c2e771645fba089da50482f34c738ce3e2151d1fd102cc145d7d72122bf897ee

Analysis

max time kernel
29s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-03-2023 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Triphenylarsine.exe
Size

125KB
MD5

962068032e7d6fc2fa259d4c3c353f07
SHA1

87e0421776ffd5c542d8b3339b82a056813ad4ac
SHA256

93b7015c3a8fba2336ee4850848b4e34c58b6c8ce3b8c27f634d54f6dac093ad
SHA512

cd05079cb358137ebec7665ded7743422918ef776e2d81c435b52a2a644ba802f492852ede76cecf6b5bc8225d7e208dcae8c637ce35794e951527dc391f4799
SSDEEP

1536:zfule+tm6YLX6D0mieQeEJDDOkPWH3v5yffVwsfbrGGfo5MrsWfG6cdS3Cy18z6V:c3ieQzJnDPWXxyfishfYjbSBo6CM

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Triphenylarsine.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Triphenylarsine.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

292 reg.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Triphenylarsine.exe

pid	process
292	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1044	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1044	AUDIODG.EXE
Token: 33	1044	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1044	AUDIODG.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Triphenylarsine.execmd.exe

description	pid	process	target process
PID 1320 wrote to memory of 908	1320	Triphenylarsine.exe	cmd.exe
PID 1320 wrote to memory of 908	1320	Triphenylarsine.exe	cmd.exe
PID 1320 wrote to memory of 908	1320	Triphenylarsine.exe	cmd.exe
PID 1320 wrote to memory of 908	1320	Triphenylarsine.exe	cmd.exe
PID 908 wrote to memory of 292	908	cmd.exe	reg.exe
PID 908 wrote to memory of 292	908	cmd.exe	reg.exe
PID 908 wrote to memory of 292	908	cmd.exe	reg.exe
PID 908 wrote to memory of 292	908	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\Triphenylarsine.exe
"C:\Users\Admin\AppData\Local\Temp\Triphenylarsine.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\reg.exe
REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
3⤵
- Modifies registry key
PID:292

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads