Analysis
max time kernel: 112s
max time network: 144s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 11:40
Behavioral task: behavioral1
Sample: 34bd979a5736b1db8e1e6a2997799849.exe
Resource: win7-20231215-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 34bd979a5736b1db8e1e6a2997799849.exe
Resource: win10v2004-20231222-en
7 signatures, 150 seconds
General
Target: 34bd979a5736b1db8e1e6a2997799849.exe
Size: 12.4MB
MD5: 34bd979a5736b1db8e1e6a2997799849
SHA1: cfe494b29d900380a38e5b9b9f3a682b13189f3e
SHA256: 642089fce33eb91116a4fef4930b12cf30783b94e2148d003147a59c0e767eb4
SHA512: 4425ff98a3e7cd726a15dd3b35c50e0aaca582a3bad60bf70437b2d41255b2c856c558c658a1781fe64dc01e067731b28ca65f0fb39ba41dc7a089ed9809e26e
SSDEEP: 196608:h/R216Ubma/yXLeRQNIi3c1BvqMpk/wNcn921c2UZGaU0OfqAXJw0IR1v+L+p0df:FElhRQOi6wypC921cSa9Dmw0Wt+BN
Score: 7/10
Malware Config
Signatures
resource                                                                     yara_rule
behavioral1/memory/2592-2-0x0000000000400000-0x0000000001B60000-memory.dmp   vmprotect
behavioral1/memory/2592-7-0x0000000000400000-0x0000000001B60000-memory.dmp   vmprotect
behavioral1/memory/2592-48-0x0000000000400000-0x0000000001B60000-memory.dmp  vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                    ioc                  Process
File opened for modification   \??\PhysicalDrive0   34bd979a5736b1db8e1e6a2997799849.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid    Process
2592   34bd979a5736b1db8e1e6a2997799849.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid    Process
2592   34bd979a5736b1db8e1e6a2997799849.exe
2592   34bd979a5736b1db8e1e6a2997799849.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs
description                             pid   Process
Token: SeIncreaseQuotaPrivilege         768   wmic.exe
Token: SeSecurityPrivilege              768   wmic.exe
Token: SeTakeOwnershipPrivilege         768   wmic.exe
Token: SeLoadDriverPrivilege            768   wmic.exe
Token: SeSystemProfilePrivilege         768   wmic.exe
Token: SeSystemtimePrivilege            768   wmic.exe
Token: SeProfSingleProcessPrivilege     768   wmic.exe
Token: SeIncBasePriorityPrivilege       768   wmic.exe
Token: SeCreatePagefilePrivilege        768   wmic.exe
Token: SeBackupPrivilege                768   wmic.exe
Token: SeRestorePrivilege               768   wmic.exe
Token: SeShutdownPrivilege              768   wmic.exe
Token: SeDebugPrivilege                 768   wmic.exe
Token: SeSystemEnvironmentPrivilege     768   wmic.exe
Token: SeRemoteShutdownPrivilege        768   wmic.exe
Token: SeUndockPrivilege                768   wmic.exe
Token: SeManageVolumePrivilege          768   wmic.exe
Token: 33                               768   wmic.exe
Token: 34                               768   wmic.exe
Token: 35                               768   wmic.exe
Token: SeIncreaseQuotaPrivilege         768   wmic.exe
Token: SeSecurityPrivilege              768   wmic.exe
Token: SeTakeOwnershipPrivilege         768   wmic.exe
Token: SeLoadDriverPrivilege            768   wmic.exe
Token: SeSystemProfilePrivilege         768   wmic.exe
Token: SeSystemtimePrivilege            768   wmic.exe
Token: SeProfSingleProcessPrivilege     768   wmic.exe
Token: SeIncBasePriorityPrivilege       768   wmic.exe
Token: SeCreatePagefilePrivilege        768   wmic.exe
Token: SeBackupPrivilege                768   wmic.exe
Token: SeRestorePrivilege               768   wmic.exe
Token: SeShutdownPrivilege              768   wmic.exe
Token: SeDebugPrivilege                 768   wmic.exe
Token: SeSystemEnvironmentPrivilege     768   wmic.exe
Token: SeRemoteShutdownPrivilege        768   wmic.exe
Token: SeUndockPrivilege                768   wmic.exe
Token: SeManageVolumePrivilege          768   wmic.exe
Token: 33                               768   wmic.exe
Token: 34                               768   wmic.exe
Token: 35                               768   wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid    Process
2592   34bd979a5736b1db8e1e6a2997799849.exe
2592   34bd979a5736b1db8e1e6a2997799849.exe

Suspicious use of WriteProcessMemory 4 IoCs
description                        pid    Process                                procid_target
PID 2592 wrote to memory of 768    2592   34bd979a5736b1db8e1e6a2997799849.exe   29
PID 2592 wrote to memory of 768    2592   34bd979a5736b1db8e1e6a2997799849.exe   29
PID 2592 wrote to memory of 768    2592   34bd979a5736b1db8e1e6a2997799849.exe   29
PID 2592 wrote to memory of 768    2592   34bd979a5736b1db8e1e6a2997799849.exe   29
Processes
C:\Users\Admin\AppData\Local\Temp\34bd979a5736b1db8e1e6a2997799849.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34bd979a5736b1db8e1e6a2997799849.exe"
  PID: 2592
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic BaseBoard get SerialNumber
    PID: 768
    - Suspicious use of AdjustPrivilegeToken