0077fcfe9a6b37ccb94e65b822c612978eede111ef57ae4bca3d118126b5b0a3

Analysis

max time kernel
0s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b964c1d84755f8411fe470d809d6b14.exe
Size

236KB
MD5

3b964c1d84755f8411fe470d809d6b14
SHA1

214a53d7a11ddaedc37843c7ca211ecea267fdb1
SHA256

0077fcfe9a6b37ccb94e65b822c612978eede111ef57ae4bca3d118126b5b0a3
SHA512

67ce7cb8f4c27e36e58ff7f96c185d092ffe3f5d2b63a37f080c0e7d209a67d2f9c0c0c384628fea4373b897e17165de723a1cc0829e6cc943cf01c1b22404f2
SSDEEP

3072:SlELL7XOCw0xQCdMey44tVkZj+8FzB7C1XWLmjPUXiYR8Pyqs59xP72NnYnoZO48:p3kOMeaavF17EP6qyqsa2AO4pi

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/816-0-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/816-61-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/816-62-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/816-67-0x0000000000400000-0x0000000000488000-memory.dmp	upx
behavioral1/memory/816-68-0x0000000000400000-0x0000000000488000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\i:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\u:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\v:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\q:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\w:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\z:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\e:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\g:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\h:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\l:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\m:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\j:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\k:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\p:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\r:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\y:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\n:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\o:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\s:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\t:	3b964c1d84755f8411fe470d809d6b14.exe
File opened (read-only)	\??\x:	3b964c1d84755f8411fe470d809d6b14.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	3b964c1d84755f8411fe470d809d6b14.exe

C:\Users\Admin\AppData\Local\Temp\3b964c1d84755f8411fe470d809d6b14.exe
"C:\Users\Admin\AppData\Local\Temp\3b964c1d84755f8411fe470d809d6b14.exe"
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab19AA.tmp

Filesize
18KB

MD5
331f95e2b50594fa3a730915b079dfa1

SHA1
aa7d1b3a26b5ecfec6d05c056397e6d8a744a7d3

SHA256
d15cb12dbbb74d62238cd7454b6e62d810db996f85a639c2813794d2c9a2b8ea

SHA512
880ed71db429e39bbf2bf0ffe990d2df71a8d6ca58de4a97ecf2878ae2dfd29c5454dbfc346e8f49c59e37a59d92449571bb8e3f8eb07fb78f10bf98fe3c9f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar19CD.tmp

Filesize
19KB

MD5
010e65af5583d2f1ec46cc64ccea9a2b

SHA1
c312b448077798d1e97674770238ff318b5d010a

SHA256
67105e94d64fde18b0238614f0508937460cd3ea3fe6d0202b3d0b0042845c08

SHA512
2e0c8683e5879bff22ded778c92eb6eea825e3aefb8708b335cca98a80c75cf5b70e846b8030c35f15c4caf789de72dbf35304e5c3cf5c1b4c49d24b4302e84b

Download Submit
memory/816-0-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/816-61-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/816-62-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/816-67-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/816-68-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads