bacef0c983a1bc1bf5a48cf61ed4397c5b070f824e74e6f9f1aa24cb7f28097b

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2023 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bacef0c983a1bc1bf5a48cf61ed4397c5b070f824e74e6f9f1aa24cb7f28097b.exe
Size

1.4MB
MD5

2a14734eaa048b443d11d2c73ccbc107
SHA1

409d00ad93c2b7037d56bb722ea8c009366be36d
SHA256

bacef0c983a1bc1bf5a48cf61ed4397c5b070f824e74e6f9f1aa24cb7f28097b
SHA512

28d9e9e32845c5402898fa1d6b7c978e9c36f1edb1db093b3eda2d7eceb645f6e74df238c76a178f402b96f9bd1f22fc869c26ca90cdc7258e4fd9598688d6ef
SSDEEP

24576:BuW/ZvmZbl0S8Dg9lm/GosiYce7Kw3miTz6kDpBqSwV50dCWLAPJVk6Rx1:BuW/ZOycvmuPiJSKwWiTz3D+X0kW0PJ5

Score

7^/10

bootkit persistence vmprotect

Malware Config

Signatures

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4068-0-0x0000000000400000-0x00000000012F4000-memory.dmp	vmprotect
behavioral2/memory/4068-1-0x0000000000400000-0x00000000012F4000-memory.dmp	vmprotect
behavioral2/memory/4068-15-0x0000000000400000-0x00000000012F4000-memory.dmp	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	bacef0c983a1bc1bf5a48cf61ed4397c5b070f824e74e6f9f1aa24cb7f28097b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4068	bacef0c983a1bc1bf5a48cf61ed4397c5b070f824e74e6f9f1aa24cb7f28097b.exe
4068	bacef0c983a1bc1bf5a48cf61ed4397c5b070f824e74e6f9f1aa24cb7f28097b.exe
4068	bacef0c983a1bc1bf5a48cf61ed4397c5b070f824e74e6f9f1aa24cb7f28097b.exe

C:\Users\Admin\AppData\Local\Temp\bacef0c983a1bc1bf5a48cf61ed4397c5b070f824e74e6f9f1aa24cb7f28097b.exe
"C:\Users\Admin\AppData\Local\Temp\bacef0c983a1bc1bf5a48cf61ed4397c5b070f824e74e6f9f1aa24cb7f28097b.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4068-0-0x0000000000400000-0x00000000012F4000-memory.dmp

Filesize
15.0MB

Download
memory/4068-1-0x0000000000400000-0x00000000012F4000-memory.dmp

Filesize
15.0MB

Download
memory/4068-15-0x0000000000400000-0x00000000012F4000-memory.dmp

Filesize
15.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads