7f25cd4ce531ffef311af6881ed1392abc2b3a02a1a7f99cc400068a3d5be522

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

023fb29a93c3181bd9ca892142450acc.exe
Size

112KB
MD5

023fb29a93c3181bd9ca892142450acc
SHA1

7d6718ee2cbdbb6989a0965a89e0d95fd6043bfb
SHA256

7f25cd4ce531ffef311af6881ed1392abc2b3a02a1a7f99cc400068a3d5be522
SHA512

a5054f0537b5e1094d659508a29911c3d976550d1b70e9c1ae24342b1d96db6d65623c3796cd13ac5735ff60ff675071e7b185b7be75e45a50b1936f89bb8380
SSDEEP

3072:+/lqgOxh4RpR9qf8IfEsN3A5kNu1Q6JTz:+DtnhstN3i8u1Q6J

Score

7^/10

bootkit persistence

Malware Config

Signatures

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	193.31.250.5
Destination IP	193.191.111.132
Destination IP	60.196.0.1
Destination IP	193.37.110.34
Destination IP	193.133.68.149
Destination IP	193.83.239.141
Destination IP	193.23.124.29
Destination IP	193.157.238.110
Destination IP	193.219.209.85
Destination IP	193.173.160.135
Destination IP	193.144.131.57
Destination IP	193.113.210.23
Destination IP	204.13.161.6
Destination IP	200.10.122.11
Destination IP	193.198.130.116
Destination IP	192.118.70.174
Destination IP	193.244.39.188
Destination IP	193.74.145.14
Destination IP	193.241.151.34
Destination IP	193.54.171.245
Destination IP	193.193.67.230
Destination IP	193.106.224.154
Destination IP	193.0.224.5
Destination IP	193.232.195.177
Destination IP	193.104.198.238
Destination IP	193.125.152.77
Destination IP	210.141.108.231
Destination IP	193.54.9.230
Destination IP	193.176.148.255
Destination IP	193.59.133.13
Destination IP	193.179.174.253
Destination IP	193.53.44.253
Destination IP	193.189.233.99
Destination IP	193.177.245.248
Destination IP	193.20.111.39
Destination IP	193.13.208.125
Destination IP	193.52.183.148
Destination IP	193.60.243.242
Destination IP	210.144.5.162
Destination IP	193.107.175.42
Destination IP	216.115.224.6
Destination IP	193.191.123.241
Destination IP	193.2.92.179
Destination IP	193.135.174.255
Destination IP	193.21.237.213
Destination IP	193.23.124.139
Destination IP	193.253.78.23
Destination IP	193.211.5.150
Destination IP	193.228.112.37
Destination IP	67.15.108.125
Destination IP	193.157.23.53
Destination IP	193.94.163.8
Destination IP	61.78.52.5
Destination IP	131.94.226.10
Destination IP	193.252.129.166
Destination IP	193.74.213.205
Destination IP	193.40.188.166
Destination IP	129.66.76.4
Destination IP	193.214.68.238
Destination IP	193.207.61.179
Destination IP	193.65.11.133
Destination IP	205.242.187.235
Destination IP	193.42.228.9
Destination IP	80.77.113.1

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	023fb29a93c3181bd9ca892142450acc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2936	2140	WerFault.exe	14

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2140	023fb29a93c3181bd9ca892142450acc.exe
2140	023fb29a93c3181bd9ca892142450acc.exe
2140	023fb29a93c3181bd9ca892142450acc.exe
2140	023fb29a93c3181bd9ca892142450acc.exe
2140	023fb29a93c3181bd9ca892142450acc.exe
2140	023fb29a93c3181bd9ca892142450acc.exe
2140	023fb29a93c3181bd9ca892142450acc.exe
2140	023fb29a93c3181bd9ca892142450acc.exe
2140	023fb29a93c3181bd9ca892142450acc.exe
2140	023fb29a93c3181bd9ca892142450acc.exe
2140	023fb29a93c3181bd9ca892142450acc.exe
2140	023fb29a93c3181bd9ca892142450acc.exe
2140	023fb29a93c3181bd9ca892142450acc.exe
2140	023fb29a93c3181bd9ca892142450acc.exe
2140	023fb29a93c3181bd9ca892142450acc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2936	2140	023fb29a93c3181bd9ca892142450acc.exe	30
PID 2140 wrote to memory of 2936	2140	023fb29a93c3181bd9ca892142450acc.exe	30
PID 2140 wrote to memory of 2936	2140	023fb29a93c3181bd9ca892142450acc.exe	30
PID 2140 wrote to memory of 2936	2140	023fb29a93c3181bd9ca892142450acc.exe	30

C:\Users\Admin\AppData\Local\Temp\023fb29a93c3181bd9ca892142450acc.exe
"C:\Users\Admin\AppData\Local\Temp\023fb29a93c3181bd9ca892142450acc.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 1584
  2⤵
  - Program crash
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2140-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2140-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2140-2-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2140-3-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2140-4-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2140-24-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2140-28-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads