606

Download Submit
C:\Users\Admin\AppData\Local\Temp\b85e4f77fd1aef89e77152bc9c414695ae57f574848636b42e02bf24c425fd63.dll

Filesize
254KB

MD5
0cae6f63de4f5e112b24b26603a2018a

SHA1
f2e379651a2ee065ee2c47c252ed2c3fe272fea1

SHA256
51b8f21e3edc1eee4b29de3aceeabca5a57d3e75a911e88d98dc7b221e2740f6

SHA512
eb6813eb32da05003de7e12ef3c901d1503e6dd706162af9d219603ee3a143a56f9f2b3bec2fe5da9e61bdd0343b0932af86ff2df38f6a887a26d08b5ccac606

Download Submit
memory/4268-135-0x0000000000690000-0x0000000000702000-memory.dmp

Filesize
456KB

Download
memory/4268-132-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4268-134-0x0000000000690000-0x0000000000702000-memory.dmp

Filesize
456KB

Download
memory/4268-133-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4528-136-0x0000000000000000-mapping.dmp

Download
memory/4528-140-0x0000000002A40000-0x0000000002AB6000-memory.dmp

Filesize
472KB

Download
memory/4528-141-0x0000000002A40000-0x0000000002AB6000-memory.dmp

Filesize
472KB

Download
memory/4528-142-0x0000000002A40000-0x0000000002AB6000-memory.dmp

Filesize
472KB

Download
memory/4528-143-0x0000000002AD0000-0x0000000002B42000-memory.dmp

Filesize
456KB

Download
memory/4528-144-0x0000000002AD0000-0x0000000002B42000-memory.dmp

Filesize
456KB

Download