Overview

overview

7

Static

static

7

Qemu启动...��.exe

windows7-x64

6

Qemu启动...��.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-06-2023 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Qemu启动测试器.exe

  • Size

    3.0MB

  • MD5

    017e84bf04407f1282cdd3e472f0e69c

  • SHA1

    208e776f2138c2f29394916bf8cc091745dfbccd

  • SHA256

    bd231c53660f048d52e57262995e2df144262050a7f0d250b0e15ed192a75691

  • SHA512

    c002ecb88992cf8e3246d1fe229cd8381f9e1aef22e6090c1fae5f5aaef778afed0c858115aaf671459b23a5eacbd7223064bf33af105e4ac67a6a16979ca7f4

  • SSDEEP

    49152:b8ep2+XDhj2hKdu1SRuX6VFm7N++3HqXz2gTf1iwyJPw5j32Zw59k:bJ2+Xd6ME625yD8xBC3249k

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Qemu启动测试器.exe
    "C:\Users\Admin\AppData\Local\Temp\Qemu启动测试器.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1736-134-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-135-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-133-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-136-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-179-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-180-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-181-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-182-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-183-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-184-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-185-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-186-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-187-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-188-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-189-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-190-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-191-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-192-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download
  • memory/1736-193-0x0000000000400000-0x0000000000768000-memory.dmp
    Filesize

    3.4MB

    Download