Behavioral Report

Analysis

max time kernel
141s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-03-2023 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356.exe
Size

860KB
MD5

a82035d58cf5de9a1d7177ebbacbc66f
SHA1

b40ffc1f18aefbc5a91a05d71498091c399b4b2f
SHA256

97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356
SHA512

2644c7cb42b7dba05d8059f10301d4e83477e128cf011122675959259d2f52c8af98a10c181e69b34fedffc75031bd43efa4b473c32c5caa7f9d2354148b546c
SSDEEP

24576:sEhBGLgmagzIXdVZ3fD/X/9KRHOQUiQUmCBRVt:sURljN3D/Y0QUiQUtBR3

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356.exe

description ioc process

File opened for modification \??\PhysicalDrive0 97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356.exe

pid process

1388 97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356.exe

pid	process
1388	97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356.exe

description	pid	process	target process
PID 1388 wrote to memory of 1356	1388	97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356.exe	cmd.exe
PID 1388 wrote to memory of 1356	1388	97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356.exe	cmd.exe
PID 1388 wrote to memory of 1356	1388	97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356.exe	cmd.exe
PID 1388 wrote to memory of 1356	1388	97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356.exe
"C:\Users\Admin\AppData\Local\Temp\97b2ba1c6b87912a0216f180f6549de500e221e519d6630ddfdb31aba6fd2356.exe"
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1Rom.dmp
PID:1356

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

00:00 00:00

Downloads

memory/1388-57-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1388-58-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download