b53e2621741d5018ba587c1bd993e1f489976376342c7be05c1dfa464b524d6e

Analysis

max time kernel
143s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66220981e412954659871d15d3233aa5.exe
Size

545KB
MD5

66220981e412954659871d15d3233aa5
SHA1

58b4edb45aa4d82bdad5a95e291d88edf059362f
SHA256

b53e2621741d5018ba587c1bd993e1f489976376342c7be05c1dfa464b524d6e
SHA512

d8add1749dae553e2b64bf662b3a896e0f01bd4470684dc5df3540a7c31dcecdd6117a6aea5bba10325620e43689836f17e26227ed740bf536fee740d2792ef9
SSDEEP

12288:x1Ra1rN4wopVauKAxZkhwryINtTirdor2vzFyq:xDrp4XAx+hwrywTEdoSvo

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2428	EntSver.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	66220981e412954659871d15d3233aa5.exe
File opened for modification	\??\PhysicalDrive0	EntSver.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\DCRXPX.DAT	66220981e412954659871d15d3233aa5.exe
File created	C:\Windows\EntSver.exe	66220981e412954659871d15d3233aa5.exe
File opened for modification	C:\Windows\EntSver.exe	66220981e412954659871d15d3233aa5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	66220981e412954659871d15d3233aa5.exe
Token: SeDebugPrivilege	2428	EntSver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2428	EntSver.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2428	EntSver.exe
2428	EntSver.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2936	2428	EntSver.exe	14
PID 2428 wrote to memory of 2936	2428	EntSver.exe	14
PID 2428 wrote to memory of 2936	2428	EntSver.exe	14
PID 2428 wrote to memory of 2936	2428	EntSver.exe	14

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:2936

C:\Windows\EntSver.exe
C:\Windows\EntSver.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Local\Temp\66220981e412954659871d15d3233aa5.exe
"C:\Users\Admin\AppData\Local\Temp\66220981e412954659871d15d3233aa5.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DCRXPX.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\EntSver.exe

Filesize
545KB

MD5
66220981e412954659871d15d3233aa5

SHA1
58b4edb45aa4d82bdad5a95e291d88edf059362f

SHA256
b53e2621741d5018ba587c1bd993e1f489976376342c7be05c1dfa464b524d6e

SHA512
d8add1749dae553e2b64bf662b3a896e0f01bd4470684dc5df3540a7c31dcecdd6117a6aea5bba10325620e43689836f17e26227ed740bf536fee740d2792ef9

Download Submit
memory/1340-1-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/1340-66-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/1340-65-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1340-64-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/1340-63-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1340-62-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/1340-61-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/1340-60-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/1340-59-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/1340-58-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/1340-57-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/1340-56-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/1340-55-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1340-54-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1340-53-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1340-52-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/1340-51-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1340-50-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1340-49-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1340-48-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1340-47-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1340-46-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1340-45-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1340-44-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1340-43-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1340-42-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1340-41-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1340-40-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1340-39-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1340-38-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1340-37-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1340-36-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1340-35-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1340-34-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/1340-33-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/1340-29-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/1340-28-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/1340-27-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1340-26-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/1340-25-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1340-24-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1340-23-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/1340-22-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/1340-21-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/1340-20-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/1340-19-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1340-18-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/1340-17-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/1340-16-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/1340-15-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1340-14-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/1340-13-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/1340-12-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/1340-11-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/1340-10-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/1340-9-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/1340-8-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/1340-7-0x0000000001E70000-0x0000000001E73000-memory.dmp

Filesize
12KB

Download
memory/1340-6-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/1340-5-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1340-4-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1340-3-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1340-2-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1340-0-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1340-154-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2428-123-0x0000000003410000-0x0000000003422000-memory.dmp

Filesize
72KB

Download
memory/2428-160-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2428-171-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads