Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 11:35
Behavioral task behavioral1
Sample: 348bd8e727dcb132356b290af0cd8568.exe
Resource: win7-20231215-en
7 signatures, 150 seconds

Behavioral task behavioral2
Sample: 348bd8e727dcb132356b290af0cd8568.exe
Resource: win10v2004-20231215-en
7 signatures, 150 seconds

The signatures, YARA hits and process tree below are from behavioral2 (the win10v2004 run, PIDs 224 and 320); the behavioral1 (win7) results are not shown on this page.
General
Target: 348bd8e727dcb132356b290af0cd8568.exe
Size: 12.3MB
MD5: 348bd8e727dcb132356b290af0cd8568
SHA1: 71c22794e84e84bc56b54ab54fab3e084d5e34c2
SHA256: 6b2b6955d0e31d62a112333dba7f41459bf67ca22342cab665b458ab01fa3b70
SHA512: 3b0c18ee17aa3f07619bc2ff141fdcea05dc627d056ae3d6e52af223d3e2eed9f0c1494bb9e9e51882e64a74b5dba598c52fef70c9d88298714b8873e800d6b7
SSDEEP: 196608:F3hS+VyWUQ10FidX65wy3zfBl3yDA7h1cGmCmtvyspKd+ZHrAY6fj3KfhhCkv2WC:rV58Cy3rBRrbkzE+Fr4zKJhCkv2Wapl
Score: 7/10

Malware Config: none reported
Signatures

VMProtect: YARA rule vmprotect matched in process memory (3 IoCs)
resource | yara_rule
behavioral2/memory/224-3-0x0000000000400000-0x0000000001B43000-memory.dmp | vmprotect
behavioral2/memory/224-7-0x0000000000400000-0x0000000001B43000-memory.dmp | vmprotect
behavioral2/memory/224-16-0x0000000000400000-0x0000000001B43000-memory.dmp | vmprotect
All three dumps are the same region of PID 224 (0x00400000-0x01B43000, about 23 MiB, the sample's own image mapping) captured at three points during the run. The 0x00400000 image base, together with the child process resolving to SysWOW64 in the process tree below, indicates a 32-bit executable running under WOW64. A VMProtect hit means the 12.3 MB file on disk is virtualised/packed, so static analysis of the file itself is of limited use; the memory dumps are the more useful starting point.
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | 348bd8e727dcb132356b290af0cd8568.exe
Caveat: the IoC is a handle to the raw disk opened with write access, not an observed sector write; the report does not show what, if anything, was written. Opening \??\PhysicalDrive0 for write requires administrative rights, which the sample has in this run (it executes from C:\Users\Admin\...). Confirm an actual MBR change by comparing sector 0 before and after detonation rather than relying on the signature alone.
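One way to check whether a handle to \??\PhysicalDrive0 "opened for modification" actually changed the MBR, as an added example in Python that is not part of the Triage report or of the sample: parse the 512-byte sector 0 (440 bytes of bootstrap code, disk signature, four 16-byte partition entries, 0x55AA signature) and diff a baseline capture against a post-detonation capture region by region. The helper `read_sector0()` reads `\\.\PhysicalDrive0` on a Windows analysis VM (Administrator required); the sample sector and the bootkit-style overwrite are constructed here so the rest runs offline.

```python
"""Parse a 512-byte MBR and diff it against a baseline capture.

Added example, not part of the sandbox report or the sample.  The sample
sector built by build_sample_mbr() is constructed; read_sector0() is the
only part that touches a real disk and is meant for a Windows analysis VM.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: bootstrap code (what a bootkit replaces)
DISK_SIG_OFF = 440             # 4-byte NT disk signature + 2 reserved bytes
PART_TABLE_OFF = 446           # 4 partition entries * 16 bytes = bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_partition(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into its regions; empty partition entries (type 0) are dropped."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    code = sector[:BOOT_CODE_LEN]
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    entries = [sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)] for i in range(4)]
    parts = [parse_partition(e) for e in entries]
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(code).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": [p for p in parts if p["type"] != 0],
    }


def diff_mbr(baseline: bytes, current: bytes) -> dict:
    """Report which regions of sector 0 changed between two captures."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    return {
        "boot_code_changed": b["boot_code_sha256"] != c["boot_code_sha256"],
        "disk_signature_changed": b["disk_signature"] != c["disk_signature"],
        "partition_table_changed": baseline[PART_TABLE_OFF:510] != current[PART_TABLE_OFF:510],
        "signature_still_valid": c["valid_signature"],
    }


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of the raw disk (Windows only, needs Administrator)."""
    with open(device, "rb", buffering=0) as f:
        return f.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed MBR: a few real boot-code opcodes, then NOPs, one bootable NTFS partition."""
    code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOT_CODE_LEN - 5)  # cli; xor ax,ax; mov ss,ax; nop...
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"                          # constructed disk signature
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = part0 + b"\x00" * 48                                                     # three empty entries
    sector = code + disk_sig + table + BOOT_SIGNATURE
    assert len(sector) == MBR_SIZE
    return sector


def bootkit_style_overwrite(sector: bytes) -> bytes:
    """Simulate a bootkit: replace the bootstrap code, keep the table and 0x55AA intact."""
    return b"\xEB\xFE" + b"\xCC" * (BOOT_CODE_LEN - 2) + sector[BOOT_CODE_LEN:]   # jmp $ ; int3 padding


if __name__ == "__main__":
    before = build_sample_mbr()
    after = bootkit_style_overwrite(before)
    print(parse_mbr(before))
    print(diff_mbr(before, after))
```

On a real run, capture `read_sector0()` to a file before detonation and diff it against a second capture afterwards; a bootkit typically changes only the boot-code region and leaves the partition table and 0x55AA in place, which is exactly the case `diff_mbr()` separates out.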
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | process
224 | 348bd8e727dcb132356b290af0cd8568.exe
NtSetInformationThread with ThreadInformationClass ThreadHideFromDebugger (0x11) stops the kernel from delivering that thread's debug events (exceptions, breakpoints, single-steps) to an attached debugger. It is a standard anti-debugging call commonly emitted by commercial protectors such as VMProtect, consistent with the vmprotect YARA hits above. To debug the sample, hook or patch the call so the 0x11 class never reaches the kernel, or use a kernel debugger.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | process
224 | 348bd8e727dcb132356b290af0cd8568.exe (4 enumerations)
Suspicious use of AdjustPrivilegeToken (42 IoCs)
All 42 IoCs are from wmic.exe (PID 320), the child process, not from the sample itself; enabling every privilege present in its token at startup is routine for wmic.exe. The same 21 privileges were enabled twice each:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, plus the four the report lists only by LUID: 33 (SeIncreaseWorkingSetPrivilege), 34 (SeTimeZonePrivilege), 35 (SeCreateSymbolicLinkPrivilege), 36 (SeDelegateSessionUserImpersonatePrivilege).
Because the token belongs to wmic.exe running as the Admin user, SeDebugPrivilege being enabled here is a property of wmic, not evidence that the sample escalated or requested debug rights.
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
224 | 348bd8e727dcb132356b290af0cd8568.exe (2 calls)
The report does not show the hook type (idHook) or whether the hook was global or thread-local, so this alone does not distinguish keystroke capture from a DLL-injection vector or from ordinary GUI-framework use.
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | procid_target
PID 224 wrote to memory of 320 | 224 | 348bd8e727dcb132356b290af0cd8568.exe | 93
(the same entry three times: three writes from the sample into its wmic.exe child, PID 320; procid_target is an internal process index in the report, not a PID)
Write sizes and target addresses are not given, so this does not by itself establish injection into wmic.exe; the child still ran its visible command line (wmic BaseBoard get SerialNumber). Check whether the writes happened before the child's first instruction executed (launch-time setup) or later in its lifetime.
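The signatures above are each a match rule over API-call events. As an added example (Python, not Triage's signature engine and not code from the sample), here is a minimal matcher that reproduces the rules behind the MBR, HideFromDebugger, EnumeratesProcesses, WriteProcessMemory and AdjustPrivilegeToken signatures and the wmic baseboard query, and groups hits by PID so that each finding is attributed to the process that caused it. The event trace is constructed, shaped after this report's PIDs 224 and 320; the field names (`api`, `args`, `class`, `access`, `target_pid`) are assumptions for the example.

```python
"""Minimal signature matcher over an API-call trace, modelled on the report's signatures.

Added example, not Triage's engine and not the sample's code.  TRACE is constructed.
"""
import re
from collections import defaultdict

THREAD_HIDE_FROM_DEBUGGER = 0x11   # ThreadInformationClass value for ThreadHideFromDebugger
SYSTEM_PROCESS_INFORMATION = 5     # SystemInformationClass value used to list processes
GENERIC_WRITE = 0x40000000
FILE_WRITE_DATA = 0x0002
RAW_DISK_RE = re.compile(r"^\\\?\?\\PhysicalDrive\d+$", re.IGNORECASE)          # \??\PhysicalDriveN
HWID_QUERY_RE = re.compile(r"\bwmic\b.*\bbaseboard\b.*\bserialnumber\b", re.IGNORECASE)


def match(event: dict):
    """Return (signature name, evidence) for one event, or None if no rule fires."""
    api, a = event["api"], event["args"]
    if api in ("NtCreateFile", "NtOpenFile") and RAW_DISK_RE.match(a.get("path", "")):
        # The report's rule keys on write access to the raw disk, not on an actual sector write.
        if a.get("access", 0) & (GENERIC_WRITE | FILE_WRITE_DATA):
            return ("Writes to the Master Boot Record (MBR)", a["path"])
        return ("Reads raw disk", a["path"])
    if api == "NtSetInformationThread" and a.get("class") == THREAD_HIDE_FROM_DEBUGGER:
        return ("NtSetInformationThread HideFromDebugger", f"thread {a.get('thread')}")
    if api == "NtQuerySystemInformation" and a.get("class") == SYSTEM_PROCESS_INFORMATION:
        return ("EnumeratesProcesses", "SystemProcessInformation")
    if api == "NtWriteVirtualMemory" and a.get("target_pid") != event["pid"]:
        return ("WriteProcessMemory", f"PID {event['pid']} wrote to memory of {a['target_pid']}")
    if api == "AdjustTokenPrivileges":
        return ("AdjustPrivilegeToken", a["privilege"])
    if api == "CreateProcess" and HWID_QUERY_RE.search(a.get("cmdline", "")):
        return ("Queries baseboard serial via wmic", a["cmdline"])
    return None


def scan(trace: list) -> dict:
    """Run every event through match() and group hits by (pid, image)."""
    hits = defaultdict(list)
    for ev in trace:
        m = match(ev)
        if m:
            hits[(ev["pid"], ev["image"])].append(m)
    return dict(hits)


def attribution(trace: list) -> dict:
    """Signature names per PID, so wmic's own privilege noise is not charged to the sample."""
    return {pid: sorted({name for name, _ in hits}) for (pid, _img), hits in scan(trace).items()}


SAMPLE = "348bd8e727dcb132356b290af0cd8568.exe"
TRACE = [  # constructed events, shaped after the report (PIDs 224 and 320)
    {"pid": 224, "image": SAMPLE, "api": "NtSetInformationThread", "args": {"thread": 0x1A4, "class": 0x11}},
    {"pid": 224, "image": SAMPLE, "api": "NtQuerySystemInformation", "args": {"class": 5}},
    {"pid": 224, "image": SAMPLE, "api": "NtCreateFile", "args": {"path": r"\??\PhysicalDrive0", "access": 0xC0000000}},
    {"pid": 224, "image": SAMPLE, "api": "CreateProcess", "args": {"cmdline": "wmic BaseBoard get SerialNumber", "child_pid": 320}},
    {"pid": 224, "image": SAMPLE, "api": "NtWriteVirtualMemory", "args": {"target_pid": 320, "size": 0x2000}},
    {"pid": 320, "image": "wmic.exe", "api": "AdjustTokenPrivileges", "args": {"privilege": "SeDebugPrivilege"}},
    {"pid": 320, "image": "wmic.exe", "api": "NtCreateFile", "args": {"path": r"\??\C:\Windows\System32\wbem\wmic.exe.mui", "access": 0x80000000}},
]

if __name__ == "__main__":
    for pid, names in attribution(TRACE).items():
        print(pid, names)
```

The read-only branch matters in practice: a handle to PhysicalDrive0 opened with only GENERIC_READ (0x80000000) is how disk-serial and hardware-ID code behaves and would not trip the MBR rule, whereas the 0xC0000000 (read+write) access in the constructed event does.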
Processes

1. C:\Users\Admin\AppData\Local\Temp\348bd8e727dcb132356b290af0cd8568.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\348bd8e727dcb132356b290af0cd8568.exe"
   PID: 224
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\Wbem\wmic.exe (child of PID 224)
      Command line: wmic BaseBoard get SerialNumber
      PID: 320
      - Suspicious use of AdjustPrivilegeToken

Notes on the tree: the child resolved to SysWOW64\Wbem\wmic.exe rather than System32, which is file-system redirection applied to a 32-bit parent and confirms PID 224 is a 32-bit process. The query returns Win32_BaseBoard.SerialNumber, the motherboard serial, a value commonly used for machine fingerprinting and sandbox/VM detection because it differs between physical hardware and hypervisors. What the sample does with the returned value (licensing check, exit on a virtual-looking serial, or inclusion in a beacon) is not visible in this report and is the key question for a follow-up run.