Analysis

  • max time kernel
    40s
  • max time network
    48s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-01-2024 15:48

Errors

Reason
Machine shutdown

General

  • Target

    496519ad6523cc81aa1efbf4b1734d8c.exe

  • Size

    112KB

  • MD5

    496519ad6523cc81aa1efbf4b1734d8c

  • SHA1

    d0884a6fbbfdfdb96ecd2351f9abfa3b6d723070

  • SHA256

    15ed32b98b1cf1ac0ab96d743fa07cd954d99d8f5c487ccd81b8724cf9bb039b

  • SHA512

    958540ae591f8a1db18c5f5baa96d7ccaed9fc15729c49b998b4a36dcc1fcc5ac571f73df5052e74e8ec6a38036d29ea1b3298e50b03e0850d51824465ce8f67

  • SSDEEP

    3072:qsUdRra4l0mFlo2pKV9kC44+IraVkpugc42BXR9IR:qsaRZI2pKRt1n

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\496519ad6523cc81aa1efbf4b1734d8c.exe
    "C:\Users\Admin\AppData\Local\Temp\496519ad6523cc81aa1efbf4b1734d8c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Users\Admin\AppData\Local\Temp\496519ad6523cc81aa1efbf4b1734d8c.exe
      "C:\Users\Admin\AppData\Local\Temp\496519ad6523cc81aa1efbf4b1734d8c.exe"
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Users\Admin\AppData\Local\Temp\x2z8.exe
        C:\Users\Admin\AppData\Local\Temp\\x2z8.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3228
        • C:\Users\Admin\AppData\Local\Temp\x2z8.exe
          "C:\Users\Admin\AppData\Local\Temp\x2z8.exe"
          4⤵
          • Deletes itself
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of AdjustPrivilegeToken
          PID:4008
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3996855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fpath.txt
    Filesize: 70B
    MD5: 702cef231a752c12709f0a5cac7c2c19
    SHA1: d8ae33d3f88c2c363c4889d346bc362c8381a48c
    SHA256: 05a2c71393974af18e24d9b187b45aedf324c31936b7b00d6aa96d04b767d16b
    SHA512: feba51a79258eb9b42586f66f6b9f0a3022ab78228f459d4bbef836858d91e3bb816d29c8b83ed7b590cd3db8b44e37fadf25eb576a1672907cc4806dd383521

  • C:\Users\Admin\AppData\Local\Temp\x2z8.exe
    Filesize: 112KB
    MD5: 496519ad6523cc81aa1efbf4b1734d8c
    SHA1: d0884a6fbbfdfdb96ecd2351f9abfa3b6d723070
    SHA256: 15ed32b98b1cf1ac0ab96d743fa07cd954d99d8f5c487ccd81b8724cf9bb039b
    SHA512: 958540ae591f8a1db18c5f5baa96d7ccaed9fc15729c49b998b4a36dcc1fcc5ac571f73df5052e74e8ec6a38036d29ea1b3298e50b03e0850d51824465ce8f67

  • memory/3552-0-0x000000002AA00000-0x000000002AA07000-memory.dmp
    Filesize: 28KB

  • memory/3552-2-0x000000002AA00000-0x000000002AA07000-memory.dmp
    Filesize: 28KB

  • memory/3552-3-0x000000002AA00000-0x000000002AA07000-memory.dmp
    Filesize: 28KB

  • memory/4008-14-0x000000002AA00000-0x000000002AA07000-memory.dmp
    Filesize: 28KB