Analysis
max time kernel: 122s
max time network: 134s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22/12/2023, 13:01
Behavioral task: behavioral1
Sample: 955711b371ac340c34dfafc12f535319.exe
Resource: win7-20231215-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 955711b371ac340c34dfafc12f535319.exe
Resource: win10v2004-20231215-en
7 signatures, 150 seconds
General
Target: 955711b371ac340c34dfafc12f535319.exe
Size: 12.3MB
MD5: 955711b371ac340c34dfafc12f535319
SHA1: 17cf7ce6d8a5478396b93712c2a5fccd0c770007
SHA256: aafbeb03e54446c5d941acf27c69c69fc7b381804de0c3a90a4087ae524f7464
SHA512: db704bfbb026391041b74a8135e429434c8ffc4a6430e9a1487f29e2d99b7749dc6a6621a4272742023ab16f8340bb2ab0eae0e278b99a7e39bedb6d90b6369e
SSDEEP: 196608:1crd6O90991Fki4emWpkYr2flmpmdQHeKWvpY623+OWXW7kdaNBF+ziLCUG9J5a:K6L991aimWpkkxGQeKWLRXHyL/qO
Score: 7/10
Malware Config
Signatures
resource | yara_rule:
- behavioral1/memory/2180-3-0x0000000000400000-0x0000000001B4F000-memory.dmp | vmprotect
- behavioral1/memory/2180-8-0x0000000000400000-0x0000000001B4F000-memory.dmp | vmprotect
- behavioral1/memory/2180-48-0x0000000000400000-0x0000000001B4F000-memory.dmp | vmprotect
- behavioral1/memory/2180-49-0x0000000000400000-0x0000000001B4F000-memory.dmp | vmprotect
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process:
- File opened for modification | \??\PhysicalDrive0 | 955711b371ac340c34dfafc12f535319.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process:
- 2180 | 955711b371ac340c34dfafc12f535319.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process:
- 2180 | 955711b371ac340c34dfafc12f535319.exe
- 2180 | 955711b371ac340c34dfafc12f535319.exe
Suspicious use of AdjustPrivilegeToken 40 IoCs
description | pid | Process:
- Token: SeIncreaseQuotaPrivilege | 2696 | wmic.exe
- Token: SeSecurityPrivilege | 2696 | wmic.exe
- Token: SeTakeOwnershipPrivilege | 2696 | wmic.exe
- Token: SeLoadDriverPrivilege | 2696 | wmic.exe
- Token: SeSystemProfilePrivilege | 2696 | wmic.exe
- Token: SeSystemtimePrivilege | 2696 | wmic.exe
- Token: SeProfSingleProcessPrivilege | 2696 | wmic.exe
- Token: SeIncBasePriorityPrivilege | 2696 | wmic.exe
- Token: SeCreatePagefilePrivilege | 2696 | wmic.exe
- Token: SeBackupPrivilege | 2696 | wmic.exe
- Token: SeRestorePrivilege | 2696 | wmic.exe
- Token: SeShutdownPrivilege | 2696 | wmic.exe
- Token: SeDebugPrivilege | 2696 | wmic.exe
- Token: SeSystemEnvironmentPrivilege | 2696 | wmic.exe
- Token: SeRemoteShutdownPrivilege | 2696 | wmic.exe
- Token: SeUndockPrivilege | 2696 | wmic.exe
- Token: SeManageVolumePrivilege | 2696 | wmic.exe
- Token: 33 | 2696 | wmic.exe
- Token: 34 | 2696 | wmic.exe
- Token: 35 | 2696 | wmic.exe
- Token: SeIncreaseQuotaPrivilege | 2696 | wmic.exe
- Token: SeSecurityPrivilege | 2696 | wmic.exe
- Token: SeTakeOwnershipPrivilege | 2696 | wmic.exe
- Token: SeLoadDriverPrivilege | 2696 | wmic.exe
- Token: SeSystemProfilePrivilege | 2696 | wmic.exe
- Token: SeSystemtimePrivilege | 2696 | wmic.exe
- Token: SeProfSingleProcessPrivilege | 2696 | wmic.exe
- Token: SeIncBasePriorityPrivilege | 2696 | wmic.exe
- Token: SeCreatePagefilePrivilege | 2696 | wmic.exe
- Token: SeBackupPrivilege | 2696 | wmic.exe
- Token: SeRestorePrivilege | 2696 | wmic.exe
- Token: SeShutdownPrivilege | 2696 | wmic.exe
- Token: SeDebugPrivilege | 2696 | wmic.exe
- Token: SeSystemEnvironmentPrivilege | 2696 | wmic.exe
- Token: SeRemoteShutdownPrivilege | 2696 | wmic.exe
- Token: SeUndockPrivilege | 2696 | wmic.exe
- Token: SeManageVolumePrivilege | 2696 | wmic.exe
- Token: 33 | 2696 | wmic.exe
- Token: 34 | 2696 | wmic.exe
- Token: 35 | 2696 | wmic.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process:
- 2180 | 955711b371ac340c34dfafc12f535319.exe
- 2180 | 955711b371ac340c34dfafc12f535319.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target:
- PID 2180 wrote to memory of 2696 | 2180 | 955711b371ac340c34dfafc12f535319.exe | 28
- PID 2180 wrote to memory of 2696 | 2180 | 955711b371ac340c34dfafc12f535319.exe | 28
- PID 2180 wrote to memory of 2696 | 2180 | 955711b371ac340c34dfafc12f535319.exe | 28
- PID 2180 wrote to memory of 2696 | 2180 | 955711b371ac340c34dfafc12f535319.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\955711b371ac340c34dfafc12f535319.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\955711b371ac340c34dfafc12f535319.exe"
   PID: 2180
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\Wbem\wmic.exe (child of PID 2180)
      Command line: wmic BaseBoard get SerialNumber
      PID: 2696
      - Suspicious use of AdjustPrivilegeToken