Analysis
max time kernel: 158s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/12/2023, 13:01
Behavioral task: behavioral1
Sample: 955711b371ac340c34dfafc12f535319.exe
Resource: win7-20231215-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 955711b371ac340c34dfafc12f535319.exe
Resource: win10v2004-20231215-en
7 signatures, 150 seconds
General
Target: 955711b371ac340c34dfafc12f535319.exe
Size: 12.3MB
MD5: 955711b371ac340c34dfafc12f535319
SHA1: 17cf7ce6d8a5478396b93712c2a5fccd0c770007
SHA256: aafbeb03e54446c5d941acf27c69c69fc7b381804de0c3a90a4087ae524f7464
SHA512: db704bfbb026391041b74a8135e429434c8ffc4a6430e9a1487f29e2d99b7749dc6a6621a4272742023ab16f8340bb2ab0eae0e278b99a7e39bedb6d90b6369e
SSDEEP: 196608:1crd6O90991Fki4emWpkYr2flmpmdQHeKWvpY623+OWXW7kdaNBF+ziLCUG9J5a:K6L991aimWpkkxGQeKWLRXHyL/qO
Score: 7/10
Malware Config
Signatures

resource | yara_rule
behavioral2/memory/4288-3-0x0000000000400000-0x0000000001B4F000-memory.dmp | vmprotect
behavioral2/memory/4288-10-0x0000000000400000-0x0000000001B4F000-memory.dmp | vmprotect
behavioral2/memory/4288-15-0x0000000000400000-0x0000000001B4F000-memory.dmp | vmprotect
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 955711b371ac340c34dfafc12f535319.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
4288 | 955711b371ac340c34dfafc12f535319.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4288 | 955711b371ac340c34dfafc12f535319.exe
4288 | 955711b371ac340c34dfafc12f535319.exe
4288 | 955711b371ac340c34dfafc12f535319.exe
4288 | 955711b371ac340c34dfafc12f535319.exe
Suspicious use of AdjustPrivilegeToken (42 IoCs)
description | pid | Process
The following sequence of 21 token adjustments was recorded twice, in the same order, all by pid 3552 (wmic.exe):
Token: SeIncreaseQuotaPrivilege | 3552 | wmic.exe
Token: SeSecurityPrivilege | 3552 | wmic.exe
Token: SeTakeOwnershipPrivilege | 3552 | wmic.exe
Token: SeLoadDriverPrivilege | 3552 | wmic.exe
Token: SeSystemProfilePrivilege | 3552 | wmic.exe
Token: SeSystemtimePrivilege | 3552 | wmic.exe
Token: SeProfSingleProcessPrivilege | 3552 | wmic.exe
Token: SeIncBasePriorityPrivilege | 3552 | wmic.exe
Token: SeCreatePagefilePrivilege | 3552 | wmic.exe
Token: SeBackupPrivilege | 3552 | wmic.exe
Token: SeRestorePrivilege | 3552 | wmic.exe
Token: SeShutdownPrivilege | 3552 | wmic.exe
Token: SeDebugPrivilege | 3552 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 3552 | wmic.exe
Token: SeRemoteShutdownPrivilege | 3552 | wmic.exe
Token: SeUndockPrivilege | 3552 | wmic.exe
Token: SeManageVolumePrivilege | 3552 | wmic.exe
Token: 33 | 3552 | wmic.exe
Token: 34 | 3552 | wmic.exe
Token: 35 | 3552 | wmic.exe
Token: 36 | 3552 | wmic.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4288 | 955711b371ac340c34dfafc12f535319.exe
4288 | 955711b371ac340c34dfafc12f535319.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4288 wrote to memory of 3552 | 4288 | 955711b371ac340c34dfafc12f535319.exe | 94
PID 4288 wrote to memory of 3552 | 4288 | 955711b371ac340c34dfafc12f535319.exe | 94
PID 4288 wrote to memory of 3552 | 4288 | 955711b371ac340c34dfafc12f535319.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\955711b371ac340c34dfafc12f535319.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\955711b371ac340c34dfafc12f535319.exe"
  PID: 4288
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic BaseBoard get SerialNumber
    PID: 3552
    - Suspicious use of AdjustPrivilegeToken