69fc82751a45a699441f5637060cdfa646ebc6425c6b9dbb40d9dd1d51f668bd

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 02:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DigitalSignCheck.exe
Size

283KB
MD5

7706d2553bdd172f37f84d80eda9d280
SHA1

6c8345339601d05c9146e686422cfc3255a8ecd8
SHA256

948755ae43815b0dba243df3b603ac52033154d024329c38a4306243494ca20a
SHA512

e2941012fa4ce079d618d18a0fbae39fe19b70ced255667f11141cb87629aaa3bee53f402d652fde7c2b679ffd726b64bc97bb65ffe21f9d6cd08f67c194c1fd
SSDEEP

6144:psHAbjkAhKUs3W3E+nsn9QJKw1wvP6bQ7yMP+DE827i:psHAcQPsnuJKZ6b7MP+Dd2e

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	DigitalSignCheck.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	DigitalSignCheck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	DigitalSignCheck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	DigitalSignCheck.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1328	DigitalSignCheck.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1328	DigitalSignCheck.exe
1328	DigitalSignCheck.exe

C:\Users\Admin\AppData\Local\Temp\DigitalSignCheck.exe
"C:\Users\Admin\AppData\Local\Temp\DigitalSignCheck.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1328-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1328-1-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/1328-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1328-9-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1328-7-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1328-6-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1328-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1328-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1328-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1328-2-0x0000000000270000-0x0000000000273000-memory.dmp

Filesize
12KB

Download
memory/1328-10-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1328-11-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads