b105701d8452833153625e1c159c9a3787b9d5c99e5cfb24f19522d0ece66820

Analysis

max time kernel
141s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-06-2023 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06458999.exe
Size

47KB
MD5

cdfdb046ce89e2b4667ec83a4b569f05
SHA1

54f192c3dafe359707c01926aa0e5ef6228fa2b5
SHA256

b105701d8452833153625e1c159c9a3787b9d5c99e5cfb24f19522d0ece66820
SHA512

7b3003b9b174adde0f75c53c0c83c9448093de6cf5972f54ded7481292b95021ccb7eb3c5ac66a3fb2f4b6ae96126b132fdf6586b09ea57ca86edf23f1471bf5
SSDEEP

768:Yo9PDgQVGQfJXy7FcK2GLu8mOLq6FrQVSCdDe4bA75kCjPnPaciCs5V3madH:YtGGz7vZKutFSScDY72CjPPac1o7d

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1388-54-0x00000000013C0000-0x00000000013E2000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	06458999.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	06458999.exe

C:\Users\Admin\AppData\Local\Temp\06458999.exe
"C:\Users\Admin\AppData\Local\Temp\06458999.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-54-0x00000000013C0000-0x00000000013E2000-memory.dmp

Filesize
136KB

Download