863508a1bf61baaec543b2c797dadd9e8cad5f3ab6a88bfbf16e3d1a5dc31371

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 04:07

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

278281650629a0d4989dd889017bec33.exe
Size

96KB
MD5

278281650629a0d4989dd889017bec33
SHA1

eafa0b49289881294cb01f7cd6f5d516513baf9e
SHA256

863508a1bf61baaec543b2c797dadd9e8cad5f3ab6a88bfbf16e3d1a5dc31371
SHA512

bf91aef41f54e9d8a3bac4897fe4e50aedd44f15a11f2cc12a6a301b6dfdf7538d25911e6f6292e86078ca666caec71a43f2b9f71cbdcc4787e6c520fe9cfafb
SSDEEP

1536:JWZYJMempRzD2q6JA1vMM5Js7B4kW/5Dv/rlK1V1flUmvgw89jVP:mpN9aQMqvz4Rf4w8X

Score

7^/10

bootkit persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2236	CMD.exe

Executes dropped EXE 1 IoCs

pid	Process
3004	vji19C9.tmp

Loads dropped DLL 2 IoCs

pid	Process
1632	278281650629a0d4989dd889017bec33.exe
1632	278281650629a0d4989dd889017bec33.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	278281650629a0d4989dd889017bec33.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3032	PING.EXE
1324	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1632	278281650629a0d4989dd889017bec33.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2236	1632	278281650629a0d4989dd889017bec33.exe	28
PID 1632 wrote to memory of 2236	1632	278281650629a0d4989dd889017bec33.exe	28
PID 1632 wrote to memory of 2236	1632	278281650629a0d4989dd889017bec33.exe	28
PID 1632 wrote to memory of 2236	1632	278281650629a0d4989dd889017bec33.exe	28
PID 1632 wrote to memory of 3004	1632	278281650629a0d4989dd889017bec33.exe	30
PID 1632 wrote to memory of 3004	1632	278281650629a0d4989dd889017bec33.exe	30
PID 1632 wrote to memory of 3004	1632	278281650629a0d4989dd889017bec33.exe	30
PID 1632 wrote to memory of 3004	1632	278281650629a0d4989dd889017bec33.exe	30
PID 2236 wrote to memory of 3032	2236	CMD.exe	31
PID 2236 wrote to memory of 3032	2236	CMD.exe	31
PID 2236 wrote to memory of 3032	2236	CMD.exe	31
PID 2236 wrote to memory of 3032	2236	CMD.exe	31
PID 2236 wrote to memory of 1324	2236	CMD.exe	32
PID 2236 wrote to memory of 1324	2236	CMD.exe	32
PID 2236 wrote to memory of 1324	2236	CMD.exe	32
PID 2236 wrote to memory of 1324	2236	CMD.exe	32

C:\Users\Admin\AppData\Local\Temp\278281650629a0d4989dd889017bec33.exe
"C:\Users\Admin\AppData\Local\Temp\278281650629a0d4989dd889017bec33.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\CMD.exe
  CMD /C ""C:\Users\Admin\AppData\Local\Temp\vji19A8.cmd" "C:\Users\Admin\AppData\Local\Temp\278281650629a0d4989dd889017bec33.exe""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\PING.EXE
    ping 192.192.192.192 -n 1 -w 5000
    3⤵
    - Runs ping.exe
    PID:3032
- - C:\Windows\SysWOW64\PING.EXE
    ping 192.192.192.192 -n 1 -w 5000
    3⤵
    - Runs ping.exe
    PID:1324
- C:\Users\Admin\AppData\Local\Temp\vji19C9.tmp
  "C:\Users\Admin\AppData\Local\Temp\vji19C9.tmp"
  2⤵
  - Executes dropped EXE
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vji19A8.cmd

Filesize
975B

MD5
969d8357542634ab8f5dd1b2054cedf1

SHA1
c84722c196462633452d26b3032c901dd7bdec23

SHA256
2a74e27085ea8acb3907e7774ca145dc4d69f0fd027a3052f25b0a27cac00999

SHA512
cc5cb0ec9efc0d65108f5bcb4c3dfa20151baa13afe4d055f381b95faaa21be069a56ee9b889d7964355d05f9e7a7103bd0aa46f6812944f1a21f31835be9f8b

Download Submit
\Users\Admin\AppData\Local\Temp\vji19C9.tmp

Filesize
4KB

MD5
b0a6c50c6733f6c0cc3ee6d78e354966

SHA1
985f5b06b6448482037410d9a055e8f706e59ab6

SHA256
ee70e04eebb74ba89620b860cb121c502aff5a5fef296599f35516c2e2291290

SHA512
fe60caf9f80d90e60ff6c506897e775348392c538c21cda393c7553e0c4d127c5af17b6d2dabbdea0f245e765eb622af7b11e602fd06756d3ff34bf7cf54600b

Download Submit
memory/1632-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1632-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads