Analysis
max time kernel: 147s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 11:55
Behavioral task: behavioral1
  Sample: 353731ae9dda7ff1b817ebd3dcf19be0.exe
  Resource: win7-20231129-en
  7 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: 353731ae9dda7ff1b817ebd3dcf19be0.exe
  Resource: win10v2004-20231215-en
  7 signatures, 150 seconds
General
Target: 353731ae9dda7ff1b817ebd3dcf19be0.exe
Size: 12.3MB
MD5: 353731ae9dda7ff1b817ebd3dcf19be0
SHA1: 858553c037dabb406ffa63057e893ac3605d5cc7
SHA256: 4534a3f8a8e037b838f888ef435840eb425d861984fc7e3ca0c4397a25181a3e
SHA512: abe4dedaa11ed997c225b0f825253ac289245028b9952cc05602529b40554d308c3f750b10c3971e24f1b49b3b411cc95cef7d4ff57eeb93dffcb016e1226e92
SSDEEP: 196608:z1yN/m3XsFuQFDjT3jmu44gb39b5w0IbA17WDr2ZIF5q9bmJCoRtIx5E:hm/gXsFuQtaHb39brIbA17Ncq9bmJlIY
Score: 7/10
Malware Config
Signatures
-
resource | yara_rule
behavioral2/memory/3488-2-0x0000000000400000-0x0000000001B56000-memory.dmp | vmprotect
behavioral2/memory/3488-8-0x0000000000400000-0x0000000001B56000-memory.dmp | vmprotect
behavioral2/memory/3488-15-0x0000000000400000-0x0000000001B56000-memory.dmp | vmprotect
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 353731ae9dda7ff1b817ebd3dcf19be0.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
3488 | 353731ae9dda7ff1b817ebd3dcf19be0.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
3488 | 353731ae9dda7ff1b817ebd3dcf19be0.exe
3488 | 353731ae9dda7ff1b817ebd3dcf19be0.exe
3488 | 353731ae9dda7ff1b817ebd3dcf19be0.exe
3488 | 353731ae9dda7ff1b817ebd3dcf19be0.exe
Suspicious use of AdjustPrivilegeToken 42 IoCs
description | pid | Process
(each of the 21 tokens below is listed twice in the report, giving the 42 IoCs)
Token: SeIncreaseQuotaPrivilege | 4768 | wmic.exe
Token: SeSecurityPrivilege | 4768 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4768 | wmic.exe
Token: SeLoadDriverPrivilege | 4768 | wmic.exe
Token: SeSystemProfilePrivilege | 4768 | wmic.exe
Token: SeSystemtimePrivilege | 4768 | wmic.exe
Token: SeProfSingleProcessPrivilege | 4768 | wmic.exe
Token: SeIncBasePriorityPrivilege | 4768 | wmic.exe
Token: SeCreatePagefilePrivilege | 4768 | wmic.exe
Token: SeBackupPrivilege | 4768 | wmic.exe
Token: SeRestorePrivilege | 4768 | wmic.exe
Token: SeShutdownPrivilege | 4768 | wmic.exe
Token: SeDebugPrivilege | 4768 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4768 | wmic.exe
Token: SeRemoteShutdownPrivilege | 4768 | wmic.exe
Token: SeUndockPrivilege | 4768 | wmic.exe
Token: SeManageVolumePrivilege | 4768 | wmic.exe
Token: 33 | 4768 | wmic.exe
Token: 34 | 4768 | wmic.exe
Token: 35 | 4768 | wmic.exe
Token: 36 | 4768 | wmic.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3488 | 353731ae9dda7ff1b817ebd3dcf19be0.exe
3488 | 353731ae9dda7ff1b817ebd3dcf19be0.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 3488 wrote to memory of 4768 | 3488 | 353731ae9dda7ff1b817ebd3dcf19be0.exe | 91
PID 3488 wrote to memory of 4768 | 3488 | 353731ae9dda7ff1b817ebd3dcf19be0.exe | 91
PID 3488 wrote to memory of 4768 | 3488 | 353731ae9dda7ff1b817ebd3dcf19be0.exe | 91
Processes
1. C:\Users\Admin\AppData\Local\Temp\353731ae9dda7ff1b817ebd3dcf19be0.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\353731ae9dda7ff1b817ebd3dcf19be0.exe"
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID:3488
   2. C:\Windows\SysWOW64\Wbem\wmic.exe
      command line: wmic BaseBoard get SerialNumber
      - Suspicious use of AdjustPrivilegeToken
      PID:4768