Analysis

max time kernel: 121s
max time network: 130s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22/12/2023, 01:28
Behavioral task: behavioral1
Sample: 4656610aadf30bdfd1062de4c22d009b.exe
Resource: win7-20231215-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 4656610aadf30bdfd1062de4c22d009b.exe
Resource: win10v2004-20231215-en
7 signatures, 150 seconds
General

Target: 4656610aadf30bdfd1062de4c22d009b.exe
Size: 12.3MB
MD5: 4656610aadf30bdfd1062de4c22d009b
SHA1: 3737f7ca431edd0134ae45f24b1c49a7f63f5010
SHA256: 9223b760df388cabe90b488a3773a2f4eadea096f53cfee685e0823296fc3ea4
SHA512: a3e3c794573fa0536a6261436c3f3738d9c75f0267e23e76a9e2aed798da5d2b67408b192a2676fba9b81e45e4876e6d2ca725799d81c19e6e1276efc1aa5d24
SSDEEP: 393216:ukExhoUZACJbA5x4jeRnaJo5tV8N45Rkb:ukEfoUZlbA5x4qpaKI4bkb
Score: 7/10
Malware Config
Signatures
VMProtect packed file (yara rule: vmprotect) 3 IoCs
resource | yara_rule
behavioral1/memory/2776-3-0x0000000000400000-0x0000000001B59000-memory.dmp | vmprotect
behavioral1/memory/2776-8-0x0000000000400000-0x0000000001B59000-memory.dmp | vmprotect
behavioral1/memory/2776-48-0x0000000000400000-0x0000000001B59000-memory.dmp | vmprotect
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 4656610aadf30bdfd1062de4c22d009b.exe
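A check an analyst would want next to this signature, added here and not part of the Triage report or of the sample: the signature fires because the raw disk device was opened for modification, which by itself does not prove the first sector was overwritten. Reading the first 512 bytes back and comparing the boot-code region against a known-good hash settles the question. The script below parses a classic MBR, validates the 0x55AA signature and partition table, and diffs the boot code against a baseline. The MBR bytes, partition layout and baseline hash are constructed for the example; `read_physical_mbr` is only for use on a live Windows host (administrator rights required) and is not called at import time.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Classic (non-GPT) MBR layout: boot code, four 16-byte partition entries,
# then the 0x55AA boot signature. Windows keeps a 4-byte disk signature plus
# 2 reserved bytes at offsets 440-445, so only bytes 0-439 are hashed as
# "boot code" to avoid false alarms when the disk signature changes.
MBR_SIZE = 512
BOOTCODE_LEN = 440
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Return the non-empty partition entries of a 512-byte MBR."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:            # type 0x00 marks an unused slot
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def bootcode_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> List[str]:
    """Compare a captured MBR against a known-good boot-code hash and
    sanity-check its structure. Returns a list of findings; empty is clean."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if bootcode_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    parts = parse_partitions(mbr)
    bootable = sum(1 for p in parts if p.bootable)
    if bootable != 1:
        findings.append(f"{bootable} bootable partitions (expected 1)")
    for a in parts:               # overlapping entries are a classic sign of a hand-edited table
        for b in parts:
            if a.index < b.index and a.lba_start < b.lba_start + b.sectors \
                    and b.lba_start < a.lba_start + a.sectors:
                findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def read_physical_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR on Windows (needs administrator rights). The NT path
    \\??\\PhysicalDrive0 in the sandbox report is the same device."""
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)


# --- constructed sample data (not taken from the sample or the report) ---
def build_mbr(bootcode: bytes, partitions: List[Tuple[int, int, int, int]]) -> bytes:
    body = bootcode.ljust(BOOTCODE_LEN, b"\x00")
    body += b"\x12\x34\x56\x78\x00\x00"          # disk signature + reserved bytes
    table = b"".join(struct.pack(PART_ENTRY_FMT, st, b"\0\0\0", ty, b"\0\0\0", lba, n)
                     for st, ty, lba, n in partitions)
    return body + table.ljust(64, b"\x00") + BOOT_SIG


PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 20000000)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTS)   # xor ax,ax; mov ss,ax; mov sp,7C00h
BASELINE = bootcode_hash(CLEAN_MBR)                                # record this on a known-good host
TAMPERED_MBR = build_mbr(b"\xfa\xeb\xfe", PARTS)                   # cli; jmp $ -- a replaced loader

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a sandbox run the first sector can be pulled from the disk image after detonation and fed to `check_mbr` with the baseline recorded from the golden image; a GPT disk still carries a protective MBR in sector 0, so the signature and partition-type checks apply there too, but the boot-code hash is only meaningful for BIOS-boot systems.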
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
2776 | 4656610aadf30bdfd1062de4c22d009b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2776 | 4656610aadf30bdfd1062de4c22d009b.exe
2776 | 4656610aadf30bdfd1062de4c22d009b.exe
Suspicious use of AdjustPrivilegeToken 40 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 1960 | wmic.exe
Token: SeSecurityPrivilege | 1960 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1960 | wmic.exe
Token: SeLoadDriverPrivilege | 1960 | wmic.exe
Token: SeSystemProfilePrivilege | 1960 | wmic.exe
Token: SeSystemtimePrivilege | 1960 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1960 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1960 | wmic.exe
Token: SeCreatePagefilePrivilege | 1960 | wmic.exe
Token: SeBackupPrivilege | 1960 | wmic.exe
Token: SeRestorePrivilege | 1960 | wmic.exe
Token: SeShutdownPrivilege | 1960 | wmic.exe
Token: SeDebugPrivilege | 1960 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1960 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1960 | wmic.exe
Token: SeUndockPrivilege | 1960 | wmic.exe
Token: SeManageVolumePrivilege | 1960 | wmic.exe
Token: 33 | 1960 | wmic.exe
Token: 34 | 1960 | wmic.exe
Token: 35 | 1960 | wmic.exe
(The report lists this same set of 20 token adjustments twice for PID 1960, which is where the count of 40 IoCs comes from.)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2776 | 4656610aadf30bdfd1062de4c22d009b.exe
2776 | 4656610aadf30bdfd1062de4c22d009b.exe

Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2776 wrote to memory of 1960 | 2776 | 4656610aadf30bdfd1062de4c22d009b.exe | 30
PID 2776 wrote to memory of 1960 | 2776 | 4656610aadf30bdfd1062de4c22d009b.exe | 30
PID 2776 wrote to memory of 1960 | 2776 | 4656610aadf30bdfd1062de4c22d009b.exe | 30
PID 2776 wrote to memory of 1960 | 2776 | 4656610aadf30bdfd1062de4c22d009b.exe | 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\4656610aadf30bdfd1062de4c22d009b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4656610aadf30bdfd1062de4c22d009b.exe"
   PID: 2776
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic BaseBoard get SerialNumber
      PID: 1960
      - Suspicious use of AdjustPrivilegeToken
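The process tree shows the sample spawning wmic.exe to read the baseboard serial number, a common way for malware to fingerprint the host or recognise virtualised hardware before committing to its payload. As an added example, not part of the Triage report or the sample, the detection logic below evaluates Sysmon Event ID 1 (ProcessCreate) records and flags wmic hardware-identity queries, raising severity when the parent runs from a user-writable directory, as it does here. The event records are constructed for the example (the first reproduces the chain in the report; the rest are noise); field names follow Sysmon's ProcessCreate schema, and the regexes, severity labels and directory list are assumptions to tune per environment.

```python
import re
from typing import Dict, List

# wmic queries that return hardware identity values; used to fingerprint the
# host or to spot virtualised/sandbox hardware.
HW_QUERY = re.compile(
    r"\bwmic\b.*\b(baseboard|bios|csproduct|diskdrive)\b.*\bget\b.*"
    r"\b(serialnumber|uuid|identifyingnumber)\b", re.IGNORECASE)

# Locations a freshly dropped payload typically runs from (assumed list).
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE)


def score_event(ev: Dict[str, str]) -> Dict[str, object]:
    """Evaluate one Sysmon Event ID 1 record. Returns an alert dict, or an
    empty dict when the record is not interesting."""
    image = ev.get("Image", "")
    if not image.lower().endswith("\\wmic.exe"):
        return {}
    if not HW_QUERY.search(ev.get("CommandLine", "")):
        return {}
    reasons = ["wmic hardware-identity query"]
    severity = "medium"
    if USER_WRITABLE.search(ev.get("ParentImage", "")):
        reasons.append("parent runs from a user-writable directory")
        severity = "high"
    return {"pid": int(ev["ProcessId"]), "parent_pid": int(ev["ParentProcessId"]),
            "severity": severity, "reasons": reasons}


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run score_event over a batch of ProcessCreate records."""
    return [a for a in (score_event(e) for e in events) if a]


# Constructed ProcessCreate records. The first reproduces the chain from the
# report; the others are benign or lower-confidence noise.
SAMPLE_EVENTS = [
    {"ProcessId": "1960", "ParentProcessId": "2776",
     "Image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "CommandLine": "wmic BaseBoard get SerialNumber",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\4656610aadf30bdfd1062de4c22d009b.exe"},
    {"ProcessId": "3012", "ParentProcessId": "2200",          # admin at a console
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic bios get serialnumber",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": "3100", "ParentProcessId": "2200",          # not an identity query
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": "3200", "ParentProcessId": "2200",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The same fingerprint can be collected without wmic.exe (PowerShell's Get-CimInstance, direct WMI COM calls, or reading SMBIOS tables), so this rule covers the wmic variant seen in the report rather than the technique as a whole; pairing it with the parent process writing to \??\PhysicalDrive0 or raising SeDebugPrivilege, both also recorded above, gives a much stronger signal than either alone.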