6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe
Size

11.2MB
MD5

84e9fad559f90484f2598678f2e0208b
SHA1

e1e565fb75d6ec798ba8a216499ad4ef6beba616
SHA256

6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95
SHA512

34ce88136ae3de3b145b597cfe94d24ce31ff40c7a0291aab4b9d00f45f0767f915297bd839fc5e92329bb3aabd55a238ecd14fe8ba4de9a7b936e15588040f6
SSDEEP

196608:kRqt5CRk46zOnXWOEROxWUgyvK9pJkUQgJH58VWMOx:kRqt5CRkrOnXziuTvTi8UMW

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\System.22668814018165733	6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\System.22668814018165733\19766882042117985 = "1328813663"	6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4308	6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe
4308	6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe

C:\Users\Admin\AppData\Local\Temp\6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe
"C:\Users\Admin\AppData\Local\Temp\6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4308-0-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/4308-1-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-2-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/4308-3-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-4-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-5-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-6-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-7-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-8-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-9-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-10-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-11-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-12-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-13-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-14-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download
memory/4308-15-0x0000000000400000-0x0000000000F3F000-memory.dmp

Filesize
11.2MB

Download