51cd14c4a8482edb9a81f7037b927cc43194543e7a82a73ecf9b8eddddf67354

Analysis

max time kernel
184s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d911b3b1cc9a41b6b94d95f778df1a7.exe
Size

520KB
MD5

4d911b3b1cc9a41b6b94d95f778df1a7
SHA1

11766a112a05c64951b0226d700f4d3864493811
SHA256

51cd14c4a8482edb9a81f7037b927cc43194543e7a82a73ecf9b8eddddf67354
SHA512

93347a38cdcd277cf093d6f5af762dcbafb1b72705e45bf198b1cac2d6c27b17e58f2ff2404439f7ed397c7b63d70e1b9a4d35e451c29b89c284eee5326398c5
SSDEEP

6144:TeTs0hGq2xVCbmDLuO+AT3pUh5/ZAGjPBjFJF:/0Eq2x1fu6uVPBLF

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1908	svchost.exe
2968	svchost.exe
1736	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2596	4d911b3b1cc9a41b6b94d95f778df1a7.exe
2596	4d911b3b1cc9a41b6b94d95f778df1a7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	4d911b3b1cc9a41b6b94d95f778df1a7.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe
File opened for modification	\??\PhysicalDrive0	4d911b3b1cc9a41b6b94d95f778df1a7.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2812 set thread context of 2756	2812	4d911b3b1cc9a41b6b94d95f778df1a7.exe	29
PID 2756 set thread context of 2596	2756	4d911b3b1cc9a41b6b94d95f778df1a7.exe	30
PID 1908 set thread context of 2968	1908	svchost.exe	32
PID 2968 set thread context of 1736	2968	svchost.exe	33

