ff558d9097b90571826b651d869b339b836dd6b16f5dc19a08211ba153f16a64

Analysis

max time kernel
135s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/12/2023, 05:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ff558d9097b90571826b651d869b339b836dd6b16f5dc19a08211ba153f16a64.exe
Size

4.5MB
MD5

1f0b020aab90bdd0d9768dd3019e6b1f
SHA1

34b9bbf99eafe8f7f5aa8a05d029753ad247c705
SHA256

ff558d9097b90571826b651d869b339b836dd6b16f5dc19a08211ba153f16a64
SHA512

8b89ae213ec1269d901ab3bbf00faa571a61e5588876d7b324e096e7e0fcb758ca5fddf1d999227fdc38e9409ebc943c697a9d3703012e5baac2390e2d3d237e
SSDEEP

49152:l3JLsetnb3eyHKl+nymW5I8XNOp09B/pwkFOMB0QKEYE/:l3JLsAIiFwrPGE50Q

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4992	ff558d9097b90571826b651d869b339b836dd6b16f5dc19a08211ba153f16a64.exe
4992	ff558d9097b90571826b651d869b339b836dd6b16f5dc19a08211ba153f16a64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ff558d9097b90571826b651d869b339b836dd6b16f5dc19a08211ba153f16a64.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3280	4992	WerFault.exe	88

C:\Users\Admin\AppData\Local\Temp\ff558d9097b90571826b651d869b339b836dd6b16f5dc19a08211ba153f16a64.exe
"C:\Users\Admin\AppData\Local\Temp\ff558d9097b90571826b651d869b339b836dd6b16f5dc19a08211ba153f16a64.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:4992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 988
  2⤵
  - Program crash
  PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4992 -ip 4992
1⤵
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{63BD5751-3B3F-4bae-ADFD-337D4D8A9FFA}.tmp\NetBridge.dll

Filesize
238KB

MD5
3c504e979710fa6c7dc91294810d2df7

SHA1
7cdfac96dedc03d04059340de1aa83ba3c3b8269

SHA256
28a2a307a0ad967049e1cb0ae88d5265c02066aee4769348f4632dd256124992

SHA512
3b2551bd15b1673a43d9851a08d0bdd0cbb325d7acc1bfe91d27137ed6e03b735bcc24b25be44ab86993976cf779a273755ffe924cbc7e8534e5e38d32841d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C96CE035-B778-4808-AEC5-612AE357332D}.tmp\7z.dll

Filesize
1.1MB

MD5
f393e77eab2114bf3ce0e9c7534fffff

SHA1
23bb335b02e34ebb9426ee1c1a3e827588fe4cf2

SHA256
bd92316c24a7a2026ab8800de87572c24d3ff0764b6974f59ff39092923b6284

SHA512
b755ab31adff98ca621c016a2ad5f77f3e33cabe782fae88377005d7bdc0be2bd703be739d9aa0c8b2831cc7f012688b17d9e59c1cd0a3bf5e164fdb99b50bbb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads