Overview

overview

7

Static

static

3

1(1).exe

windows7-x64

7

1(1).exe

windows10-2004-x64

6

Analysis

  • max time kernel
    121s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    13/10/2023, 23:04

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1(1).exe

  • Size

    1.9MB

  • MD5

    692846f7d9bef81b03863ed97bfbd080

  • SHA1

    409558a6a2c28f46fafde89651d341394c1d77f3

  • SHA256

    a8d0f011e8c45ce9b717be7b78a1208d53026d0fecfce9a7a92d0304fad928cd

  • SHA512

    6fa025002e0931e654fef0b6d4bbcf0e7ddadfbdbd91027785f416a371c343898511068f12e31eb5ee4c843ae8862ffdd943ec1c5b513f51cc021ce54d8a361e

  • SSDEEP

    24576:Wu/OfDlEUKWf9+mTP3zG0CqSqbeiYM/VTrzTkLNk8clfZ/zliX1WJLwzZmT6iowP:EfU49bjznCNiYQTp4lUwt+tOSHMh+AC

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1(1).exe
    "C:\Users\Admin\AppData\Local\Temp\1(1).exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1(1).exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • Runs ping.exe
        PID:1980

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3016-0-0x0000000000400000-0x0000000000488000-memory.dmp

          Filesize

          544KB

          Download

        • memory/3016-1-0x0000000010000000-0x0000000010129000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3016-5-0x0000000000400000-0x0000000000488000-memory.dmp

          Filesize

          544KB

          Download