667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-12-2022 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
Size

22KB
MD5

3ab1a46fb93efbf7bcc225b3acb26681
SHA1

621516608f11fb501fe76a99670621e74e01a57a
SHA256

667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf
SHA512

05bda3a57e51535e6572cc124387baf181af2d3be60766e1f3c3188be98ff8242d159e68e4aa74eda6f9060b1f597ebe24b4cabb649aba0ac10481583550907e
SSDEEP

192:+MCSkeJmOat/+Lec8HuPu5PFfuSUYFCh5H4H5sD3SCq5XD4aZI+FSVlUFFKi/wzc:mVOaerRPubuBPHTSC0XEaNS/UFFKi/p

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe

description ioc process

File opened for modification \??\PhysicalDrive0 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
Runs net.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.execmd.exenet.exe

description	pid	process	target process
PID 2044 wrote to memory of 1788	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	cmd.exe
PID 2044 wrote to memory of 1788	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	cmd.exe
PID 2044 wrote to memory of 1788	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	cmd.exe
PID 1788 wrote to memory of 1764	1788	cmd.exe	net.exe
PID 1788 wrote to memory of 1764	1788	cmd.exe	net.exe
PID 1788 wrote to memory of 1764	1788	cmd.exe	net.exe
PID 1764 wrote to memory of 1740	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1740	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1740	1764	net.exe	net1.exe
PID 2044 wrote to memory of 1176	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	cmd.exe
PID 2044 wrote to memory of 1176	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	cmd.exe
PID 2044 wrote to memory of 1176	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	cmd.exe
PID 2044 wrote to memory of 1340	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	cmd.exe
PID 2044 wrote to memory of 1340	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	cmd.exe
PID 2044 wrote to memory of 1340	2044	667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
"C:\Users\Admin\AppData\Local\Temp\667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user 123456
2⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\net.exe
net user 123456
3⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 123456
4⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1340

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1176-57-0x0000000000000000-mapping.dmp

Download
memory/1340-58-0x0000000000000000-mapping.dmp

Download
memory/1740-56-0x0000000000000000-mapping.dmp

Download
memory/1764-55-0x0000000000000000-mapping.dmp

Download
memory/1788-54-0x0000000000000000-mapping.dmp

Download