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2812	4d911b3b1cc9a41b6b94d95f778df1a7.exe
2756	4d911b3b1cc9a41b6b94d95f778df1a7.exe
1908	svchost.exe
2968	svchost.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2756	2812	4d911b3b1cc9a41b6b94d95f778df1a7.exe	29
PID 2812 wrote to memory of 2756	2812	4d911b3b1cc9a41b6b94d95f778df1a7.exe	29
PID 2812 wrote to memory of 2756	2812	4d911b3b1cc9a41b6b94d95f778df1a7.exe	29
PID 2812 wrote to memory of 2756	2812	4d911b3b1cc9a41b6b94d95f778df1a7.exe	29
PID 2812 wrote to memory of 2756	2812	4d911b3b1cc9a41b6b94d95f778df1a7.exe	29
PID 2812 wrote to memory of 2756	2812	4d911b3b1cc9a41b6b94d95f778df1a7.exe	29
PID 2812 wrote to memory of 2756	2812	4d911b3b1cc9a41b6b94d95f778df1a7.exe	29
PID 2812 wrote to memory of 2756	2812	4d911b3b1cc9a41b6b94d95f778df1a7.exe	29
PID 2812 wrote to memory of 2756	2812	4d911b3b1cc9a41b6b94d95f778df1a7.exe	29
PID 2756 wrote to memory of 2596	2756	4d911b3b1cc9a41b6b94d95f778df1a7.exe	30
PID 2756 wrote to memory of 2596	2756	4d911b3b1cc9a41b6b94d95f778df1a7.exe	30
PID 2756 wrote to memory of 2596	2756	4d911b3b1cc9a41b6b94d95f778df1a7.exe	30
PID 2756 wrote to memory of 2596	2756	4d911b3b1cc9a41b6b94d95f778df1a7.exe	30
PID 2756 wrote to memory of 2596	2756	4d911b3b1cc9a41b6b94d95f778df1a7.exe	30
PID 2756 wrote to memory of 2596	2756	4d911b3b1cc9a41b6b94d95f778df1a7.exe	30
PID 2756 wrote to memory of 2596	2756	4d911b3b1cc9a41b6b94d95f778df1a7.exe	30
PID 2756 wrote to memory of 2596	2756	4d911b3b1cc9a41b6b94d95f778df1a7.exe	30
PID 2756 wrote to memory of 2596	2756	4d911b3b1cc9a41b6b94d95f778df1a7.exe	30
PID 2756 wrote to memory of 2596	2756	4d911b3b1cc9a41b6b94d95f778df1a7.exe	30
PID 2756 wrote to memory of 2596	2756	4d911b3b1cc9a41b6b94d95f778df1a7.exe	30
PID 2756 wrote to memory of 2596	2756	4d911b3b1cc9a41b6b94d95f778df1a7.exe	30
PID 2596 wrote to memory of 1908	2596	4d911b3b1cc9a41b6b94d95f778df1a7.exe	31
PID 2596 wrote to memory of 1908	2596	4d911b3b1cc9a41b6b94d95f778df1a7.exe	31
PID 2596 wrote to memory of 1908	2596	4d911b3b1cc9a41b6b94d95f778df1a7.exe	31
PID 2596 wrote to memory of 1908	2596	4d911b3b1cc9a41b6b94d95f778df1a7.exe	31
PID 1908 wrote to memory of 2968	1908	svchost.exe	32
PID 1908 wrote to memory of 2968	1908	svchost.exe	32
PID 1908 wrote to memory of 2968	1908	svchost.exe	32
PID 1908 wrote to memory of 2968	1908	svchost.exe	32
PID 1908 wrote to memory of 2968	1908	svchost.exe	32
PID 1908 wrote to memory of 2968	1908	svchost.exe	32
PID 1908 wrote to memory of 2968	1908	svchost.exe	32
PID 1908 wrote to memory of 2968	1908	svchost.exe	32
PID 1908 wrote to memory of 2968	1908	svchost.exe	32
PID 2968 wrote to memory of 1736	2968	svchost.exe	33
PID 2968 wrote to memory of 1736	2968	svchost.exe	33
PID 2968 wrote to memory of 1736	2968	svchost.exe	33
PID 2968 wrote to memory of 1736	2968	svchost.exe	33
PID 2968 wrote to memory of 1736	2968	svchost.exe	33
PID 2968 wrote to memory of 1736	2968	svchost.exe	33
PID 2968 wrote to memory of 1736	2968	svchost.exe	33
PID 2968 wrote to memory of 1736	2968	svchost.exe	33
PID 2968 wrote to memory of 1736	2968	svchost.exe	33
PID 2968 wrote to memory of 1736	2968	svchost.exe	33
PID 2968 wrote to memory of 1736	2968	svchost.exe	33
PID 2968 wrote to memory of 1736	2968	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\4d911b3b1cc9a41b6b94d95f778df1a7.exe
"C:\Users\Admin\AppData\Local\Temp\4d911b3b1cc9a41b6b94d95f778df1a7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\4d911b3b1cc9a41b6b94d95f778df1a7.exe
  "C:\Users\Admin\AppData\Local\Temp\4d911b3b1cc9a41b6b94d95f778df1a7.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\4d911b3b1cc9a41b6b94d95f778df1a7.exe
    "C:\Users\Admin\AppData\Local\Temp\4d911b3b1cc9a41b6b94d95f778df1a7.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        6⤵
        Executes dropped EXE
        
        PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
227KB

MD5
8ecd2f047f09a456b4faa94ede8b4be4

SHA1
b150ed8b08561bdf5aea13188a9f9105fd9e4e85

SHA256
1167f7ccebcf15ffbd6fdc2eb5b799f8c871e002e4c98a1840dbe24e7c15d8f3

SHA512
64dd973d0915700e9303565e27dbb15873538e1e5a04ac3c4b41527a012ca2842386a38ff828f761822441f5ec71102df2e8dcf20ac9b66744bd19d129cdfcc0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
520KB

MD5
4d911b3b1cc9a41b6b94d95f778df1a7

SHA1
11766a112a05c64951b0226d700f4d3864493811

SHA256
51cd14c4a8482edb9a81f7037b927cc43194543e7a82a73ecf9b8eddddf67354

SHA512
93347a38cdcd277cf093d6f5af762dcbafb1b72705e45bf198b1cac2d6c27b17e58f2ff2404439f7ed397c7b63d70e1b9a4d35e451c29b89c284eee5326398c5

Download Submit
memory/1736-97-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1736-94-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-39-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-35-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-48-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-22-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-20-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-24-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-28-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-30-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-26-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-34-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2596-36-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2756-14-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2756-37-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2756-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2756-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2756-17-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2756-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2756-6-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2756-4-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2968-93-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2968-70-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads