Overview

overview

7

Static

static

3

06c47cf3df...77.exe

windows7-x64

7

06c47cf3df...77.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    134s
  • max time network
    39s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29-12-2023 23:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06c47cf3df7f100abc63aa80d7425777.exe

  • Size

    166KB

  • MD5

    06c47cf3df7f100abc63aa80d7425777

  • SHA1

    9b585d49db5a6d981cc2f9539f64775ce8003241

  • SHA256

    3eb2fc23eff1be3bbb9cab96a3997e31593b7bd5156a4900f97aaf003d480aea

  • SHA512

    d1cbaeeb8e25da55cb36fd11bfbc4f568a0e7dcd33ee6a6be7d1614f4fa672ae10303f71c1fddc4be382e0535951777bb077ab699ad14612380e65c473ad4453

  • SSDEEP

    3072:XAx8geZlCK9Be4o9YvgHJIlUIvRayTpROse/dpQSWBFJxLd64ylyrWVeNPZ6V+jL:wxh+blvgpIlLRj1w7WHjc4iyrzgVUIT+

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777.exe
    "C:\Users\Admin\AppData\Local\Temp\06c47cf3df7f100abc63aa80d7425777.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c delplme.bat
      2⤵
      • Deletes itself
      PID:2144

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\delplme.bat
    Filesize

    264B

    MD5

    3b9a8cee4ad37a5f0466d970f0226684

    SHA1

    3fccac70dc579ae09f1e99bb00abf29cbe674d0c

    SHA256

    0b806fcb9119497c8815a231a200028f97ae622c483af90fb612ba6831cdba72

    SHA512

    835438d20f4778f88283748120d86cd6690d2a3218faf55b36d4d45ea339ec1248a16dd6025d3a310f201d2db83786e8359f41949edce78d82708323ba6f19cd

    Download Submit

  • \Windows\SysWOW64\od3mdi.dll
    Filesize

    253KB

    MD5

    c773ac834e266391eee3572c4b42653e

    SHA1

    877c3703cebddc93b132deffec253d6bbda8ab67

    SHA256

    17a821c460aed05adda03dbce52a0709bf06872a08335c3ac313e2be71de1d77

    SHA512

    491317a7861714c44e1d79633e0ac1473c275bf53e2c56752003aaf64be2b6b1590114eb26e763e62d64c32368fa4fba0dc3801669e8a11bcf2cfbf50eb8f313

    Download Submit

  • memory/2584-0-0x0000000000400000-0x0000000000484719-memory.dmp

    Filesize

    529KB

    Download

  • memory/2584-2-0x0000000000400000-0x0000000000484719-memory.dmp

    Filesize

    529KB

    Download

  • memory/2584-4-0x00000000003B0000-0x00000000003FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2584-14-0x0000000000400000-0x0000000000484719-memory.dmp

    Filesize

    529KB

    Download