Analysis

max time kernel: 190s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2022 19:38
Static task: static1
Behavioral task: behavioral1 (sample bb07ed5e931d63b1313ce016feb64416343ce724d2744bb458146b54acd5c9ad.exe, resource win7-20220812-en)
Behavioral task: behavioral2 (sample bb07ed5e931d63b1313ce016feb64416343ce724d2744bb458146b54acd5c9ad.exe, resource win10v2004-20221111-en)
General

Target: bb07ed5e931d63b1313ce016feb64416343ce724d2744bb458146b54acd5c9ad.exe
Size: 421KB
MD5: 2191b9f9105f24232a91c030ee843f95
SHA1: a6edb3ce6f9f0b07c7786c301710ce78007fb094
SHA256: bb07ed5e931d63b1313ce016feb64416343ce724d2744bb458146b54acd5c9ad
SHA512: 96d617a464ae965d6aa21a0c68c92fbfb390f778fdf13d947174f07cfc0db5159e783ede9f92146429be586d62dae17d4ad67c01ce5f423a80fce79f2406fbbc
SSDEEP: 12288:hEfrpWmQBXPi7+eoJ75WTE4DQFu/U3buRKlemZ9DnGAeduu+fz6h4C:WjpWmQZPe+4T1uzzk
Malware Config
Signatures

Creates new service(s) (1 TTPs)

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description: File opened for modification | ioc: \??\PhysicalDrive0 | process: bb07ed5e931d63b1313ce016feb64416343ce724d2744bb458146b54acd5c9ad.exe

Drops file in System32 directory (1 IoCs)
Processes:
  description: File created | ioc: C:\Windows\SysWOW64\at.bat | process: bb07ed5e931d63b1313ce016feb64416343ce724d2744bb458146b54acd5c9ad.exe

Launches sc.exe (1 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes:
  pid: 5116 | process: sc.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes:
  description: Token: SeIncBasePriorityPrivilege | pid: 1716 | process: bb07ed5e931d63b1313ce016feb64416343ce724d2744bb458146b54acd5c9ad.exe (9 identical entries)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description: PID 1716 wrote to memory of 3332 | pid: 1716 | process: bb07ed5e931d63b1313ce016feb64416343ce724d2744bb458146b54acd5c9ad.exe | target process: cmd.exe (3 identical entries)
  description: PID 3332 wrote to memory of 5116 | pid: 3332 | process: cmd.exe | target process: sc.exe (3 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\bb07ed5e931d63b1313ce016feb64416343ce724d2744bb458146b54acd5c9ad.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\bb07ed5e931d63b1313ce016feb64416343ce724d2744bb458146b54acd5c9ad.exe"
   - Writes to the Master Boot Record (MBR)
   - Drops file in System32 directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of 1)
      command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\at.bat
      (the sample runs as a 32-bit process, so WOW64 file system redirection maps C:\Windows\system32 to C:\Windows\SysWOW64, which is where at.bat was dropped)
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\sc.exe (child of 2)
         command line: sc create Windriversrv32 start= auto displayname= WinDriver32 binpath= "C:\Users\Admin\AppData\Local\Temp\bb07ed5e931d63b1313ce016feb64416343ce724d2744bb458146b54acd5c9ad.exe -start"
         - Launches sc.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\SysWOW64\at.bat
Filesize: 203B
MD5: 3f8ce1300bded49117dc3113efee51fd
SHA1: b21dba7de37a7b8e4aab582983e4902a775dc2e0
SHA256: 828d1d44f0def28c4a086dfeaa80895ac777950031e82e9fba21d2fa7fd65786
SHA512: 964b0f19e52350afeb830a2b30ffb6ec74bd1c42950a499ed447aaf6ab41bdff2a1ac7364d7195c089b623c1e5a73ed17a916131f8fcf767c3da2bbc07f56519

memory/3332-132-0x0000000000000000-mapping.dmp
memory/5116-134-0x0000000000000000-mapping.dmp