19ef8f8adf541a2c074f6c91c37df31dc3661a15874ef87e63a14afdd18fbcdd

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 14:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4120432aa1aa920e3323e624e5d035cf.exe
Size

432KB
MD5

4120432aa1aa920e3323e624e5d035cf
SHA1

07cc86d8db6f310dfb21c364433bae9f946a767b
SHA256

19ef8f8adf541a2c074f6c91c37df31dc3661a15874ef87e63a14afdd18fbcdd
SHA512

99902297991127bee9802b3abbed34e1cf164519b2db77bf6b827b97f39e59b7fc795d8c0150c187da106879a63ff5278ff773ad54d9df25cfb95dea1c8a9a56
SSDEEP

6144:nBF91mWdWdoADYwUdZMPCn4jF9GZtMtGOkq84BVMfj:l1mjeWZcMPY4jFAZxhq84BVML

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	4120432aa1aa920e3323e624e5d035cf.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\4120432aa1aa920e3323e624e5d035cf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4120432aa1aa920e3323e624e5d035cf.exe:*:Enabled:@xpsp2res.dll,-22019"	4120432aa1aa920e3323e624e5d035cf.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	4120432aa1aa920e3323e624e5d035cf.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3020 set thread context of 9644	3020	4120432aa1aa920e3323e624e5d035cf.exe	28
PID 9644 set thread context of 2580	9644	4120432aa1aa920e3323e624e5d035cf.exe	29

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
3020	4120432aa1aa920e3323e624e5d035cf.exe
9644	4120432aa1aa920e3323e624e5d035cf.exe
9644	4120432aa1aa920e3323e624e5d035cf.exe
9644	4120432aa1aa920e3323e624e5d035cf.exe
9644	4120432aa1aa920e3323e624e5d035cf.exe
9644	4120432aa1aa920e3323e624e5d035cf.exe
9644	4120432aa1aa920e3323e624e5d035cf.exe
9644	4120432aa1aa920e3323e624e5d035cf.exe
9644	4120432aa1aa920e3323e624e5d035cf.exe
9644	4120432aa1aa920e3323e624e5d035cf.exe
9644	4120432aa1aa920e3323e624e5d035cf.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeAuditPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeBackupPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeChangeNotifyPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeCreatePagefilePrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeCreatePermanentPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeCreatePermanentPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeCreateTokenPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeIncBasePriorityPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeIncreaseQuotaPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeLoadDriverPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeLockMemoryPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeMachineAccountPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeProfSingleProcessPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeRemoteShutdownPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeRestorePrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeSecurityPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeShutdownPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeSystemEnvironmentPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeSystemProfilePrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeSystemtimePrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeTakeOwnershipPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeTcbPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe
Token: SeDebugPrivilege	9644	4120432aa1aa920e3323e624e5d035cf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3020	4120432aa1aa920e3323e624e5d035cf.exe
9644	4120432aa1aa920e3323e624e5d035cf.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 9644	3020	4120432aa1aa920e3323e624e5d035cf.exe	28
PID 3020 wrote to memory of 9644	3020	4120432aa1aa920e3323e624e5d035cf.exe	28
PID 3020 wrote to memory of 9644	3020	4120432aa1aa920e3323e624e5d035cf.exe	28
PID 3020 wrote to memory of 9644	3020	4120432aa1aa920e3323e624e5d035cf.exe	28
PID 3020 wrote to memory of 9644	3020	4120432aa1aa920e3323e624e5d035cf.exe	28
PID 3020 wrote to memory of 9644	3020	4120432aa1aa920e3323e624e5d035cf.exe	28
PID 3020 wrote to memory of 9644	3020	4120432aa1aa920e3323e624e5d035cf.exe	28
PID 3020 wrote to memory of 9644	3020	4120432aa1aa920e3323e624e5d035cf.exe	28
PID 9644 wrote to memory of 2580	9644	4120432aa1aa920e3323e624e5d035cf.exe	29
PID 9644 wrote to memory of 2580	9644	4120432aa1aa920e3323e624e5d035cf.exe	29
PID 9644 wrote to memory of 2580	9644	4120432aa1aa920e3323e624e5d035cf.exe	29
PID 9644 wrote to memory of 2580	9644	4120432aa1aa920e3323e624e5d035cf.exe	29
PID 9644 wrote to memory of 2580	9644	4120432aa1aa920e3323e624e5d035cf.exe	29
PID 9644 wrote to memory of 2580	9644	4120432aa1aa920e3323e624e5d035cf.exe	29
PID 9644 wrote to memory of 2580	9644	4120432aa1aa920e3323e624e5d035cf.exe	29
PID 9644 wrote to memory of 2580	9644	4120432aa1aa920e3323e624e5d035cf.exe	29
PID 9644 wrote to memory of 2580	9644	4120432aa1aa920e3323e624e5d035cf.exe	29

