d246bf0882855ad55ccec52f927637e79456b81de99d3a3aa162944592c65c6a

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2023 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d246bf0882855ad55ccec52f927637e79456b81de99d3a3aa162944592c65c6a.exe
Size

4.8MB
MD5

14de2ba1cf32f47e8b687aa0618510f5
SHA1

d7c1103fb6f5946107ebb641aa7c366e70df6028
SHA256

d246bf0882855ad55ccec52f927637e79456b81de99d3a3aa162944592c65c6a
SHA512

be9ba691f87e370908413f0256e98e38249f03abfb1f58c30e49d6bde0958e305a7fdc8d6262967d241200b5e6016888e6511aef7784eebdcb702d4750dacd7a
SSDEEP

98304:TB+7xb6X81owOcMH09z03tJuT5p/fSNnAo4leOm899Tp+QQwm3VVF:l0OXBcM4I3KXSJA1eOm8lQwqV

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1712	check.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	check.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 3424	4084	d246bf0882855ad55ccec52f927637e79456b81de99d3a3aa162944592c65c6a.exe	85
PID 4084 wrote to memory of 3424	4084	d246bf0882855ad55ccec52f927637e79456b81de99d3a3aa162944592c65c6a.exe	85
PID 4084 wrote to memory of 3424	4084	d246bf0882855ad55ccec52f927637e79456b81de99d3a3aa162944592c65c6a.exe	85
PID 3424 wrote to memory of 1712	3424	cmd.exe	87
PID 3424 wrote to memory of 1712	3424	cmd.exe	87
PID 3424 wrote to memory of 1712	3424	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\d246bf0882855ad55ccec52f927637e79456b81de99d3a3aa162944592c65c6a.exe
"C:\Users\Admin\AppData\Local\Temp\d246bf0882855ad55ccec52f927637e79456b81de99d3a3aa162944592c65c6a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c c:\check.exe -l >c:\hardinfo.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3424
- - \??\c:\check.exe
    c:\check.exe -l
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\check.exe

Filesize
125KB

MD5
0aab19e84783fd33bc306bc2059d5b9a

SHA1
1212751e792baeac5930ad6a977b0182af8979aa

SHA256
fe58b427ce661e976fbfde72d7d7baa9be802c803d335b530288f98b0e922f25

SHA512
810ef76affa64e548a695490c819730c5389c2562e3ce2b93d3ae81e08e145788b8d85340985121f3f41089508b9fc96b0a45b0baa1faad0a2bd1205acb40b3e

Download Submit
\??\c:\check.exe

Filesize
125KB

MD5
0aab19e84783fd33bc306bc2059d5b9a

SHA1
1212751e792baeac5930ad6a977b0182af8979aa

SHA256
fe58b427ce661e976fbfde72d7d7baa9be802c803d335b530288f98b0e922f25

SHA512
810ef76affa64e548a695490c819730c5389c2562e3ce2b93d3ae81e08e145788b8d85340985121f3f41089508b9fc96b0a45b0baa1faad0a2bd1205acb40b3e

Download Submit
\??\c:\hardinfo.txt

Filesize
25B

MD5
4c15658305af66783fdf88d9a7708d66

SHA1
8b8b1beb8b53e7ffa5795216d84491db91008f2c

SHA256
35d1a23e82cf560fddd810e360767226ae98ce51207bcb030f530de4a36ddbde

SHA512
90c78da8765c8a31c7c4d0ea0fec16e4f4b66156013973b1fb55e35c6c6d681fddb7e3597633d913a7f58b104a79dfd5cb651ecb281a5e853185c47c1a15d9ea

Download Submit
memory/1712-138-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download