b23cb04afe59fee16c95ef5d24a67cb493d4ea88b62f6996e54493548acad6c2

Analysis

max time kernel
48s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.exe
Size

163KB
MD5

f435c9ea441e60844f6cd74a3d7510c1
SHA1

8cf5e06091086822efea0e6e1d3acdaee6c56f95
SHA256

54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff
SHA512

c529064ec99ead01fa97ba0e309cbf5c8d263a3537605115a884e888a2ef1865691216eb96c8f6ca023d41ec74041cc9128dacca51e2d9585e7e10e6eb914e6c
SSDEEP

3072:00tTiVVFj3dTcAskPC+G4+6mIc4RmwE4j2lmm4c+JttZOKih7bDHLLbD:0VVLTnq+upI5Rmww/GtZObvbD

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.exe
Drops file in Windows directory 1 IoCs

Processes:

vds.exe

description ioc process

File opened for modification C:\Windows\INF\setupapi.dev.log vds.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	vds.exe

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vds.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vds.exe

description	pid	process
Token: SeLoadDriverPrivilege	2300	vds.exe
Token: SeLoadDriverPrivilege	2300	vds.exe
Token: SeLoadDriverPrivilege	2300	vds.exe
Token: SeLoadDriverPrivilege	2300	vds.exe
Token: SeLoadDriverPrivilege	2300	vds.exe
Token: SeLoadDriverPrivilege	2300	vds.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.execmd.execmd.exe

description	pid	process	target process
PID 2664 wrote to memory of 388	2664	54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.exe	cmd.exe
PID 2664 wrote to memory of 388	2664	54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.exe	cmd.exe
PID 388 wrote to memory of 3920	388	cmd.exe	diskpart.exe
PID 388 wrote to memory of 3920	388	cmd.exe	diskpart.exe
PID 2664 wrote to memory of 3164	2664	54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.exe	cmd.exe
PID 2664 wrote to memory of 3164	2664	54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.exe	cmd.exe
PID 3164 wrote to memory of 3200	3164	cmd.exe	diskpart.exe
PID 3164 wrote to memory of 3200	3164	cmd.exe	diskpart.exe

C:\Users\Admin\AppData\Local\Temp\54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.exe
"C:\Users\Admin\AppData\Local\Temp\54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c %systemroot%\system32\diskpart.exe /S drive_clean_0.scp
2⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\system32\diskpart.exe
C:\Windows\system32\diskpart.exe /S drive_clean_0.scp
3⤵
PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c %systemroot%\system32\diskpart.exe /S drive_rescan_0.scp
2⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\system32\diskpart.exe
C:\Windows\system32\diskpart.exe /S drive_rescan_0.scp
3⤵
PID:3200

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1576

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drive_clean_0.scp
Filesize
22B

MD5
ac9b31ab3ed20dbe98674c6da0142492

SHA1
52713a41696fca7362cfc28b883729136ead9dff

SHA256
5c7a7823458cb3aa4305b03c8353809ce13169dce9e895ee195795e5e3abca75

SHA512
0cbf5afa71f4797a391158d5d9afa7771cf45c66108f89c8a70442bef084091bb5b5e736879c27267c2723214d9ca4457d88b908ed2ad2645e816d0ccfd3ed2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\drive_rescan_0.scp
Filesize
8B

MD5
73e37297f08b2da29d5f4f2631b32044

SHA1
54f4310189a98538d79570237b4184a6524ee6da

SHA256
1ce233f67aef85aa4e5a11cf1c78114508d371931e09e6097df5924516051d20

SHA512
ca2afe275620bf4d5e7dab254360e00e791aec7601773d022dd5153ff4048f2ed8cdb017b072f4c561b307e088564650342abfd2f19dc04b2f07864d593350d8

Download Submit