Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
22/12/2023, 05:56
Behavioral task
behavioral1
Sample
737c6b35e8304239b9ccc22236a97425.exe
Resource
win7-20231129-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
737c6b35e8304239b9ccc22236a97425.exe
Resource
win10v2004-20231215-en
7 signatures
150 seconds
General
-
Target
737c6b35e8304239b9ccc22236a97425.exe
-
Size
12.3MB
-
MD5
737c6b35e8304239b9ccc22236a97425
-
SHA1
557ff440880381d67b50990c6fb640829aa6624d
-
SHA256
7e3c44c6313e81c1a160ee1a8de04f73c180634ddcfb7ae7daf07798a91dbcfe
-
SHA512
68ecca31ba5e73afeaf6c278037805cf81eeaca661d450c04b5f467dcae608c74a61f166016204ec0e88dce6e2867a16e87cc937e795303eb429ec8cefe4e889
-
SSDEEP
196608:A9QOIvid0RufNUO8pZjxoS9OSaiZ5n/j1Plmb5edb2+MBXJKspnyKOwnzo8lg5n:ArI6NR87Fo5Saif/j1P05edJXjwzoSm
Score
7/10
Malware Config
Signatures
-
resource: behavioral1/memory/2252-1-0x0000000000400000-0x0000000001B3C000-memory.dmp | yara_rule: vmprotect
resource: behavioral1/memory/2252-5-0x0000000000400000-0x0000000001B3C000-memory.dmp | yara_rule: vmprotect
resource: behavioral1/memory/2252-48-0x0000000000400000-0x0000000001B3C000-memory.dmp | yara_rule: vmprotect
resource: behavioral1/memory/2252-49-0x0000000000400000-0x0000000001B3C000-memory.dmp | yara_rule: vmprotect -
Note: all four memory dumps of PID 2252 match the vmprotect rule over the same mapped image range (0x400000-0x1B3C000), so the 12.3MB sample is VMProtect-protected; static strings and imports will be unreliable and any payload has to be recovered from memory.
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description: File opened for modification | ioc: \??\PhysicalDrive0 | Process: 737c6b35e8304239b9ccc22236a97425.exe -
Note: the IoC is a handle to \??\PhysicalDrive0 opened with write access; the report records no write to it. Hardware-fingerprinting code commonly opens the raw disk with read/write access to issue SMART queries for the drive serial, so confirm an actual MBR change by comparing sector 0 before and after the run rather than from this signature alone.
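The check the note above asks for, as an added example (not part of the sandbox report or the sample): parse sector 0, validate the 0x55AA signature and partition table, hash the 440-byte bootstrap area against a known-good capture, and list the byte ranges that changed between a "before" and "after" image of the disk. The two sectors are constructed here for the demonstration; the "after" one has its first 16 bootstrap bytes replaced by a short jump, the kind of hook a bootkit installs while leaving the partition table intact. On a real case, read the 512 bytes with `dd`, a forensic imager, or the sandbox's disk snapshot and pass them to `triage`.

```python
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECTOR_SIZE = 512
BOOTCODE_LEN = 440            # bytes 0..439: bootstrap code; 440..445: disk signature + pad
PART_TABLE_OFF = 446          # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510..511


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(sector0: bytes) -> List[PartitionEntry]:
    """Decode the four classic MBR partition entries, skipping empty (type 0) slots."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("sector 0 must be at least 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, type_id = sector0[off], sector0[off + 4]
        lba_start, count = struct.unpack_from("<II", sector0, off + 8)
        if type_id == 0:
            continue
        entries.append(PartitionEntry(i, status == 0x80, type_id, lba_start, count))
    return entries


def check_mbr(sector0: bytes, baseline_code_sha256: Optional[str] = None) -> dict:
    """Sanity-check sector 0; with a known-good hash, also flag bootstrap code changes."""
    findings = []
    if sector0[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    code_hash = hashlib.sha256(sector0[:BOOTCODE_LEN]).hexdigest()
    if baseline_code_sha256 is not None and code_hash != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline")
    parts = parse_partition_table(sector0)
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one active partition")
    for p in parts:
        if p.lba_start == 0 or p.sector_count == 0:
            findings.append(f"partition entry {p.index} has zero start or size")
    return {"code_sha256": code_hash, "partitions": parts, "findings": findings}


def changed_ranges(before: bytes, after: bytes) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) that differ between two captures of sector 0."""
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, min(len(before), len(after))))
    return ranges


def build_mbr(bootcode: bytes, partitions) -> bytes:
    """Assemble a sector 0 from bootstrap bytes and (bootable, type, lba, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    for i, (bootable, type_id, lba, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = type_id
        struct.pack_into("<II", sector, off + 8, lba, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample data (not from the report): a stock-looking "before" sector with one
# active NTFS (0x07) partition, and an "after" sector whose first 16 bootstrap bytes were
# replaced by a short jump plus padding, with the table and 0x55AA left intact.
CLEAN_BOOTCODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfbb90400bdbe07")
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, [(True, 0x07, 2048, 204800)])
TAMPERED_MBR = bytes.fromhex("eb2f90" + "cc" * 13) + CLEAN_MBR[16:]


def triage(before: bytes, after: bytes) -> dict:
    """Compare two captures the way an analyst would after a PhysicalDrive0 write is reported."""
    baseline = check_mbr(before)["code_sha256"]
    return {"before": check_mbr(before)["findings"],
            "after": check_mbr(after, baseline)["findings"],
            "changed": changed_ranges(before, after)}


if __name__ == "__main__":
    print(triage(CLEAN_MBR, TAMPERED_MBR))
```

A change confined to bytes 0..439 with the partition table untouched is the bootkit pattern; a change only in bytes 440..445 (disk signature) or in the table is what disk-management tools produce and is usually benign. Extend the same comparison to the sectors between the MBR and the first partition (LBA 1..2047 here), where bootkits typically stash the original MBR and their loader.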
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid: 2252 | Process: 737c6b35e8304239b9ccc22236a97425.exe -
Note: NtSetInformationThread with ThreadHideFromDebugger (0x11) stops the debugger receiving events from that thread, so it detaches or hangs. It is a standard anti-debugging measure in VMProtect's runtime and is consistent with the vmprotect YARA hits above; a debugger must hook or patch this call before the protected code reaches it.
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid: 2252 | Process: 737c6b35e8304239b9ccc22236a97425.exe (2 entries) -
Suspicious use of AdjustPrivilegeToken 40 IoCs
pid: 2728 | Process: wmic.exe | Token (each of the following 20 privileges is enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 -
Note: all 40 entries belong to the wmic.exe child (pid 2728), not to the sample. wmic.exe routinely enables every privilege available to its token at startup, so this signature describes the WMI client's own behaviour and adds no evidence against the sample.
Suspicious use of SetWindowsHookEx 2 IoCs
pid: 2252 | Process: 737c6b35e8304239b9ccc22236a97425.exe (2 entries) -
Suspicious use of WriteProcessMemory 4 IoCs
description: PID 2252 wrote to memory of 2728 | pid: 2252 | Process: 737c6b35e8304239b9ccc22236a97425.exe | procid_target: 28 (recorded 4 times)
Note: every write targets 2728, the wmic.exe child that 2252 itself created. Writes into a freshly created child during startup are consistent with ordinary process creation; nothing here shows injection into an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\737c6b35e8304239b9ccc22236a97425.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\737c6b35e8304239b9ccc22236a97425.exe"
  Depth: 1
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2252 -
  C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic BaseBoard get SerialNumber
    Depth: 2
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
-
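The only child the sample spawns is `wmic BaseBoard get SerialNumber`, a motherboard-serial query that hardware-fingerprinting code uses both for licensing and for sandbox or VM checks; the report does not show what the sample did with the answer. The detection logic below is an added example, not a rule from the sandbox: it walks Sysmon-style process-creation events, flags wmic.exe running a hardware-identifier query, raises the severity when the parent executes from a user-writable path, and returns the process chain for triage. PIDs 2252 and 2728 with their images and command lines come from the report; the explorer.exe root (pid 1600) and the three benign admin processes (3000, 3100, 3200) are constructed for contrast.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# A wmic query against the classes that carry machine-unique identifiers.
HWID_QUERY = re.compile(
    r"\b(baseboard|bios|diskdrive|csproduct|computersystemproduct)\b.*"
    r"\b(serialnumber|uuid|identifyingnumber)\b",
    re.IGNORECASE,
)
WMIC_IMAGE = re.compile(r"\\wbem\\wmic\.exe$", re.IGNORECASE)
# Parent executing from somewhere an unprivileged user (or a dropper) can write.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData\\(Local\\Temp|Roaming)|Downloads)\\"
    r"|\\Users\\Public\\|\\ProgramData\\",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Alert:
    pid: int
    severity: str
    chain: List[str]     # image paths from the wmic process up to the root
    reasons: List[str]


def ancestry(by_pid: Dict[int, ProcEvent], pid: int, limit: int = 8) -> List[str]:
    """Follow ppid links upward; stops at an unknown parent or after `limit` hops."""
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < limit:
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return chain


def detect_hwid_fingerprinting(events: List[ProcEvent]) -> List[Alert]:
    """Alert on wmic hardware-identifier queries; severity depends on who launched wmic."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if not (WMIC_IMAGE.search(e.image) and HWID_QUERY.search(e.cmdline)):
            continue
        reasons = [f"wmic hardware-identifier query: {e.cmdline}"]
        severity = "low"   # an admin at a shell runs this too; the parent decides
        parent = by_pid.get(e.ppid)
        if parent is not None and USER_WRITABLE.search(parent.image):
            reasons.append(f"parent runs from a user-writable path: {parent.image}")
            severity = "high"
        alerts.append(Alert(e.pid, severity, ancestry(by_pid, e.pid), reasons))
    return alerts


# Constructed Sysmon-style process-creation events (see the lead-in for which fields
# follow the report and which are invented).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\737c6b35e8304239b9ccc22236a97425.exe"
EVENTS = [
    ProcEvent(1600, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2252, 1600, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2728, 2252, r"C:\Windows\SysWOW64\Wbem\wmic.exe", "wmic BaseBoard get SerialNumber"),
    ProcEvent(3000, 1600, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(3100, 3000, r"C:\Windows\System32\wbem\WMIC.exe", "wmic baseboard get serialnumber"),
    ProcEvent(3200, 3000, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
]

if __name__ == "__main__":
    for a in detect_hwid_fingerprinting(EVENTS):
        print(a.severity, a.pid, " <- ".join(a.chain), a.reasons)
```

The same query from cmd.exe scores low on purpose: the command line alone is not malicious, and a rule that fires on it unconditionally will page on every asset-inventory script. What separates the sample's instance is the parent running out of AppData\Local\Temp, which the chain makes visible at a glance.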