1564919543f2198637816429f40ef8e829860063588859fce4ed002761205308

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2023, 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

#~(34$eyqII9V5Y+}{+$.exe
Size

1008KB
MD5

e8659247d28fd7d544cc199033326e73
SHA1

dcd551a8617835b5dabc03c83e7709d6bba2670c
SHA256

1564919543f2198637816429f40ef8e829860063588859fce4ed002761205308
SHA512

e4b6aaee51301a0d5465629236543891bcabff1eb7bd05537cc0b400b801bc2730db5b9e7c1d4163613aeef7ccf67fc835741642b627e2b1ad28b769d85ac988
SSDEEP

24576:2jLRKkP4WChDxuk4JBJ/6ERHywedip4R4IDU5nmVz1W:2jLR3PvKEkoBRRRHyweds4RxU5nmVz1W

Score

8^/10

bootkit persistence vmprotect

Malware Config

Signatures

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/5044-132-0x0000000000E00000-0x0000000000FD6000-memory.dmp	vmprotect
behavioral1/memory/5044-133-0x0000000000E00000-0x0000000000FD6000-memory.dmp	vmprotect
behavioral1/memory/5044-134-0x0000000000E00000-0x0000000000FD6000-memory.dmp	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	#~(34$eyqII9V5Y+}{+$.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4864	1752	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
5044	#~(34$eyqII9V5Y+}{+$.exe
5044	#~(34$eyqII9V5Y+}{+$.exe

C:\Users\Admin\AppData\Local\Temp\#~(34$eyqII9V5Y+}{+$.exe
"C:\Users\Admin\AppData\Local\Temp\#~(34$eyqII9V5Y+}{+$.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 1752 -ip 1752
1⤵
PID:4820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1752 -s 852
1⤵
- Program crash
PID:4864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5044-132-0x0000000000E00000-0x0000000000FD6000-memory.dmp

Filesize
1.8MB

Download
memory/5044-133-0x0000000000E00000-0x0000000000FD6000-memory.dmp

Filesize
1.8MB

Download
memory/5044-134-0x0000000000E00000-0x0000000000FD6000-memory.dmp

Filesize
1.8MB

Download