aae9a7e95acbbe7ab48ee0d732f2d15866f7794cd7d6415eb68c57124cd40b27 | Triage

Analysis

max time kernel
3s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 13:34

Sharing

Report Analysis Logs

General

Target

free.exe
Size

221KB
MD5

a083918dbf9fe0fe4dd0e4aa553d678f
SHA1

4bf49c54b4d002af3e6d1427a8fe53ba5db7b003
SHA256

aae9a7e95acbbe7ab48ee0d732f2d15866f7794cd7d6415eb68c57124cd40b27
SHA512

17f2fd252b7227557c23bde35f2709dea27f5552b733459d022db99f340fea3151f715dbff5e456ab4d52489f32c9a7496a7576c6b9a077279ed425fae9c9cf0
SSDEEP

3072:E+n3c64/ES9IGjwMmJdwt/h4RB8MBvses058T4GoY46ZbXeFLrGC:n3J279IGjwMYdwVKRB8MlfGohXr

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

free.exe

description ioc process

File opened for modification \??\PhysicalDrive0 free.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

free.exe

description pid process

Token: SeShutdownPrivilege 2376 free.exe

C:\Users\Admin\AppData\Local\Temp\free.exe
"C:\Users\Admin\AppData\Local\Temp\free.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:2376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...