Overview

overview

7

Static

static

7

3edb328be5...41.exe

windows7-x64

3edb328be5...41.exe

windows10-2004-x64

Analysis

  • max time kernel
    14s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    06-06-2023 19:12

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe

  • Size

    2.4MB

  • MD5

    3bb2b1c4254e25f4e1ef4aed9308b870

  • SHA1

    493504127b9cf900b48a3291109a267033521b2a

  • SHA256

    3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341

  • SHA512

    73a4f5d7208860fc031bb674135c54b6f811d9e8b5dc608bbbcaddb448f037f49a47fb14ad7acd649b715bc7aadedcf4ba9765580d756f29a417b854678091ee

  • SSDEEP

    49152:wTM4SOLo3LIX4SlVR9mPU+dOoNSkabUOjaehq4CbVc3nLvu78Rb/4Vg:wTM4SOLc24E8M+G/h+ecH5cXjuYRb/4

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe
    "C:\Users\Admin\AppData\Local\Temp\3edb328be542257dafc2ff1d4c726b602abf9ae87af8e82712c74df90202f341.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Enumerates system info in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c wmic path Win32_ComputerSystemProduct get uuid /value
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic path Win32_ComputerSystemProduct get uuid /value
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:988
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1896
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1420
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:1376

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Bootkit

        1
        T1067

        Privilege Escalation

        Defense Evasion

        Install Root Certificate

        1
        T1130

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1896-64-0x00000000027C0000-0x00000000027C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2008-54-0x0000000000400000-0x0000000000744000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/2008-55-0x0000000000400000-0x0000000000744000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/2008-56-0x0000000000400000-0x0000000000744000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/2008-57-0x0000000000400000-0x0000000000744000-memory.dmp
          Filesize

          3.3MB

          Download