fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace

Analysis

max time kernel
85s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 18:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Size

432KB
MD5

50baee9c599a3372da5d5f1efb67b096
SHA1

d106f1291c1f48e29387497bf5380dcc8828f846
SHA256

fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace
SHA512

0514176844d189ed16eca5e35c12781c8aea2c0ef4861af12cbce762c286dd246d26006e28256ac99c18f89902fb52f0af9aaab0aa5fcf5b9bfa7d3d5b8d88b1
SSDEEP

6144:nBF91mW7WdoADYwUdZMPCn4jF9GZtMtGOkq84BVMfj:l1mteWZcMPY4jFAZxhq84BVML

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe:*:Enabled:@xpsp2res.dll,-22019"	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 816 set thread context of 964	816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	27
PID 964 set thread context of 10044	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	28

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeAuditPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeBackupPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeChangeNotifyPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeCreatePagefilePrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeCreatePermanentPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeCreatePermanentPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeCreateTokenPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeIncBasePriorityPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeIncreaseQuotaPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeLoadDriverPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeLockMemoryPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeMachineAccountPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeProfSingleProcessPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeRemoteShutdownPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeRestorePrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeSecurityPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeShutdownPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeSystemEnvironmentPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeSystemProfilePrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeSystemtimePrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeTakeOwnershipPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeTcbPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
Token: SeDebugPrivilege	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 964	816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	27
PID 816 wrote to memory of 964	816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	27
PID 816 wrote to memory of 964	816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	27
PID 816 wrote to memory of 964	816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	27
PID 816 wrote to memory of 964	816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	27
PID 816 wrote to memory of 964	816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	27
PID 816 wrote to memory of 964	816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	27
PID 816 wrote to memory of 964	816	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	27
PID 964 wrote to memory of 10044	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	28
PID 964 wrote to memory of 10044	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	28
PID 964 wrote to memory of 10044	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	28
PID 964 wrote to memory of 10044	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	28
PID 964 wrote to memory of 10044	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	28
PID 964 wrote to memory of 10044	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	28
PID 964 wrote to memory of 10044	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	28
PID 964 wrote to memory of 10044	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	28
PID 964 wrote to memory of 10044	964	fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe	28

C:\Users\Admin\AppData\Local\Temp\fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
"C:\Users\Admin\AppData\Local\Temp\fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
  C:\Users\Admin\AppData\Local\Temp\fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
  2⤵
  - Modifies firewall policy service
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe
    C:\Users\Admin\AppData\Local\Temp\fbe3a7a59fa313814fceb7d94e14e8be5a6959ccb34a54e0f8d25228293dbace.exe -f
    3⤵
    PID:10044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-81-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/964-82-0x0000000000330000-0x000000000037D000-memory.dmp

Filesize
308KB

Download
memory/964-83-0x0000000000240000-0x0000000000264000-memory.dmp

Filesize
144KB

Download
memory/964-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/964-64-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/964-65-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/964-68-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/964-69-0x0000000000240000-0x000000000025E000-memory.dmp

Filesize
120KB

Download
memory/964-70-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/964-71-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/964-72-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/964-73-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/964-74-0x0000000000240000-0x0000000000259000-memory.dmp

Filesize
100KB

Download
memory/964-76-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/964-75-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/964-77-0x0000000000240000-0x0000000000255000-memory.dmp

Filesize
84KB

Download
memory/964-78-0x0000000000240000-0x0000000000258000-memory.dmp

Filesize
96KB

Download
memory/964-79-0x00000000025C0000-0x0000000002689000-memory.dmp

Filesize
804KB

Download
memory/964-80-0x0000000000240000-0x000000000025E000-memory.dmp

Filesize
120KB

Download
memory/964-57-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/964-56-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/964-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/964-84-0x00000000025C0000-0x0000000002666000-memory.dmp

Filesize
664KB

Download
memory/964-85-0x0000000000240000-0x000000000024B000-memory.dmp

Filesize
44KB

Download
memory/964-86-0x0000000000330000-0x0000000000361000-memory.dmp

Filesize
196KB

Download
memory/964-87-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/964-88-0x0000000000330000-0x000000000039B000-memory.dmp

Filesize
428KB

Download
memory/964-89-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/964-90-0x00000000025C0000-0x0000000002659000-memory.dmp

Filesize
612KB

Download
memory/964-91-0x0000000000330000-0x00000000003A1000-memory.dmp

Filesize
452KB

Download
memory/964-92-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/964-104-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/964-99-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/10044-96-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/10044-94-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/10044-97-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/10044-100-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/10044-103-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/10044-93-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/10044-105-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download