Analysis

max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29/12/2023, 19:25
Static task: static1
  1 signatures

Behavioral task: behavioral1
  Sample: 01a823460418a1d5a0cd5997fe965efc.exe
  Resource: win7-20231215-en
  6 signatures
  150 seconds

Behavioral task: behavioral2
  Sample: 01a823460418a1d5a0cd5997fe965efc.exe
  Resource: win10v2004-20231215-en
  5 signatures
  150 seconds
General

Target: 01a823460418a1d5a0cd5997fe965efc.exe
Size: 20KB
MD5: 01a823460418a1d5a0cd5997fe965efc
SHA1: 5da6a505868fb3c389f24add492ca2a8c51f0996
SHA256: 123b2825882b30a3118e63934c16ffb65a927906d6f3f6bbf3e61af824b37172
SHA512: d7b28364eb2ac003f05936215f795a5dc6ecbcc2d95fe6848380adca5bdf0dea06dd5cf5efe3c91bd461ce28ad44dc5a9b5b2d33e65cc60d1e5e484a0a0f9551
SSDEEP: 384:xzHmhwJr+qaSXvDXPxa9TwK2usg3D1360rkb8Ex4f8nM:vxJdGTX5Ex4fZ
Score: 6/10
Malware Config
Signatures

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2764  2728        WerFault.exe  28

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                 Process
  File opened for modification  \??\PhysicalDrive0  IEXPLORE.EXE

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                               procid_target
  PID 2444 set thread context of 2728  2444  01a823460418a1d5a0cd5997fe965efc.exe  28

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2728  IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                        pid   Process
  Token: SeIncBasePriorityPrivilege  2444  01a823460418a1d5a0cd5997fe965efc.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                               procid_target
  PID 2444 wrote to memory of 2728  2444  01a823460418a1d5a0cd5997fe965efc.exe  28
  PID 2444 wrote to memory of 2728  2444  01a823460418a1d5a0cd5997fe965efc.exe  28
  PID 2444 wrote to memory of 2728  2444  01a823460418a1d5a0cd5997fe965efc.exe  28
  PID 2444 wrote to memory of 2728  2444  01a823460418a1d5a0cd5997fe965efc.exe  28
  PID 2444 wrote to memory of 2728  2444  01a823460418a1d5a0cd5997fe965efc.exe  28
  PID 2444 wrote to memory of 2728  2444  01a823460418a1d5a0cd5997fe965efc.exe  28
  PID 2444 wrote to memory of 2728  2444  01a823460418a1d5a0cd5997fe965efc.exe  28
  PID 2444 wrote to memory of 2728  2444  01a823460418a1d5a0cd5997fe965efc.exe  28
  PID 2728 wrote to memory of 2764  2728  IEXPLORE.EXE                          29
  PID 2728 wrote to memory of 2764  2728  IEXPLORE.EXE                          29
  PID 2728 wrote to memory of 2764  2728  IEXPLORE.EXE                          29
  PID 2728 wrote to memory of 2764  2728  IEXPLORE.EXE                          29
Processes

C:\Users\Admin\AppData\Local\Temp\01a823460418a1d5a0cd5997fe965efc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01a823460418a1d5a0cd5997fe965efc.exe"
  PID: 2444
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
    PID: 2728
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 156
      PID: 2764
      - Program crash