Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/12/2023, 11:40
Behavioral tasks
- behavioral1: 34bd979a5736b1db8e1e6a2997799849.exe on win7-20231215-en, 7 signatures, 150 seconds
- behavioral2: 34bd979a5736b1db8e1e6a2997799849.exe on win10v2004-20231222-en, 7 signatures, 150 seconds

The signatures and process tree below are from behavioral2, the Windows 10 run named in the Analysis header; every memory dump listed is tagged behavioral2/.
General
- Target: 34bd979a5736b1db8e1e6a2997799849.exe
- Size: 12.4MB
- MD5: 34bd979a5736b1db8e1e6a2997799849
- SHA1: cfe494b29d900380a38e5b9b9f3a682b13189f3e
- SHA256: 642089fce33eb91116a4fef4930b12cf30783b94e2148d003147a59c0e767eb4
- SHA512: 4425ff98a3e7cd726a15dd3b35c50e0aaca582a3bad60bf70437b2d41255b2c856c558c658a1781fe64dc01e067731b28ca65f0fb39ba41dc7a089ed9809e26e
- SSDEEP: 196608:h/R216Ubma/yXLeRQNIi3c1BvqMpk/wNcn921c2UZGaU0OfqAXJw0IR1v+L+p0df:FElhRQOi6wypC921cSa9Dmw0Wt+BN
- Score: 7/10
Malware Config
Signatures
- YARA rule match: vmprotect 3 IoCs
  resource | yara_rule
  behavioral2/memory/2836-10-0x0000000000400000-0x0000000001B60000-memory.dmp | vmprotect
  behavioral2/memory/2836-4-0x0000000000400000-0x0000000001B60000-memory.dmp | vmprotect
  behavioral2/memory/2836-15-0x0000000000400000-0x0000000001B60000-memory.dmp | vmprotect
  All three dumps cover the main image of PID 2836 mapped at 0x00400000-0x01B60000 (about 23 MB), so the sample itself is VMProtect-protected. Expect the on-disk binary to consist largely of virtualised code, and read the anti-debugging signature below in that light: it is consistent with VMProtect's built-in checks rather than necessarily with hand-written anti-analysis code.
- Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | 34bd979a5736b1db8e1e6a2997799849.exe
  The IoC is a write-capable handle on the raw disk device, which is what this rule keys on; it does not by itself show that sector 0 was overwritten. Read together with the baseboard-serial query below, raw-disk access from this sample is as consistent with reading disk identifiers for hardware fingerprinting as with installing a bootkit. Confirm by dumping the first sector of the analysis disk before and after detonation and diffing the two.
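The before/after check suggested above, as an added example that is not part of the sandbox report: parse a 512-byte MBR into its bootstrap code, NT disk signature, partition table and 0x55AA boot signature, then report exactly what changed between two dumps. The two sectors are constructed inline (a stock-looking stub with one NTFS partition, and the same sector with its first 64 bytes of bootstrap code replaced) so the script runs offline; in real use the inputs are sector-0 dumps taken from the analysis VM's disk before and after detonation.

```python
"""Did the raw-disk write actually change the MBR?

Added example, not part of the sandbox report. The report's IoC is a
write-capable open of \\??\\PhysicalDrive0; to turn that into evidence,
dump sector 0 of the analysis VM's disk before and after detonation and
diff the two. BEFORE/AFTER below are constructed so the script runs offline.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55        # bytes 55 AA at offset 510, read little-endian
DISK_SIGNATURE_OFFSET = 440    # 4-byte NT disk signature follows the bootstrap code
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries
PARTITION_ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap hash, disk signature, partitions and boot-signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY, sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:DISK_SIGNATURE_OFFSET]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)[0],
        "partitions": partitions,
        "valid_signature": struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE,
    }


def diff_mbr(before: bytes, after: bytes) -> list:
    """Describe what changed between two MBR dumps; an empty list means no change."""
    b, a = parse_mbr(before), parse_mbr(after)
    findings = []
    if b["bootstrap_sha256"] != a["bootstrap_sha256"]:
        changed = [i for i in range(DISK_SIGNATURE_OFFSET) if before[i] != after[i]]
        findings.append(f"bootstrap code changed ({len(changed)} bytes, first at offset {changed[0]})")
    if b["disk_signature"] != a["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != a["partitions"]:
        findings.append("partition table changed")
    if not a["valid_signature"]:
        findings.append("boot signature 0x55AA missing from the new MBR")
    return findings


def build_sector(bootstrap: bytes, disk_sig: int, partitions: list) -> bytes:
    """Assemble a constructed MBR for the demonstration (not data from the analysed sample)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", sector, DISK_SIGNATURE_OFFSET, disk_sig)
    for i, entry in enumerate(partitions):
        struct.pack_into(PARTITION_ENTRY, sector, PARTITION_TABLE_OFFSET + 16 * i, *entry)
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


# Constructed baseline: a short stub plus NOP padding, one bootable NTFS (0x07) partition at LBA 2048.
BEFORE = build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100,
                      0x1234ABCD, [(0x80, 0x07, 2048, 204800)])
# Constructed post-detonation sector: partition table untouched, first 64 bytes of
# bootstrap code replaced, the footprint an MBR-resident loader leaves behind.
AFTER = build_sector(b"\xeb\xfe" + b"\xcc" * 62 + b"\x90" * 43,
                     0x1234ABCD, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    if len(sys.argv) == 3:  # real use: python mbr_diff.py before.bin after.bin
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            before, after = f1.read(SECTOR_SIZE), f2.read(SECTOR_SIZE)
    else:
        before, after = BEFORE, AFTER
    for line in diff_mbr(before, after) or ["MBR unchanged"]:
        print(line)
```

A changed bootstrap hash with an intact partition table is the bootkit pattern; a sample that only reads disk identifiers for fingerprinting leaves both unchanged, which is why the diff distinguishes the two readings of the PhysicalDrive0 IoC.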
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  pid | Process
  2836 | 34bd979a5736b1db8e1e6a2997799849.exe
  Setting ThreadHideFromDebugger stops the kernel from delivering that thread's debug events to an attached debugger; an unhandled breakpoint exception in a hidden thread crashes the process instead of breaking into the debugger. This is a standard anti-debug measure and is expected from a VMProtect-packed binary.
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid | Process
  2836 | 34bd979a5736b1db8e1e6a2997799849.exe (4 occurrences)
- Suspicious use of AdjustPrivilegeToken 42 IoCs
  All 42 IoCs belong to PID 4996, wmic.exe, which enabled the following privileges in its token (the set of 21 is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and four the sandbox reports only by LUID, 33, 34, 35 and 36 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege).
  Caveat: enabling every privilege present in its token is what wmic.exe does on its own at startup, so this signature reflects the Windows WMI client, not code in the sample. The sample's contribution is limited to launching wmic.exe with the query shown in the process tree.
- Suspicious use of SetWindowsHookEx 2 IoCs
  pid | Process
  2836 | 34bd979a5736b1db8e1e6a2997799849.exe (2 occurrences)
- Suspicious use of WriteProcessMemory 3 IoCs
  description | pid | Process | procid_target
  PID 2836 wrote to memory of 4996 | 2836 | 34bd979a5736b1db8e1e6a2997799849.exe | 52 (3 occurrences)
  Caveat: the only target is the child wmic.exe (PID 4996), written to by its parent around process creation. A few parent-to-child writes are part of CreateProcess itself, so on its own this is weak evidence of injection; what would matter is the sample writing into a process it did not create.
Processes
1. C:\Users\Admin\AppData\Local\Temp\34bd979a5736b1db8e1e6a2997799849.exe (PID 2836)
   command line: "C:\Users\Admin\AppData\Local\Temp\34bd979a5736b1db8e1e6a2997799849.exe"
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\Wbem\wmic.exe (PID 4996, child of 2836)
      command line: wmic BaseBoard get SerialNumber
      - Suspicious use of AdjustPrivilegeToken

The child lives under SysWOW64, so the sample is a 32-bit process running under WoW64 (file-system redirection resolved System32\Wbem\wmic.exe to the 32-bit copy), consistent with the 0x00400000 image base of the dumped region. Querying the motherboard serial is a common hardware-fingerprinting step: licensing and anti-analysis code use it to tie execution to one machine or to recognise the generic serials that virtual machines report.
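The two behaviours that survive the caveats above, a wmic.exe hardware-serial query launched from a user-writable path and a write-capable open of the raw disk device, are what a detection should key on. The following is an added example, not part of the sandbox report: a small hunt over constructed endpoint telemetry that attributes both behaviours to the launching process and scores them. Field names loosely follow Sysmon's process-creation event; the records, including the benign inventory query used as noise, are invented for the demonstration, with the sample's path and PIDs taken from the process tree above.

```python
"""Hunt for the report's two behaviours in endpoint telemetry.

Added example, not part of the sandbox report. Looks for a wmic.exe
hardware-serial query launched by a binary in a user-writable path and
for a write-capable open of a raw disk device, charging both to the
launching process. The records are constructed for the demonstration;
field names loosely follow Sysmon's process-creation event.
"""
import re
from collections import defaultdict

# WMI classes and fields that hardware-fingerprinting code typically reads.
HW_FINGERPRINT = re.compile(
    r"\bwmic(?:\.exe)?\b.*\b(?:baseboard|csproduct|bios|diskdrive|cpu)\b"
    r".*\b(?:serialnumber|uuid|processorid)\b",
    re.IGNORECASE)
# Paths a standard user can write to; legitimate inventory tooling does not run from here.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE)
# \??\PhysicalDriveN or \\.\PhysicalDriveN: the whole disk, sector 0 included.
RAW_DISK = re.compile(r"\\PhysicalDrive\d+$", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\34bd979a5736b1db8e1e6a2997799849.exe"

EVENTS = [  # constructed telemetry shaped like the report's process tree, plus benign noise
    {"type": "process_create", "pid": 2836, "ppid": 1720, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"', "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 4996, "ppid": 2836,
     "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmdline": "wmic BaseBoard get SerialNumber", "parent_image": SAMPLE},
    {"type": "file_open", "pid": 2836, "path": r"\??\PhysicalDrive0", "access": "write"},
    # An admin's inventory script running a similar query from System32 (should score low).
    {"type": "process_create", "pid": 6100, "ppid": 900,
     "image": r"C:\Windows\System32\Wbem\wmic.exe", "cmdline": "wmic csproduct get uuid",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def hunt(events: list) -> dict:
    """Map PID -> [(finding, severity)] for processes showing the report's behaviours."""
    findings = defaultdict(list)
    images = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "process_create"}
    # Pass 1: wmic hardware queries, charged to the parent that launched wmic.
    for ev in events:
        if ev["type"] == "process_create" and HW_FINGERPRINT.search(ev["cmdline"]):
            severity = "high" if USER_WRITABLE.search(ev["parent_image"]) else "low"
            findings[ev["ppid"]].append(("hw_fingerprint_wmic", severity))
    # Pass 2: write-capable raw disk opens. Partition tools do this too, so severity
    # rises only when the writer sits in a user path or is already flagged.
    for ev in events:
        if ev["type"] == "file_open" and ev["access"] == "write" and RAW_DISK.search(ev["path"]):
            suspicious_image = USER_WRITABLE.search(images.get(ev["pid"], ""))
            severity = "high" if suspicious_image or ev["pid"] in findings else "medium"
            findings[ev["pid"]].append(("raw_disk_write", severity))
    return dict(findings)


if __name__ == "__main__":
    for pid, hits in sorted(hunt(EVENTS).items()):
        print(pid, hits)
```

Attributing the wmic query to the parent rather than to wmic.exe itself is the point: wmic.exe will always trip privilege-adjustment rules, while the parent's path and its other actions (here, the raw disk write) are what separate the sample from an administrator's inventory script.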