Analysis
max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
22/12/2023, 10:58
Behavioral task
behavioral1
Sample
86ca4cff34bf8d2cc8be3c59cfabc1d2.exe
Resource
win7-20231215-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
86ca4cff34bf8d2cc8be3c59cfabc1d2.exe
Resource
win10v2004-20231215-en
7 signatures
150 seconds
General
Target
86ca4cff34bf8d2cc8be3c59cfabc1d2.exe
Size
12.3MB
MD5
86ca4cff34bf8d2cc8be3c59cfabc1d2
SHA1
cd74a0faa905012ba407aaea0298b6ff4075c0ad
SHA256
a1d6030e01106ead25c6cb67a8ed080ae66d198d0a7d225776349d3938c263f8
SHA512
5e5823ae5e699a11faef061e666fa42e6a7ba5e2e0b9e7d97743d092d6fd37ffbeef1d6f016a89d4b82696c3cdd26e7e8f77ad4b97dfc94dd73cdfa53d056177
SSDEEP
196608:fuaCVjcHlRncPDcizHp8zmVZfJ+L2dKI4NkqoGrhcpICwo/ik6WX4Jgf7UBHKHC4:fuaS6mDBpKmbkLAKB4/irWoJeUBqi4
Score
7/10
Malware Config
Signatures
resource                                                                     yara_rule
behavioral1/memory/2352-0-0x0000000000400000-0x0000000001B44000-memory.dmp   vmprotect
behavioral1/memory/2352-4-0x0000000000400000-0x0000000001B44000-memory.dmp   vmprotect
behavioral1/memory/2352-42-0x0000000000400000-0x0000000001B44000-memory.dmp  vmprotect
behavioral1/memory/2352-48-0x0000000000400000-0x0000000001B44000-memory.dmp  vmprotect
behavioral1/memory/2352-49-0x0000000000400000-0x0000000001B44000-memory.dmp  vmprotect
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                   ioc                 Process
File opened for modification  \??\PhysicalDrive0  86ca4cff34bf8d2cc8be3c59cfabc1d2.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid   Process
2352  86ca4cff34bf8d2cc8be3c59cfabc1d2.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2352  86ca4cff34bf8d2cc8be3c59cfabc1d2.exe
2352  86ca4cff34bf8d2cc8be3c59cfabc1d2.exe
Suspicious use of AdjustPrivilegeToken 40 IoCs
description                          pid   Process
Token: SeIncreaseQuotaPrivilege      2752  wmic.exe
Token: SeSecurityPrivilege           2752  wmic.exe
Token: SeTakeOwnershipPrivilege      2752  wmic.exe
Token: SeLoadDriverPrivilege         2752  wmic.exe
Token: SeSystemProfilePrivilege      2752  wmic.exe
Token: SeSystemtimePrivilege         2752  wmic.exe
Token: SeProfSingleProcessPrivilege  2752  wmic.exe
Token: SeIncBasePriorityPrivilege    2752  wmic.exe
Token: SeCreatePagefilePrivilege     2752  wmic.exe
Token: SeBackupPrivilege             2752  wmic.exe
Token: SeRestorePrivilege            2752  wmic.exe
Token: SeShutdownPrivilege           2752  wmic.exe
Token: SeDebugPrivilege              2752  wmic.exe
Token: SeSystemEnvironmentPrivilege  2752  wmic.exe
Token: SeRemoteShutdownPrivilege     2752  wmic.exe
Token: SeUndockPrivilege             2752  wmic.exe
Token: SeManageVolumePrivilege       2752  wmic.exe
Token: 33                            2752  wmic.exe
Token: 34                            2752  wmic.exe
Token: 35                            2752  wmic.exe
Token: SeIncreaseQuotaPrivilege      2752  wmic.exe
Token: SeSecurityPrivilege           2752  wmic.exe
Token: SeTakeOwnershipPrivilege      2752  wmic.exe
Token: SeLoadDriverPrivilege         2752  wmic.exe
Token: SeSystemProfilePrivilege      2752  wmic.exe
Token: SeSystemtimePrivilege         2752  wmic.exe
Token: SeProfSingleProcessPrivilege  2752  wmic.exe
Token: SeIncBasePriorityPrivilege    2752  wmic.exe
Token: SeCreatePagefilePrivilege     2752  wmic.exe
Token: SeBackupPrivilege             2752  wmic.exe
Token: SeRestorePrivilege            2752  wmic.exe
Token: SeShutdownPrivilege           2752  wmic.exe
Token: SeDebugPrivilege              2752  wmic.exe
Token: SeSystemEnvironmentPrivilege  2752  wmic.exe
Token: SeRemoteShutdownPrivilege     2752  wmic.exe
Token: SeUndockPrivilege             2752  wmic.exe
Token: SeManageVolumePrivilege       2752  wmic.exe
Token: 33                            2752  wmic.exe
Token: 34                            2752  wmic.exe
Token: 35                            2752  wmic.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
2352  86ca4cff34bf8d2cc8be3c59cfabc1d2.exe
2352  86ca4cff34bf8d2cc8be3c59cfabc1d2.exe
Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process                               procid_target
PID 2352 wrote to memory of 2752  2352  86ca4cff34bf8d2cc8be3c59cfabc1d2.exe  27
PID 2352 wrote to memory of 2752  2352  86ca4cff34bf8d2cc8be3c59cfabc1d2.exe  27
PID 2352 wrote to memory of 2752  2352  86ca4cff34bf8d2cc8be3c59cfabc1d2.exe  27
PID 2352 wrote to memory of 2752  2352  86ca4cff34bf8d2cc8be3c59cfabc1d2.exe  27
Processes
C:\Users\Admin\AppData\Local\Temp\86ca4cff34bf8d2cc8be3c59cfabc1d2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\86ca4cff34bf8d2cc8be3c59cfabc1d2.exe"
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2352
  C:\Windows\SysWOW64\Wbem\wmic.exe
  Command line: wmic BaseBoard get SerialNumber
  - Suspicious use of AdjustPrivilegeToken
  PID: 2752