0de72d0fcb0028f274812d6a096249f7ff54591aab4d4b8a2dbb2a68a225ed38

Analysis

max time kernel
143s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/10/2023, 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe
Size

8.8MB
MD5

f63fab155ae39a3e59a91a055f5e4418
SHA1

58fdaee032dfaafbad3128484eae75c751f5b4e6
SHA256

c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac
SHA512

d4ebbf67f63cf00b9c7571ac2d28109ffe4ca82c92a1f601261a440fdb3cb762f111fc433ffa6f6a0d9a148f1a9b26ace632562d1f853965335c60a5d446a2bd
SSDEEP

196608:wTGOaN/JahF9zGy5ToY9p5Jyqmfx1EgZt:4GOMA4y7pSv51

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2692	evb4B73.tmp

Loads dropped DLL 1 IoCs

pid	Process
2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	evb4B73.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 2692	2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	evb4B73.tmp

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2692	2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe	28
PID 2684 wrote to memory of 2692	2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe	28
PID 2684 wrote to memory of 2692	2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe	28
PID 2684 wrote to memory of 2692	2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe	28
PID 2684 wrote to memory of 2692	2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe	28
PID 2684 wrote to memory of 2692	2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe	28
PID 2684 wrote to memory of 2692	2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe	28
PID 2684 wrote to memory of 2692	2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe	28
PID 2684 wrote to memory of 2692	2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe	28
PID 2684 wrote to memory of 2692	2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe	28
PID 2684 wrote to memory of 2692	2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe	28
PID 2684 wrote to memory of 2692	2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe	28
PID 2684 wrote to memory of 2692	2684	c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe	28

C:\Users\Admin\AppData\Local\Temp\c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe
"C:\Users\Admin\AppData\Local\Temp\c4129b796638135f24c7c051eea530a599318d0b664341bf6bbab37c177375ac.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\evb4B73.tmp
  "C:\Users\Admin\AppData\Local\Temp\360safe\netmon\360NetRepair.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evb4B73.tmp

Filesize
1KB

MD5
709e0cde358b47c6e4baa7467f7717e2

SHA1
8744cad1d1a7319e73f5184f1e4ae82a779c57d4

SHA256
0754f651e47cb2cba0677b549eb879556fdabb859eace371cb34aa22fee98bf3

SHA512
07d4faed2a7b6d05143b6ba0460511a1b051efe687daa1f37b11016b2ffa00f260dc7bcd5d1bfd4bc802f65c4486e89af023a4aef7670ae117b2de7d658c8075

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb4B73.tmp

Filesize
1KB

MD5
709e0cde358b47c6e4baa7467f7717e2

SHA1
8744cad1d1a7319e73f5184f1e4ae82a779c57d4

SHA256
0754f651e47cb2cba0677b549eb879556fdabb859eace371cb34aa22fee98bf3

SHA512
07d4faed2a7b6d05143b6ba0460511a1b051efe687daa1f37b11016b2ffa00f260dc7bcd5d1bfd4bc802f65c4486e89af023a4aef7670ae117b2de7d658c8075

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb4BB2.tmp

Filesize
1KB

MD5
ebc3f68f547997314ddc6ecdb167e076

SHA1
8db47a776b0bd36a48211ce3cf61cd59641fbef9

SHA256
3fd63ad7d8226e23128e32dbb323672a73e1fbfc05a4ef45ef1c268e2990d305

SHA512
f41786fb4dbc4fae3a07deb4956aa5d85c90dacff71ed76e0e38c1b6712cd43175a7f2715d3cab75e1fb1c834d18fbfa365f158d71f072c522ac2ee132a0f54f

Download Submit
\Users\Admin\AppData\Local\Temp\evb4B73.tmp

Filesize
1KB

MD5
709e0cde358b47c6e4baa7467f7717e2

SHA1
8744cad1d1a7319e73f5184f1e4ae82a779c57d4

SHA256
0754f651e47cb2cba0677b549eb879556fdabb859eace371cb34aa22fee98bf3

SHA512
07d4faed2a7b6d05143b6ba0460511a1b051efe687daa1f37b11016b2ffa00f260dc7bcd5d1bfd4bc802f65c4486e89af023a4aef7670ae117b2de7d658c8075

