f7f624d237f1d81858259c1783be9c7a605fe260b22092af064bc91035010fef

Analysis

max time kernel
63s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-05-2023 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Holzer.exe
Size

135KB
MD5

c971c68b4e58ccc82802b21ae8488bc7
SHA1

7305f3a0a0a0d489e0bcf664353289f61556de77
SHA256

cede0b15d88c20bc750b516858f8bf31ee472f6cbd01640840890736c4333cce
SHA512

ff199691c35f2748772410bf454e8b76dd67d892dd76fc87d20b3bbe6c145c6af1685344de636326692df792f55d0fba9a0025a7cf491d0b4e73ff45c3b039d7
SSDEEP

3072:2EYGNIaWY/0kTKxIJXtJ0YCHiQtSetFITTTTTHvvvvvNKB:HN5TKvr9PuKB

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Holzer.exe

Disables Task Manager via registry modification
evasion

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Holzer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	bootcfg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\Identifier	bootcfg.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	1832	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1832	AUDIODG.EXE
Token: 33	1832	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1832	AUDIODG.EXE
Token: SeSystemtimePrivilege	1728	Holzer.exe
Token: SeSystemtimePrivilege	1728	Holzer.exe
Token: SeSystemtimePrivilege	1728	Holzer.exe
Token: SeSecurityPrivilege	9664	auditpol.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 9564	1728	Holzer.exe	30
PID 1728 wrote to memory of 9564	1728	Holzer.exe	30
PID 1728 wrote to memory of 9564	1728	Holzer.exe	30
PID 1728 wrote to memory of 9564	1728	Holzer.exe	30
PID 1728 wrote to memory of 9572	1728	Holzer.exe	31
PID 1728 wrote to memory of 9572	1728	Holzer.exe	31
PID 1728 wrote to memory of 9572	1728	Holzer.exe	31
PID 1728 wrote to memory of 9572	1728	Holzer.exe	31
PID 1728 wrote to memory of 9596	1728	Holzer.exe	33
PID 1728 wrote to memory of 9596	1728	Holzer.exe	33
PID 1728 wrote to memory of 9596	1728	Holzer.exe	33
PID 1728 wrote to memory of 9596	1728	Holzer.exe	33
PID 1728 wrote to memory of 9632	1728	Holzer.exe	35
PID 1728 wrote to memory of 9632	1728	Holzer.exe	35
PID 1728 wrote to memory of 9632	1728	Holzer.exe	35
PID 1728 wrote to memory of 9632	1728	Holzer.exe	35
PID 1728 wrote to memory of 9640	1728	Holzer.exe	36
PID 1728 wrote to memory of 9640	1728	Holzer.exe	36
PID 1728 wrote to memory of 9640	1728	Holzer.exe	36
PID 1728 wrote to memory of 9640	1728	Holzer.exe	36
PID 1728 wrote to memory of 9664	1728	Holzer.exe	38
PID 1728 wrote to memory of 9664	1728	Holzer.exe	38
PID 1728 wrote to memory of 9664	1728	Holzer.exe	38
PID 1728 wrote to memory of 9664	1728	Holzer.exe	38
PID 1728 wrote to memory of 9716	1728	Holzer.exe	43
PID 1728 wrote to memory of 9716	1728	Holzer.exe	43
PID 1728 wrote to memory of 9716	1728	Holzer.exe	43
PID 1728 wrote to memory of 9716	1728	Holzer.exe	43
PID 1728 wrote to memory of 9748	1728	Holzer.exe	45
PID 1728 wrote to memory of 9748	1728	Holzer.exe	45
PID 1728 wrote to memory of 9748	1728	Holzer.exe	45
PID 1728 wrote to memory of 9748	1728	Holzer.exe	45

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
9640	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Holzer.exe
"C:\Users\Admin\AppData\Local\Temp\Holzer.exe"
1⤵
- Disables RegEdit via registry modification
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\AdapterTroubleshooter.exe
  "C:\Windows\System32\AdapterTroubleshooter.exe"
  2⤵
  PID:9564
- C:\Windows\SysWOW64\ARP.EXE
  "C:\Windows\System32\ARP.EXE"
  2⤵
  PID:9572
- C:\Windows\SysWOW64\at.exe
  "C:\Windows\System32\at.exe"
  2⤵
  PID:9596
- C:\Windows\SysWOW64\AtBroker.exe
  "C:\Windows\System32\AtBroker.exe"
  2⤵
  PID:9632
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe"
  2⤵
  - Views/modifies file attributes
  PID:9640
- C:\Windows\SysWOW64\auditpol.exe
  "C:\Windows\System32\auditpol.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:9664
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\System32\autochk.exe"
  2⤵
  PID:9692
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\System32\autoconv.exe"
  2⤵
  PID:9700
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\System32\autofmt.exe"
  2⤵
  PID:9708
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe"
  2⤵
  PID:9716
- C:\Windows\SysWOW64\bootcfg.exe
  "C:\Windows\System32\bootcfg.exe"
  2⤵
  - Checks processor information in registry
  PID:9748
- C:\Windows\SysWOW64\bthudtask.exe
  "C:\Windows\System32\bthudtask.exe"
  2⤵
  PID:9772
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe"
  2⤵
  PID:9796

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads