c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe
Size

406KB
MD5

9c3d25a355e7a7278d865e89f1a46468
SHA1

c55c2490a40b4084352a6f9bc465c4d838d281b7
SHA256

c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4
SHA512

17ad171fd300b4d0a4e853942ac0fe9925cab1978254f19ccc5e397d3c795d1f02762c1893b4665f8f455882d27cb2cf52a7027da645e7b4d640948e7866be44
SSDEEP

12288:PRksbZaslyiNuCrHqfk3fVyLmg/Tf2LHrT:PR7bCcuUqfkvELT0T

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1464	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 948	1464	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	26
PID 1464 wrote to memory of 948	1464	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	26
PID 1464 wrote to memory of 948	1464	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	26
PID 1464 wrote to memory of 948	1464	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	26
PID 1464 wrote to memory of 948	1464	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	26
PID 1464 wrote to memory of 948	1464	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	26
PID 1464 wrote to memory of 948	1464	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	26
PID 1464 wrote to memory of 948	1464	c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe	26

C:\Users\Admin\AppData\Local\Temp\c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe
"C:\Users\Admin\AppData\Local\Temp\c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe
  "C:\Users\Admin\AppData\Local\Temp\c74f778cbc9bbd030a611927e8a4b43ffbc91b9d595c0c6dd27674601657e7c4.exe"
  2⤵
  PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1464-56-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1464-57-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1464-58-0x0000000001EC0000-0x0000000001EC6000-memory.dmp

Filesize
24KB

Download