6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 01:49 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe
Size

11.2MB
MD5

84e9fad559f90484f2598678f2e0208b
SHA1

e1e565fb75d6ec798ba8a216499ad4ef6beba616
SHA256

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95
SHA512

34ce88136ae3de3b145b597cfe94d24ce31ff40c7a0291aab4b9d00f45f0767f915297bd839fc5e92329bb3aabd55a238ecd14fe8ba4de9a7b936e15588040f6
SSDEEP

196608:kRqt5CRk46zOnXWOEROxWUgyvK9pJkUQgJH58VWMOx:kRqt5CRkrOnXziuTvTi8UMW

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\System.22668814018165733	6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\System.22668814018165733\19766882042117985 = "1328813663"	6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4308	6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe
4308	6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

C:\Users\Admin\AppData\Local\Temp\6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe
"C:\Users\Admin\AppData\Local\Temp\6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4308

Network

DNS

64.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.159.190.20.in-addr.arpa

IN PTR

Response
DNS

108.211.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

108.211.229.192.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

www.3332pk.com

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

Remote address:

8.8.8.8:53

Request

www.3332pk.com

IN A

Response

www.3332pk.com

IN CNAME

www.3332pk.com.cdn.dnsv1.com

www.3332pk.com.cdn.dnsv1.com

IN CNAME

cdn.dispatch.spcdntip.com

cdn.dispatch.spcdntip.com

IN A

59.83.204.12

cdn.dispatch.spcdntip.com

IN A

122.189.171.115

cdn.dispatch.spcdntip.com

IN A

119.188.150.48
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

54.120.234.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.120.234.20.in-addr.arpa

IN PTR

Response
DNS

119.126.53.103.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.126.53.103.in-addr.arpa

IN PTR

Response
DNS

129.47.75.47.in-addr.arpa

Remote address:

8.8.8.8:53

Request

129.47.75.47.in-addr.arpa

IN PTR

Response
DNS

14.6.24.117.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.6.24.117.in-addr.arpa

IN PTR

Response
DNS

29.81.57.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.81.57.23.in-addr.arpa

IN PTR

Response

29.81.57.23.in-addr.arpa

IN PTR

a23-57-81-29deploystaticakamaitechnologiescom
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

254.177.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.177.238.8.in-addr.arpa

IN PTR

Response
DNS

12.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

12.173.189.20.in-addr.arpa

IN PTR

Response

117.24.6.14:31726

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

800 B
2.5kB
7
6
211.99.103.81:31726

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

260 B
5
211.99.103.162:31726

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

260 B
5
103.53.126.119:31726

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

518 B
2.5kB
6
6
103.219.176.63:31726

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

260 B
5
112.35.81.118:31726

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

260 B
5
123.129.224.118:31726

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

260 B
5
117.24.15.88:31726

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

260 B
200 B
5
5
47.75.47.129:31726

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

518 B
2.5kB
6
5
59.83.204.12:80

www.3332pk.com

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

260 B
5
47.100.89.114:19079

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

260 B
160 B
5
4
45.248.10.72:19079

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

260 B
200 B
5
5

8.8.8.8:53

64.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

64.159.190.20.in-addr.arpa
8.8.8.8:53

108.211.229.192.in-addr.arpa

dns

74 B
145 B
1
1

DNS Request

108.211.229.192.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

www.3332pk.com

dns

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

60 B
183 B
1
1

DNS Request

www.3332pk.com

DNS Response

59.83.204.12

122.189.171.115

119.188.150.48
8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

54.120.234.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

54.120.234.20.in-addr.arpa
8.8.8.8:53

119.126.53.103.in-addr.arpa

dns

73 B
161 B
1
1

DNS Request

119.126.53.103.in-addr.arpa
8.8.8.8:53

129.47.75.47.in-addr.arpa

dns

71 B
142 B
1
1

DNS Request

129.47.75.47.in-addr.arpa
8.8.8.8:53

14.6.24.117.in-addr.arpa

dns

70 B
123 B
1
1

DNS Request

14.6.24.117.in-addr.arpa
8.8.8.8:53

29.81.57.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

29.81.57.23.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

254.177.238.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.177.238.8.in-addr.arpa
8.8.8.8:53

12.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

12.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4308-0-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/4308-1-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-2-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/4308-3-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-4-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-5-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-6-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-7-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-8-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-9-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-10-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-11-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-12-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-13-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-14-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-15-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.