Overview

overview

8

Static

static

3

9882f4e0b1...22.exe

windows7-x64

9882f4e0b1...22.exe

windows10-2004-x64

Analysis

  • max time kernel
    5s
  • max time network
    7s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    07/10/2023, 06:54

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe

  • Size

    744KB

  • MD5

    bcbd139349f71c511ce0760279b1a094

  • SHA1

    cb0ce2640bd02cadbaf8970e496fabb133eb325c

  • SHA256

    9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722

  • SHA512

    9b4c9a31387cbd802cd4de6e1e23e8f937f66284ed5dcc515999ac2e1d28b51692a63d26cc2628964b6414a2187afb7a67fd7380c028777e3b3b142b10923832

  • SSDEEP

    12288:xYJx0jKaBhqIflDmOSXDl1IfZXxqzWBL:xYJxqK0hdFjSTbIf1xqzW

Score
8/10
bootkitevasionpersistence

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Kills process with taskkill 7 IoCs
    evasion
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe
    "C:\Users\Admin\AppData\Local\Temp\9882f4e0b1f0e5077870b39437a7d4260d6ffeefe6229291972cf5127a1e3722.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im kavsvc.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Rav.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1816
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Ravmon.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1944
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im KVXP.kxp
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3044
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Mcshield.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2188
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im VsTskMgr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2276
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im 360tray.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2120
    • C:\Windows\SysWOW64\shutdown.exe
      shutdown -s -f
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2164
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2664
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1808

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Users\Admin\AppData\Local\Temp\Anti.dll
        Filesize

        8KB

        MD5

        c3b7e89f0988eaaf4ff13a9efa34b4ac

        SHA1

        d72a764135883636329b60d704b0355843a7dd48

        SHA256

        ed4ffb194370b886c22f97bf53250475632933526c62ef35f1b5cd8b538901f3

        SHA512

        dc4b0e7981bc1d3f2107b46ffbeaf60297f54601234fdd1662de55e2043d791c7ab1b3b2748177d52ebfe799ff9317b1ebc3b017fab4dd6b3b912c696148a185

        Download Submit

      • memory/1808-6-0x00000000028A0000-0x00000000028A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2664-5-0x00000000029C0000-0x00000000029C1000-memory.dmp

        Filesize

        4KB

        Download