d66e2dc064a613069e80a5b8684577f0174e017141425d3622811c6a97c87e64

Analysis

max time kernel
0s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10/06/2023, 08:48

Sharing

Copy URL

Twitter E-mail

Reason

Reading agent response: read tcp 10.127.0.1:53250->10.127.0.84:8000: read: connection reset by peer

Report Analysis Logs

General

Target

05277899.exe
Size

47KB
MD5

c3a434b97481aaeda073a7e47193485e
SHA1

aa9cc9a16e0afd0fbfe03f56a10cca7b718bac28
SHA256

d66e2dc064a613069e80a5b8684577f0174e017141425d3622811c6a97c87e64
SHA512

eb22f24a64527c7412dc4c492cb271b2152d90f0b84606f446c8a4995423708441ba61cc3c87eabda296d598ad128b8e0a6816491e3c297904272cfd412a7dca
SSDEEP

768:9yLqzcQ8zwtHEBbGoaPbs9IKRQ5qo2GLQdJhV4ztOyjg5YCtKO:cLqzcQ5kJxWpKRfzdJaIyjg57K

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	05277899.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1696	05277899.exe

C:\Users\Admin\AppData\Local\Temp\05277899.exe
"C:\Users\Admin\AppData\Local\Temp\05277899.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1696-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download