Download Submit
memory/2684-2-0x00000000773D0000-0x00000000773D1000-memory.dmp

Filesize
4KB

Download
memory/2684-1-0x00000000773D0000-0x00000000773D1000-memory.dmp

Filesize
4KB

Download
memory/2684-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-4-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2684-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2684-56-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2684-14-0x0000000005950000-0x000000000599B000-memory.dmp

Filesize
300KB

Download
memory/2684-13-0x0000000005950000-0x000000000599B000-memory.dmp

Filesize
300KB

Download
memory/2692-59-0x00000000026A0000-0x00000000026FA000-memory.dmp

Filesize
360KB

Download
memory/2692-81-0x0000000002B70000-0x0000000002CDB000-memory.dmp

Filesize
1.4MB

Download
memory/2692-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-20-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2692-31-0x00000000773D0000-0x00000000773D1000-memory.dmp

Filesize
4KB

Download
memory/2692-32-0x00000000773D0000-0x00000000773D1000-memory.dmp

Filesize
4KB

Download
memory/2692-33-0x0000000002160000-0x000000000224F000-memory.dmp

Filesize
956KB

Download
memory/2692-38-0x0000000010000000-0x00000000100F1000-memory.dmp

Filesize
964KB

Download
memory/2692-45-0x0000000000790000-0x00000000007D6000-memory.dmp

Filesize
280KB

Download
memory/2692-49-0x0000000000790000-0x00000000007D6000-memory.dmp

Filesize
280KB

Download
memory/2692-54-0x00000000026A0000-0x00000000026FA000-memory.dmp

Filesize
360KB

Download
memory/2692-8-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2692-6-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2692-64-0x0000000002920000-0x0000000002A04000-memory.dmp

Filesize
912KB

Download
memory/2692-69-0x0000000002920000-0x0000000002A04000-memory.dmp

Filesize
912KB

Download
memory/2692-76-0x0000000002B70000-0x0000000002CDB000-memory.dmp

Filesize
1.4MB

Download
memory/2692-75-0x0000000002B70000-0x0000000002CDB000-memory.dmp

Filesize
1.4MB

Download
memory/2692-23-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2692-85-0x00000000030C0000-0x0000000003151000-memory.dmp

Filesize
580KB

Download
memory/2692-90-0x00000000027B0000-0x0000000002807000-memory.dmp

Filesize
348KB

Download
memory/2692-94-0x00000000027B0000-0x0000000002807000-memory.dmp

Filesize
348KB

Download
memory/2692-100-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2692-99-0x00000000030C0000-0x0000000003153000-memory.dmp

Filesize
588KB

Download
memory/2692-108-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2692-113-0x0000000002DE0000-0x0000000002E2B000-memory.dmp

Filesize
300KB

Download
memory/2692-124-0x0000000010000000-0x00000000100F1000-memory.dmp

Filesize
964KB

Download
memory/2692-126-0x0000000005510000-0x0000000005679000-memory.dmp

Filesize
1.4MB

Download
memory/2692-132-0x0000000000790000-0x00000000007D6000-memory.dmp

Filesize
280KB

Download
memory/2692-133-0x00000000026A0000-0x00000000026FA000-memory.dmp

Filesize
360KB

Download
memory/2692-134-0x0000000002920000-0x0000000002A04000-memory.dmp

Filesize
912KB

Download
memory/2692-135-0x0000000002B70000-0x0000000002CDB000-memory.dmp

Filesize
1.4MB

Download
memory/2692-136-0x00000000027B0000-0x0000000002807000-memory.dmp

Filesize
348KB

Download
memory/2692-137-0x00000000030C0000-0x0000000003153000-memory.dmp

Filesize
588KB

Download
memory/2692-148-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2692-149-0x0000000002DE0000-0x0000000002E2B000-memory.dmp

Filesize
300KB

Download
memory/2692-150-0x0000000005510000-0x0000000005679000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads