79a7f0cde1e099397e5095a9daf42a23b1243fbf7845b1f50f64e3b5a3bded62

Analysis

max time kernel
159s
max time network
80s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01dc371ca646617199c8e6f5decaa345.exe
Size

736KB
MD5

01dc371ca646617199c8e6f5decaa345
SHA1

ef38d9544529752373950c8e157942f5da3bee3c
SHA256

79a7f0cde1e099397e5095a9daf42a23b1243fbf7845b1f50f64e3b5a3bded62
SHA512

c07ae16bed70fdcd687f6061467ecb351922bad25cf31c7e92e29c33c848ca1eef703f242c6076a14a7a076a6989d25bf339449ad1460450df8fa8d96d28f5d1
SSDEEP

12288:WjZo5O8SWl7/E4ZKJkwWCsA2xhinN4eOKj+iuG4/oCVZK6VBOyaW1K3Dnseo:6ow8tJXUawWFAkgNLOUSoV62yaW4Dse

Score

6^/10

bootkit persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\alxhelper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\01dc371ca646617199c8e6f5decaa345.exe /autostart"	01dc371ca646617199c8e6f5decaa345.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	01dc371ca646617199c8e6f5decaa345.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	01dc371ca646617199c8e6f5decaa345.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	01dc371ca646617199c8e6f5decaa345.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	01dc371ca646617199c8e6f5decaa345.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2736	01dc371ca646617199c8e6f5decaa345.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2736	01dc371ca646617199c8e6f5decaa345.exe
2736	01dc371ca646617199c8e6f5decaa345.exe
2736	01dc371ca646617199c8e6f5decaa345.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2736	01dc371ca646617199c8e6f5decaa345.exe
2736	01dc371ca646617199c8e6f5decaa345.exe
2736	01dc371ca646617199c8e6f5decaa345.exe

C:\Users\Admin\AppData\Local\Temp\01dc371ca646617199c8e6f5decaa345.exe
"C:\Users\Admin\AppData\Local\Temp\01dc371ca646617199c8e6f5decaa345.exe"
1⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2736-0-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2736-1-0x00000000003F0000-0x00000000003F3000-memory.dmp

Filesize
12KB

Download
memory/2736-2-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2736-5-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2736-18-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/2736-38-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2736-58-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2736-57-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2736-60-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2736-59-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/2736-56-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/2736-55-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/2736-54-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2736-53-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/2736-52-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/2736-51-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/2736-50-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2736-49-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2736-48-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2736-47-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/2736-61-0x00000000751E0000-0x00000000752F0000-memory.dmp

Filesize
1.1MB

Download
memory/2736-66-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/2736-65-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/2736-64-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/2736-63-0x00000000771FF000-0x0000000077200000-memory.dmp

Filesize
4KB

Download
memory/2736-62-0x00000000751E0000-0x00000000752F0000-memory.dmp

Filesize
1.1MB

Download
memory/2736-46-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2736-45-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/2736-44-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2736-43-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/2736-42-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/2736-41-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2736-40-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/2736-39-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/2736-37-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/2736-36-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2736-35-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2736-34-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2736-33-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/2736-32-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2736-31-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2736-30-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2736-29-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2736-28-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2736-27-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/2736-26-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2736-25-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/2736-24-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2736-23-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/2736-22-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/2736-21-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2736-20-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/2736-19-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2736-17-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2736-16-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2736-15-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2736-14-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2736-13-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2736-12-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2736-11-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2736-10-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2736-9-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2736-8-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2736-7-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2736-6-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2736-3-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2736-96-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2736-98-0x00000000752F0000-0x00000000754B4000-memory.dmp

Filesize
1.8MB

Download
memory/2736-99-0x0000000075810000-0x000000007645A000-memory.dmp

Filesize
12.3MB

Download
memory/2736-102-0x00000000752F0000-0x00000000754B4000-memory.dmp

Filesize
1.8MB

Download
memory/2736-106-0x00000000752F0000-0x00000000754B4000-memory.dmp

Filesize
1.8MB

Download
memory/2736-109-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2736-111-0x00000000752F0000-0x00000000754B4000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads