General

  • Target

    ntokrnl.exe

  • Size

    7.8MB

  • Sample

    230702-x3ndyadc84

  • MD5

    42f0acea7cd4c2a935f4ac3c0992b337

  • SHA1

    2b481218208f8d8f25d8ed6ccffcedff76e6489b

  • SHA256

    1ba6c7403902ed98b7f9b0729720633a0993c7d3a80774a7f9e6b7ad43c6d470

  • SHA512

    c9d54b9676f6ba2ba6def8e89e633322bbc8807c59717014dcf9f84ec526be901e188681066685b4875f7cf22d5f21a03c7edd012186163f6f4b77947ea75430

  • SSDEEP

    196608:ZrMldQmRJ8dA6loVCy1ArqkVpKCX+PrF4ZIeghQsTF2MJh:FcdQusloVrAZYCuPJOIeg5QW

Malware Config

Targets

    • Target

      ntokrnl.exe

    • Size

      7.8MB

    • MD5

      42f0acea7cd4c2a935f4ac3c0992b337

    • SHA1

      2b481218208f8d8f25d8ed6ccffcedff76e6489b

    • SHA256

      1ba6c7403902ed98b7f9b0729720633a0993c7d3a80774a7f9e6b7ad43c6d470

    • SHA512

      c9d54b9676f6ba2ba6def8e89e633322bbc8807c59717014dcf9f84ec526be901e188681066685b4875f7cf22d5f21a03c7edd012186163f6f4b77947ea75430

    • SSDEEP

      196608:ZrMldQmRJ8dA6loVCy1ArqkVpKCX+PrF4ZIeghQsTF2MJh:FcdQusloVrAZYCuPJOIeg5QW

    Score
    8/10

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks