Analysis
max time kernel
146s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags
arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted
14/10/2023, 01:34
Static task
static1
Behavioral task
behavioral1
Sample
70f9212ff80edafefdf4b28fd63b47c2467530e0cd40d6e4032ce68efdcddb07.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
70f9212ff80edafefdf4b28fd63b47c2467530e0cd40d6e4032ce68efdcddb07.exe
Resource
win10v2004-20230915-en
General
Target
70f9212ff80edafefdf4b28fd63b47c2467530e0cd40d6e4032ce68efdcddb07.exe
Size
6.3MB
MD5
58189891bfa7f0f702b3bdf053451c42
SHA1
ec11d59787d4351e2bbb76f19ba827953577e6b5
SHA256
70f9212ff80edafefdf4b28fd63b47c2467530e0cd40d6e4032ce68efdcddb07
SHA512
7e6e773d7257ee8be9143294953906a61938957f52e23fc3834e69b47fc32adc5a62e1dcf3d23be0e6ef0cdf09b5e6faae874cb084ed1174ab8fc3795362e28b
SSDEEP
98304:BZnuKlh5KxnHTVccghy6rc+p6g7/clWSV7SxyqxrW:BpPlynHTecL6Aq/eaW
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\F: 70f9212ff80edafefdf4b28fd63b47c2467530e0cd40d6e4032ce68efdcddb07.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process
File opened for modification \??\PhysicalDrive0 70f9212ff80edafefdf4b28fd63b47c2467530e0cd40d6e4032ce68efdcddb07.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid Process
3972 70f9212ff80edafefdf4b28fd63b47c2467530e0cd40d6e4032ce68efdcddb07.exe
3972 70f9212ff80edafefdf4b28fd63b47c2467530e0cd40d6e4032ce68efdcddb07.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description pid Process
Token: SeIncreaseQuotaPrivilege 1052 wmic.exe
Token: SeSecurityPrivilege 1052 wmic.exe
Token: SeTakeOwnershipPrivilege 1052 wmic.exe
Token: SeLoadDriverPrivilege 1052 wmic.exe
Token: SeSystemProfilePrivilege 1052 wmic.exe
Token: SeSystemtimePrivilege 1052 wmic.exe
Token: SeProfSingleProcessPrivilege 1052 wmic.exe
Token: SeIncBasePriorityPrivilege 1052 wmic.exe
Token: SeCreatePagefilePrivilege 1052 wmic.exe
Token: SeBackupPrivilege 1052 wmic.exe
Token: SeRestorePrivilege 1052 wmic.exe
Token: SeShutdownPrivilege 1052 wmic.exe
Token: SeDebugPrivilege 1052 wmic.exe
Token: SeSystemEnvironmentPrivilege 1052 wmic.exe
Token: SeRemoteShutdownPrivilege 1052 wmic.exe
Token: SeUndockPrivilege 1052 wmic.exe
Token: SeManageVolumePrivilege 1052 wmic.exe
Token: 33 1052 wmic.exe
Token: 34 1052 wmic.exe
Token: 35 1052 wmic.exe
Token: 36 1052 wmic.exe
Token: SeIncreaseQuotaPrivilege 1052 wmic.exe
Token: SeSecurityPrivilege 1052 wmic.exe
Token: SeTakeOwnershipPrivilege 1052 wmic.exe
Token: SeLoadDriverPrivilege 1052 wmic.exe
Token: SeSystemProfilePrivilege 1052 wmic.exe
Token: SeSystemtimePrivilege 1052 wmic.exe
Token: SeProfSingleProcessPrivilege 1052 wmic.exe
Token: SeIncBasePriorityPrivilege 1052 wmic.exe
Token: SeCreatePagefilePrivilege 1052 wmic.exe
Token: SeBackupPrivilege 1052 wmic.exe
Token: SeRestorePrivilege 1052 wmic.exe
Token: SeShutdownPrivilege 1052 wmic.exe
Token: SeDebugPrivilege 1052 wmic.exe
Token: SeSystemEnvironmentPrivilege 1052 wmic.exe
Token: SeRemoteShutdownPrivilege 1052 wmic.exe
Token: SeUndockPrivilege 1052 wmic.exe
Token: SeManageVolumePrivilege 1052 wmic.exe
Token: 33 1052 wmic.exe
Token: 34 1052 wmic.exe
Token: 35 1052 wmic.exe
Token: 36 1052 wmic.exe
Token: SeIncreaseQuotaPrivilege 380 wmic.exe
Token: SeSecurityPrivilege 380 wmic.exe
Token: SeTakeOwnershipPrivilege 380 wmic.exe
Token: SeLoadDriverPrivilege 380 wmic.exe
Token: SeSystemProfilePrivilege 380 wmic.exe
Token: SeSystemtimePrivilege 380 wmic.exe
Token: SeProfSingleProcessPrivilege 380 wmic.exe
Token: SeIncBasePriorityPrivilege 380 wmic.exe
Token: SeCreatePagefilePrivilege 380 wmic.exe
Token: SeBackupPrivilege 380 wmic.exe
Token: SeRestorePrivilege 380 wmic.exe
Token: SeShutdownPrivilege 380 wmic.exe
Token: SeDebugPrivilege 380 wmic.exe
Token: SeSystemEnvironmentPrivilege 380 wmic.exe
Token: SeRemoteShutdownPrivilege 380 wmic.exe
Token: SeUndockPrivilege 380 wmic.exe
Token: SeManageVolumePrivilege 380 wmic.exe
Token: 33 380 wmic.exe
Token: 34 380 wmic.exe
Token: 35 380 wmic.exe
Token: 36 380 wmic.exe
Token: SeIncreaseQuotaPrivilege 380 wmic.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description pid Process procid_target
PID 3972 wrote to memory of 1052 3972 70f9212ff80edafefdf4b28fd63b47c2467530e0cd40d6e4032ce68efdcddb07.exe 87
PID 3972 wrote to memory of 1052 3972 70f9212ff80edafefdf4b28fd63b47c2467530e0cd40d6e4032ce68efdcddb07.exe 87
PID 3972 wrote to memory of 380 3972 70f9212ff80edafefdf4b28fd63b47c2467530e0cd40d6e4032ce68efdcddb07.exe 92
PID 3972 wrote to memory of 380 3972 70f9212ff80edafefdf4b28fd63b47c2467530e0cd40d6e4032ce68efdcddb07.exe 92
Processes
C:\Users\Admin\AppData\Local\Temp\70f9212ff80edafefdf4b28fd63b47c2467530e0cd40d6e4032ce68efdcddb07.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70f9212ff80edafefdf4b28fd63b47c2467530e0cd40d6e4032ce68efdcddb07.exe"
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3972
  C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic path Win32_ComputerSystem get HypervisorPresent
    - Suspicious use of AdjustPrivilegeToken
    PID: 1052
  C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic BaseBoard get Manufacturer
    - Suspicious use of AdjustPrivilegeToken
    PID: 380