Analysis
max time kernel: 121s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 11:35
Behavioral task: behavioral1
Sample: 348bd8e727dcb132356b290af0cd8568.exe
Resource: win7-20231215-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 348bd8e727dcb132356b290af0cd8568.exe
Resource: win10v2004-20231215-en
7 signatures, 150 seconds
General
Target: 348bd8e727dcb132356b290af0cd8568.exe
Size: 12.3MB
MD5: 348bd8e727dcb132356b290af0cd8568
SHA1: 71c22794e84e84bc56b54ab54fab3e084d5e34c2
SHA256: 6b2b6955d0e31d62a112333dba7f41459bf67ca22342cab665b458ab01fa3b70
SHA512: 3b0c18ee17aa3f07619bc2ff141fdcea05dc627d056ae3d6e52af223d3e2eed9f0c1494bb9e9e51882e64a74b5dba598c52fef70c9d88298714b8873e800d6b7
SSDEEP: 196608:F3hS+VyWUQ10FidX65wy3zfBl3yDA7h1cGmCmtvyspKd+ZHrAY6fj3KfhhCkv2WC:rV58Cy3rBRrbkzE+Fr4zKJhCkv2Wapl
Score: 7/10
Malware Config

Signatures

resource                                                                       yara_rule
behavioral1/memory/2432-3-0x0000000000400000-0x0000000001B43000-memory.dmp     vmprotect
behavioral1/memory/2432-11-0x0000000000400000-0x0000000001B43000-memory.dmp    vmprotect
behavioral1/memory/2432-48-0x0000000000400000-0x0000000001B43000-memory.dmp    vmprotect
Writes to the Master Boot Record (MBR) - 1 TTPs, 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.

description                    ioc                  Process
File opened for modification   \??\PhysicalDrive0   348bd8e727dcb132356b290af0cd8568.exe
Suspicious use of NtSetInformationThreadHideFromDebugger - 1 IoCs

pid    Process
2432   348bd8e727dcb132356b290af0cd8568.exe
Suspicious behavior: EnumeratesProcesses - 2 IoCs

pid    Process
2432   348bd8e727dcb132356b290af0cd8568.exe
2432   348bd8e727dcb132356b290af0cd8568.exe
Suspicious use of AdjustPrivilegeToken - 40 IoCs

description                          pid    Process
Token: SeIncreaseQuotaPrivilege      2224   wmic.exe
Token: SeSecurityPrivilege           2224   wmic.exe
Token: SeTakeOwnershipPrivilege      2224   wmic.exe
Token: SeLoadDriverPrivilege         2224   wmic.exe
Token: SeSystemProfilePrivilege      2224   wmic.exe
Token: SeSystemtimePrivilege         2224   wmic.exe
Token: SeProfSingleProcessPrivilege  2224   wmic.exe
Token: SeIncBasePriorityPrivilege    2224   wmic.exe
Token: SeCreatePagefilePrivilege     2224   wmic.exe
Token: SeBackupPrivilege             2224   wmic.exe
Token: SeRestorePrivilege            2224   wmic.exe
Token: SeShutdownPrivilege           2224   wmic.exe
Token: SeDebugPrivilege              2224   wmic.exe
Token: SeSystemEnvironmentPrivilege  2224   wmic.exe
Token: SeRemoteShutdownPrivilege     2224   wmic.exe
Token: SeUndockPrivilege             2224   wmic.exe
Token: SeManageVolumePrivilege       2224   wmic.exe
Token: 33                            2224   wmic.exe
Token: 34                            2224   wmic.exe
Token: 35                            2224   wmic.exe
Token: SeIncreaseQuotaPrivilege      2224   wmic.exe
Token: SeSecurityPrivilege           2224   wmic.exe
Token: SeTakeOwnershipPrivilege      2224   wmic.exe
Token: SeLoadDriverPrivilege         2224   wmic.exe
Token: SeSystemProfilePrivilege      2224   wmic.exe
Token: SeSystemtimePrivilege         2224   wmic.exe
Token: SeProfSingleProcessPrivilege  2224   wmic.exe
Token: SeIncBasePriorityPrivilege    2224   wmic.exe
Token: SeCreatePagefilePrivilege     2224   wmic.exe
Token: SeBackupPrivilege             2224   wmic.exe
Token: SeRestorePrivilege            2224   wmic.exe
Token: SeShutdownPrivilege           2224   wmic.exe
Token: SeDebugPrivilege              2224   wmic.exe
Token: SeSystemEnvironmentPrivilege  2224   wmic.exe
Token: SeRemoteShutdownPrivilege     2224   wmic.exe
Token: SeUndockPrivilege             2224   wmic.exe
Token: SeManageVolumePrivilege       2224   wmic.exe
Token: 33                            2224   wmic.exe
Token: 34                            2224   wmic.exe
Token: 35                            2224   wmic.exe
Suspicious use of SetWindowsHookEx - 2 IoCs

pid    Process
2432   348bd8e727dcb132356b290af0cd8568.exe
2432   348bd8e727dcb132356b290af0cd8568.exe
Suspicious use of WriteProcessMemory - 4 IoCs

description                       pid    Process                                procid_target
PID 2432 wrote to memory of 2224  2432   348bd8e727dcb132356b290af0cd8568.exe   28
PID 2432 wrote to memory of 2224  2432   348bd8e727dcb132356b290af0cd8568.exe   28
PID 2432 wrote to memory of 2224  2432   348bd8e727dcb132356b290af0cd8568.exe   28
PID 2432 wrote to memory of 2224  2432   348bd8e727dcb132356b290af0cd8568.exe   28
Processes

1. C:\Users\Admin\AppData\Local\Temp\348bd8e727dcb132356b290af0cd8568.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\348bd8e727dcb132356b290af0cd8568.exe"
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2432

   2. C:\Windows\SysWOW64\Wbem\wmic.exe (child of PID 2432)
      Command line: wmic BaseBoard get SerialNumber
      - Suspicious use of AdjustPrivilegeToken
      PID: 2224