47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f

Analysis

max time kernel
199s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 03:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Size

3.7MB
MD5

93cea391d1a26a1d1fd19bb466dfe44c
SHA1

68b279d7e9904421ad338a45343be2e44eb37e1e
SHA256

47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f
SHA512

b58314b578195f9f85e88a1818f73c96ea1b4f7b8ccc909e7f03c7c6e9b78e52b083683e3a69d1bcdbe5e1e5ecf0af85a7c80beb83b7c1428516e6f818a5276a
SSDEEP

49152:+nPgNs1fxeqLBaa5e6cerHhvfKOmbJZD4hzChMQ9t0:4gWfxeZa5e9erHhvf6bJZDV6

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/980-8-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-7-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-9-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-10-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-12-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-14-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-16-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-20-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-18-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-22-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-24-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-26-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-29-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-31-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-33-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-35-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-37-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-39-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-42-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-45-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-47-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-49-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-51-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-53-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx
behavioral2/memory/980-54-0x0000000000F30000-0x0000000000F6E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 1	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeCreateTokenPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeAssignPrimaryTokenPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeLockMemoryPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeIncreaseQuotaPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeMachineAccountPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeTcbPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeSecurityPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeTakeOwnershipPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeLoadDriverPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeSystemProfilePrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeSystemtimePrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeProfSingleProcessPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeIncBasePriorityPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeCreatePagefilePrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeCreatePermanentPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeBackupPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeRestorePrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeShutdownPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeDebugPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeAuditPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeSystemEnvironmentPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeChangeNotifyPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeRemoteShutdownPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeUndockPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeSyncAgentPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeEnableDelegationPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeManageVolumePrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeImpersonatePrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: SeCreateGlobalPrivilege	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 31	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 32	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 33	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 34	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 35	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 36	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 37	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 38	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 39	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 40	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 41	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 42	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 43	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 44	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 45	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 46	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 47	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
Token: 48	980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
980	47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe

C:\Users\Admin\AppData\Local\Temp\47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe
"C:\Users\Admin\AppData\Local\Temp\47f210cce617abf028e8c0aa24dc0d91fde09a01252581989dcef45082fe1f8f.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/980-0-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/980-8-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-7-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-9-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-10-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-12-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-14-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-16-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-20-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-18-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-22-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-24-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-26-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-29-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-28-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/980-31-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-33-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-35-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-37-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-39-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-42-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-45-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-47-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-49-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-51-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-53-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/980-54-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads