e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6

Resubmissions

03-04-2023 17:17

230403-vtpvasga85 6

03-04-2023 17:14

230403-vr9fxshg7z 6

Analysis

max time kernel
387s
max time network
444s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
03-04-2023 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PDFpower (3).exe
Size

1.0MB
MD5

1e2a99ae43d6365148d412b5dfee0e1c
SHA1

33c02d70abb2f1f12a79cfd780d875a94e7fe877
SHA256

e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6
SHA512

d962f2e4bbeee0183a3b75f26ccc6de273c28fe5a191c83c1e4ea6c84c8f70b535273452e05c5e11e4df725cad3054e346ad0b3d98348718a00a350b87a5fa0c
SSDEEP

24576:sWjYtbXSRxqO8m657w6ZBLmkitKqBCjC0PDgM5A6:sW8tbiJVV1BCjB

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

PDFpower (3).exe

description ioc process

File opened for modification \??\PhysicalDrive0 PDFpower (3).exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PDFpower (3).exe

description pid process

Token: SeDebugPrivilege 4296 PDFpower (3).exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	PDFpower (3).exe

description	pid	process
Token: SeDebugPrivilege	4296	PDFpower (3).exe

C:\Users\Admin\AppData\Local\Temp\PDFpower (3).exe
"C:\Users\Admin\AppData\Local\Temp\PDFpower (3).exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:4296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4296-116-0x0000000000EA0000-0x0000000000FAC000-memory.dmp

Filesize
1.0MB

Download
memory/4296-117-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/4296-118-0x0000000005B80000-0x0000000005C30000-memory.dmp

Filesize
704KB

Download
memory/4296-119-0x00000000032D0000-0x00000000032DA000-memory.dmp

Filesize
40KB

Download
memory/4296-120-0x00000000063E0000-0x000000000690C000-memory.dmp

Filesize
5.2MB

Download
memory/4296-122-0x000000000AAC0000-0x000000000AB26000-memory.dmp

Filesize
408KB

Download
memory/4296-123-0x000000000ABA0000-0x000000000ABD8000-memory.dmp

Filesize
224KB

Download
memory/4296-126-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/4296-127-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/4296-128-0x0000000005C80000-0x0000000005CA2000-memory.dmp

Filesize
136KB

Download
memory/4296-129-0x000000000BF20000-0x000000000C270000-memory.dmp

Filesize
3.3MB

Download
memory/4296-130-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/4296-131-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/4296-132-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download