4943d53a38ac123ed7c04ad44742a67ea06bb54ea02fa241d9c4ebadab4cb99a

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20/08/2023, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fe588f524664a352fd9c2f5efc2e66b.exe
Size

9.4MB
MD5

0fe588f524664a352fd9c2f5efc2e66b
SHA1

b92b15995dae030110e62f576075073e4a6436b3
SHA256

4943d53a38ac123ed7c04ad44742a67ea06bb54ea02fa241d9c4ebadab4cb99a
SHA512

75cdf6e1cdcbe3d2baa79b0e957ad837c7de0b00d954c2c15713aae624f24d94c981804ee6f79888276b11b891841a61272624daffa392db454f88b303836def
SSDEEP

98304:m78+6nAoMji8TlWPUJlCSIz6xRROC9zDv5uHeumm4hw63i:wKAoSD5xRN5uHevS

Score

8^/10

bootkit persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\YouMiIp2.sys	0fe588f524664a352fd9c2f5efc2e66b.exe
File created	C:\Windows\system32\drivers\ProcTraceVM.sys	0fe588f524664a352fd9c2f5efc2e66b.exe

Loads dropped DLL 2 IoCs

pid	Process
1180	0fe588f524664a352fd9c2f5efc2e66b.exe
1180	0fe588f524664a352fd9c2f5efc2e66b.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0fe588f524664a352fd9c2f5efc2e66b.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	0fe588f524664a352fd9c2f5efc2e66b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1180	0fe588f524664a352fd9c2f5efc2e66b.exe
1180	0fe588f524664a352fd9c2f5efc2e66b.exe
1180	0fe588f524664a352fd9c2f5efc2e66b.exe

C:\Users\Admin\AppData\Local\Temp\0fe588f524664a352fd9c2f5efc2e66b.exe
"C:\Users\Admin\AppData\Local\Temp\0fe588f524664a352fd9c2f5efc2e66b.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\YouMiIpNFsdk4.dll

Filesize
5.6MB

MD5
5a5b92b34ae2f82f90ea5ce1964df9bf

SHA1
32a0ff07dfd31931ec90b74dd7a4594d640645ed

SHA256
5d11d947fc1f9b5af5b6f5c8c10c9e68ee2001dfda8b0bf950163d145b664672

SHA512
38b199074e5d403a001a77614335205ff0809a921302bdba3358e089d52a77666f6657507321b5581efca827ded32f5af35bd0165f528a7d1e412f20ebc10f8d

Download Submit
\Users\Admin\AppData\Local\Temp\nfapi.dll

Filesize
185KB

MD5
37c11d2ef302de16c4b9de8827950e2d

SHA1
10c7038d5e8cfe72e78f1d2b8c88b9f83fd5ca12

SHA256
8d0edd3d4718567bea1cc47c5efd9e738ecffe9e75b62ada9a6f43a82e0dc1fd

SHA512
2c77573fc1553fa796247cc20603ee7aa8c35192b97927f07c89c477f501ab0af2a7766ace6a8c2cea8240d309a53b56ae6f4ec10d7d32cc494ad0c1145fbb57

Download Submit
memory/1180-65-0x0000000039560000-0x00000000395C2000-memory.dmp

Filesize
392KB

Download
memory/1180-68-0x0000000074240000-0x0000000074821000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads