7d137500a274748d55ca9cf78ef1d98e008b7aa5d2073504ca7206f9bd38066d

Analysis

max time kernel
11s
max time network
34s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bdb39697d2f77aee1dc1bb696c0476b.exe
Size

396KB
MD5

1bdb39697d2f77aee1dc1bb696c0476b
SHA1

0f00c431b62d45921efd5fabcecea67fbd7a3f7f
SHA256

7d137500a274748d55ca9cf78ef1d98e008b7aa5d2073504ca7206f9bd38066d
SHA512

e7cc35d069e7c2e191f7944da59f8e6922df51cace8685ac463f082074c42c47853d920e8565503b6a5572a156f2734b4008c43c5b6919544e8b007b4139e7a6
SSDEEP

12288:1IV8UtK0uIb4kTp6b7MP+Dd2Uq/S6b7MP+Dd2wj:mM0rHs7MP+h2UAD7MP+h2+

Score

8^/10

bootkit persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	1bdb39697d2f77aee1dc1bb696c0476b.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	1bdb39697d2f77aee1dc1bb696c0476b.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	1bdb39697d2f77aee1dc1bb696c0476b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	1bdb39697d2f77aee1dc1bb696c0476b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	1bdb39697d2f77aee1dc1bb696c0476b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1052	1bdb39697d2f77aee1dc1bb696c0476b.exe

C:\Users\Admin\AppData\Local\Temp\1bdb39697d2f77aee1dc1bb696c0476b.exe
"C:\Users\Admin\AppData\Local\Temp\1bdb39697d2f77aee1dc1bb696c0476b.exe"
1⤵
- Drops file in Drivers directory
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1052-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1052-1-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/1052-6-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1052-9-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1052-8-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/1052-7-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1052-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1052-2-0x0000000000290000-0x0000000000293000-memory.dmp

Filesize
12KB

Download