5334219837264e564ab36dc45dc2ed810e6c2a7457be1a90d22d5eae99e1adf9

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e9d6d3583a4fd55b0994c0820314660.exe
Size

444KB
MD5

0e9d6d3583a4fd55b0994c0820314660
SHA1

bc42dba7727415aa96484390defe2b5ecac9d5f5
SHA256

5334219837264e564ab36dc45dc2ed810e6c2a7457be1a90d22d5eae99e1adf9
SHA512

434dc36ffb45ee3950c76d52c8cfbe8de8673a03d232bbf1378f326f2665654674f38ae397855fe79821d4dcd446afe2e573baab4a6ddfa81f2a4998ffeade95
SSDEEP

12288:k9ett4w0flrnjErt2HD2LAgmWxKIPJGj96:k9ettd0fsxbCIBGp6

Score

7^/10

bootkit persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
812	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2548	SverDLL.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0e9d6d3583a4fd55b0994c0820314660.exe
File opened for modification	\??\PhysicalDrive0	SverDLL.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SverDLL.exe	0e9d6d3583a4fd55b0994c0820314660.exe
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	SverDLL.exe
File opened for modification	C:\Windows\SysWOW64\SverDLL.exe	SverDLL.exe
File opened for modification	C:\Windows\SysWOW64\ieapfltr.dat	0e9d6d3583a4fd55b0994c0820314660.exe
File created	C:\Windows\SysWOW64\SverDLL.exe	0e9d6d3583a4fd55b0994c0820314660.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\GUOCYOKl.BAT	0e9d6d3583a4fd55b0994c0820314660.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	0e9d6d3583a4fd55b0994c0820314660.exe
Token: SeDebugPrivilege	2548	SverDLL.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 812	2924	0e9d6d3583a4fd55b0994c0820314660.exe	29
PID 2924 wrote to memory of 812	2924	0e9d6d3583a4fd55b0994c0820314660.exe	29
PID 2924 wrote to memory of 812	2924	0e9d6d3583a4fd55b0994c0820314660.exe	29
PID 2924 wrote to memory of 812	2924	0e9d6d3583a4fd55b0994c0820314660.exe	29

C:\Users\Admin\AppData\Local\Temp\0e9d6d3583a4fd55b0994c0820314660.exe
"C:\Users\Admin\AppData\Local\Temp\0e9d6d3583a4fd55b0994c0820314660.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\GUOCYOKl.BAT
  2⤵
  - Deletes itself
  PID:812

C:\Windows\SysWOW64\SverDLL.exe
C:\Windows\SysWOW64\SverDLL.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GUOCYOKl.BAT

Filesize
190B

MD5
c271b57cdf2efdf373f2cf5afcb106b3

SHA1
1559ddc5e97efbb57909b91b91cf619a2a86296b

SHA256
1eefdc4b47a2bab39d6056913191b127b6b9f88432a49acf0e99897bbc447dcd

SHA512
6732d2312cc866361b07e9fb044452ae2d5cb7e30c9484861e10f3506f9bb7f41cd3664f52b5acb8c985da26dce19232ef59f991b1e65b15457be0c7762c70e1

Download Submit
C:\Windows\SysWOW64\SverDLL.exe

Filesize
444KB

MD5
0e9d6d3583a4fd55b0994c0820314660

SHA1
bc42dba7727415aa96484390defe2b5ecac9d5f5

SHA256
5334219837264e564ab36dc45dc2ed810e6c2a7457be1a90d22d5eae99e1adf9

SHA512
434dc36ffb45ee3950c76d52c8cfbe8de8673a03d232bbf1378f326f2665654674f38ae397855fe79821d4dcd446afe2e573baab4a6ddfa81f2a4998ffeade95

Download Submit
memory/2924-0-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/2924-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2924-2-0x0000000000570000-0x00000000005B3000-memory.dmp

Filesize
268KB

Download
memory/2924-11-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2924-12-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2924-10-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2924-9-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2924-8-0x0000000000610000-0x0000000000613000-memory.dmp

Filesize
12KB

Download
memory/2924-7-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2924-6-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2924-5-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2924-4-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2924-3-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2924-26-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/2924-65-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/2924-64-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/2924-63-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/2924-62-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/2924-61-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/2924-60-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/2924-59-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2924-58-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/2924-57-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/2924-56-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/2924-55-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/2924-54-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/2924-53-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/2924-52-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/2924-51-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/2924-50-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/2924-49-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/2924-48-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2924-47-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/2924-46-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/2924-45-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/2924-44-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/2924-43-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/2924-42-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2924-41-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/2924-40-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2924-39-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2924-38-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2924-37-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2924-36-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2924-35-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2924-34-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/2924-33-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2924-32-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2924-31-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/2924-30-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2924-29-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/2924-28-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2924-27-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2924-25-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/2924-24-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/2924-23-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2924-22-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/2924-21-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2924-20-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2924-19-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/2924-18-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2924-17-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/2924-16-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2924-13-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads