667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-12-2022 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
Size

22KB
MD5

3ab1a46fb93efbf7bcc225b3acb26681
SHA1

621516608f11fb501fe76a99670621e74e01a57a
SHA256

667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf
SHA512

05bda3a57e51535e6572cc124387baf181af2d3be60766e1f3c3188be98ff8242d159e68e4aa74eda6f9060b1f597ebe24b4cabb649aba0ac10481583550907e
SSDEEP

192:+MCSkeJmOat/+Lec8HuPu5PFfuSUYFCh5H4H5sD3SCq5XD4aZI+FSVlUFFKi/wzc:mVOaerRPubuBPHTSC0XEaNS/UFFKi/p

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe

Runs net.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1788	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	29
PID 2044 wrote to memory of 1788	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	29
PID 2044 wrote to memory of 1788	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	29
PID 1788 wrote to memory of 1764	1788	cmd.exe	30
PID 1788 wrote to memory of 1764	1788	cmd.exe	30
PID 1788 wrote to memory of 1764	1788	cmd.exe	30
PID 1764 wrote to memory of 1740	1764	net.exe	31
PID 1764 wrote to memory of 1740	1764	net.exe	31
PID 1764 wrote to memory of 1740	1764	net.exe	31
PID 2044 wrote to memory of 1176	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	32
PID 2044 wrote to memory of 1176	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	32
PID 2044 wrote to memory of 1176	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	32
PID 2044 wrote to memory of 1340	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	33
PID 2044 wrote to memory of 1340	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	33
PID 2044 wrote to memory of 1340	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	33

C:\Users\Admin\AppData\Local\Temp\667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
"C:\Users\Admin\AppData\Local\Temp\667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user 123456
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\system32\net.exe
    net user 123456
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user 123456
      4⤵
      PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1176-57-0x0000000000000000-mapping.dmp

Download
memory/1340-58-0x0000000000000000-mapping.dmp

Download
memory/1740-56-0x0000000000000000-mapping.dmp

Download
memory/1764-55-0x0000000000000000-mapping.dmp

Download
memory/1788-54-0x0000000000000000-mapping.dmp

Download