9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162

Analysis

max time kernel
229s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe
Size

210KB
MD5

12ef3d9130eff317e91e29fcb9404d9e
SHA1

ccd65ba707b5018ef01c1903e24543fb8ca4d86d
SHA256

9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162
SHA512

700335afebb13286724418a1304819e1a312a78c0ed18d3d1e156ca2d710f4fe979f08ef114b239ad3564adbb94790a513cd0b0b24b805f06b929a11562ca42b
SSDEEP

6144:kOYhHKkXm0Pw0DYws3ZcDOQKN8Q2ZGStb:/+HKk20w3wKWvb

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 560	1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe	28
PID 1972 set thread context of 0	1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 560	1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe	28
PID 1972 wrote to memory of 560	1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe	28
PID 1972 wrote to memory of 560	1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe	28
PID 1972 wrote to memory of 560	1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe	28
PID 1972 wrote to memory of 560	1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe	28
PID 1972 wrote to memory of 560	1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe	28
PID 1972 wrote to memory of 560	1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe	28
PID 1972 wrote to memory of 560	1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe	28
PID 1972 wrote to memory of 0	1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe
PID 1972 wrote to memory of 0	1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe
PID 1972 wrote to memory of 0	1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe
PID 1972 wrote to memory of 0	1972	9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe

C:\Users\Admin\AppData\Local\Temp\9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe
"C:\Users\Admin\AppData\Local\Temp\9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe
  "C:\Users\Admin\AppData\Local\Temp\9e28afe5b53da58aefc26e23eb600de4828acf4d7b42b8ade6ab34b6a9724162.exe"
  2⤵
  PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/0-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/560-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/560-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/560-66-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download
memory/560-67-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1972-54-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1972-61-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1972-62-0x00000000002F0000-0x0000000000320000-memory.dmp

Filesize
192KB

Download
memory/1972-63-0x0000000000370000-0x00000000003D3000-memory.dmp

Filesize
396KB

Download
memory/1972-65-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download