36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39

Analysis

max time kernel
90s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2023, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39.exe
Size

4.3MB
MD5

7e4e3d0fd5077c6136e2ae770c05eeee
SHA1

fbf002daca010bee8cd111155040a5b7f6415508
SHA256

36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39
SHA512

e9cd9604f8a0e1b270a8f5973e6492428e7cda7bdf77cbbde0e7836f2a241c72b105074ce131e958da680e2a2e76d7c964cfff7251feb11a0f74d4c88731bcea
SSDEEP

98304:ortgZjSDBQuCDcZgJG4qLceztSHdC6bPmj4mrChPyNbfHxbOH/h5vVQ4K/i47uKL:BVQlk4UFFE

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
444	36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system\GetVarPtr.dll	36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39.exe
File created	C:\Windows\system\Smartvsd.vxd	36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39.exe
File created	C:\Windows\SYSTEM\IOSUBSYS\Smartvsd.vxd	36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
444	36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39.exe
444	36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39.exe
444	36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39.exe
444	36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39.exe
444	36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39.exe

C:\Users\Admin\AppData\Local\Temp\36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39.exe
"C:\Users\Admin\AppData\Local\Temp\36c7c8639744ed23ca7bff840c7dfc0ef1fdbc7694e25691de202080c825dd39.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\GetVarPtr.dll

Filesize
5KB

MD5
a6a3f9773cd5be8a8efdd4c12c2fdedd

SHA1
9ee0f06bc9f490d4ee52ddda739a594cc3e86071

SHA256
b8f68576d6845c0ffd201099885149c6285b6bc9dedae0420c5601e6b37cc405

SHA512
bf88b3fda9978383683615fe611aa5add0550fde223a6505485d7dd92c75c01606c5d29bd454619bebfc273cb274eecaaddad29b878b6dbe3aaede2f31b32b5c

Download Submit
memory/444-133-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download