C:\Users\Admin\AppData\Local\Temp\4120432aa1aa920e3323e624e5d035cf.exe
"C:\Users\Admin\AppData\Local\Temp\4120432aa1aa920e3323e624e5d035cf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\4120432aa1aa920e3323e624e5d035cf.exe
  C:\Users\Admin\AppData\Local\Temp\4120432aa1aa920e3323e624e5d035cf.exe
  2⤵
  - Modifies firewall policy service
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:9644
- - C:\Users\Admin\AppData\Local\Temp\4120432aa1aa920e3323e624e5d035cf.exe
    C:\Users\Admin\AppData\Local\Temp\4120432aa1aa920e3323e624e5d035cf.exe -f
    3⤵
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2580-4357-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2580-4365-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-4363-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2580-4369-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2580-4370-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2580-4359-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2580-4361-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2580-4367-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/9644-4279-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/9644-4290-0x0000000000240000-0x0000000000258000-memory.dmp

Filesize
96KB

Download
memory/9644-3969-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/9644-3970-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/9644-3975-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/9644-3974-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/9644-3972-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/9644-4206-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/9644-4284-0x0000000000240000-0x000000000024B000-memory.dmp

Filesize
44KB

Download
memory/9644-4216-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/9644-4217-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/9644-4220-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/9644-4223-0x0000000000240000-0x0000000000255000-memory.dmp

Filesize
84KB

Download
memory/9644-4221-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/9644-4224-0x0000000000240000-0x0000000000255000-memory.dmp

Filesize
84KB

Download
memory/9644-4230-0x0000000000240000-0x0000000000258000-memory.dmp

Filesize
96KB

Download
memory/9644-4231-0x0000000000240000-0x0000000000258000-memory.dmp

Filesize
96KB

Download
memory/9644-4235-0x00000000027A0000-0x0000000002869000-memory.dmp

Filesize
804KB

Download
memory/9644-4233-0x00000000027A0000-0x0000000002869000-memory.dmp

Filesize
804KB

Download
memory/9644-4242-0x0000000000240000-0x000000000025E000-memory.dmp

Filesize
120KB

Download
memory/9644-4243-0x0000000000240000-0x000000000025E000-memory.dmp

Filesize
120KB

Download
memory/9644-4246-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/9644-4248-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/9644-4254-0x0000000000350000-0x000000000039D000-memory.dmp

Filesize
308KB

Download
memory/9644-4256-0x0000000000350000-0x000000000039D000-memory.dmp

Filesize
308KB

Download
memory/9644-4291-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/9644-4259-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/9644-4262-0x0000000000240000-0x0000000000264000-memory.dmp

Filesize
144KB

Download
memory/9644-4268-0x0000000000350000-0x00000000003F6000-memory.dmp

Filesize
664KB

Download
memory/9644-4267-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/9644-4276-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/9644-4278-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/9644-3965-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/9644-4281-0x0000000000240000-0x0000000000255000-memory.dmp

Filesize
84KB

Download
memory/9644-4207-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/9644-3968-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/9644-4258-0x0000000000240000-0x0000000000264000-memory.dmp

Filesize
144KB

Download
memory/9644-4287-0x0000000000350000-0x0000000000381000-memory.dmp

Filesize
196KB

Download
memory/9644-4299-0x0000000000240000-0x0000000000258000-memory.dmp

Filesize
96KB

Download
memory/9644-4301-0x00000000027A0000-0x0000000002869000-memory.dmp

Filesize
804KB

Download
memory/9644-4303-0x0000000000350000-0x00000000003BB000-memory.dmp

Filesize
428KB

Download
memory/9644-4305-0x0000000000350000-0x00000000003BB000-memory.dmp

Filesize
428KB

Download
memory/9644-4307-0x0000000000350000-0x00000000003E9000-memory.dmp

Filesize
612KB

Download
memory/9644-4309-0x0000000000350000-0x00000000003E9000-memory.dmp

Filesize
612KB

Download
memory/9644-4311-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/9644-4313-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/9644-4314-0x0000000000240000-0x000000000025E000-memory.dmp

Filesize
120KB

Download
memory/9644-4320-0x0000000000240000-0x000000000025E000-memory.dmp

Filesize
120KB

Download
memory/9644-4322-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/9644-4323-0x0000000000240000-0x0000000000259000-memory.dmp

Filesize
100KB

Download
memory/9644-4325-0x0000000000240000-0x0000000000259000-memory.dmp

Filesize
100KB

Download
memory/9644-4289-0x0000000000350000-0x0000000000381000-memory.dmp

Filesize
196KB

Download
memory/9644-4330-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/9644-4332-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/9644-4333-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/9644-4328-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/9644-4342-0x0000000000240000-0x0000000000264000-memory.dmp

Filesize
144KB

Download
memory/9644-4343-0x0000000000240000-0x0000000000264000-memory.dmp

Filesize
144KB

Download
memory/9644-4345-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/9644-3957-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/9644-3953-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/9644-3949-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/9644-4348-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/9644-4351-0x0000000000350000-0x00000000003C1000-memory.dmp

Filesize
452KB

Download
memory/9644-4350-0x0000000000350000-0x00000000003C1000-memory.dmp

Filesize
452KB

Download
memory/9644-4340-0x0000000000350000-0x000000000039D000-memory.dmp

Filesize
308KB

Download
memory/9644-4288-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/9644-4286-0x0000000000240000-0x000000000024B000-memory.dmp

Filesize
44KB

Download
memory/9644-4266-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/9644-4265-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/9644-4373-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/9644-4264-0x0000000000350000-0x00000000003F6000-memory.dmp

Filesize
664KB

Download