7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9

Analysis

max time kernel
135s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2023 11:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Size

326KB
MD5

5a5b3128a7f9fd3d8a1e38174c3fe6b6
SHA1

4102d5be0e849ffc01ea2025a7f4974d2f65462a
SHA256

7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9
SHA512

431d9a4f9038121c5f3894a086f6034d50ae1555431e2853b2552450fed52367cdfd6ae957bd61ccade3d03c39b11542da30cd353a4abfb15381bef15e8163a5
SSDEEP

6144:tMnZbt16uJsVjJmBijCaL0vg7sKJAe/KcHTnIUBE1ZB+whCOW6/emJdUeRclXeN2:tMnht16uJsVjJmBijCaL0vg7sKJAe/Kk

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeCreateTokenPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeAssignPrimaryTokenPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeLockMemoryPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeIncreaseQuotaPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeMachineAccountPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeTcbPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeSecurityPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeTakeOwnershipPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeLoadDriverPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeSystemProfilePrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeSystemtimePrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeProfSingleProcessPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeIncBasePriorityPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeCreatePagefilePrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeCreatePermanentPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeBackupPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeRestorePrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeShutdownPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeDebugPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeAuditPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeSystemEnvironmentPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeChangeNotifyPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeRemoteShutdownPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeUndockPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeSyncAgentPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeEnableDelegationPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeManageVolumePrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeImpersonatePrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: SeCreateGlobalPrivilege	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: 31	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: 32	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: 33	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: 34	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: 35	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
Token: 36	3924	7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe

C:\Users\Admin\AppData\Local\Temp\7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe
"C:\Users\Admin\AppData\Local\Temp\7f255e49f7029e32ec4c499ecffda9c64eb2f68f51256a9410c40d20f314aae9.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:3924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads