Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-01-2024 17:29

General

  • Target

    4c0a7ca04aac0a5abb6a0ae0d59d7a0d.exe

  • Size

    250KB

  • MD5

    4c0a7ca04aac0a5abb6a0ae0d59d7a0d

  • SHA1

    1bb69e84abfd74269e9785f5b679c30467532a14

  • SHA256

    72d779a0485360b5a636bc014d5ccf88ff4745453382ac675b968d5301f9b418

  • SHA512

    aa5cc1743d5443609c8b749d45066ca06193164d87bd4672eee720d097d99716d9acff4854f413dfe32c6fe7a681da25d131c546f9186592f7b327e45ded835e

  • SSDEEP

    6144:j7y+Qfb56BBMl5yyw5CpA/7sJ5pwvP6bQ7yMP+DE827KJF:/yf6aw5krJ5i6b7MP+Dd2A

Score
6/10

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c0a7ca04aac0a5abb6a0ae0d59d7a0d.exe
    "C:\Users\Admin\AppData\Local\Temp\4c0a7ca04aac0a5abb6a0ae0d59d7a0d.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe "c:\FINAL_TBF2.pdf"
      2⤵
        PID:2788
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\FINAL_TBF2.pdf"
        2⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2848

Network

MITRE ATT&CK Enterprise v15
Downloads

    • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

      Filesize

      3KB

      MD5

      490106480af6d2961fa98654dec9d6c5

      SHA1

      3da91a7d02a8404cee66fbd941784912fbab177b

      SHA256

      9ca2f80aa258410ecee593951b18f38d155efd4b4731bf989f64fb97461838eb

      SHA512

      ae053d0476b1a89d4fd70d1272e7a77980a8645530c874e48d8163e3bdb95365ad8a170bc4d00983a45c17c956f086e7f39fff0d67f79c97697708395f4e4138

    • memory/2656-0-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB

    • memory/2656-1-0x0000000000230000-0x00000000002A9000-memory.dmp

      Filesize

      484KB

    • memory/2656-2-0x00000000002C0000-0x00000000002F0000-memory.dmp

      Filesize

      192KB

    • memory/2656-3-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB

    • memory/2656-4-0x00000000002F0000-0x00000000002F2000-memory.dmp

      Filesize

      8KB

    • memory/2656-5-0x00000000002B0000-0x00000000002B6000-memory.dmp

      Filesize

      24KB

    • memory/2656-7-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB

    • memory/2656-8-0x0000000000230000-0x000000000023D000-memory.dmp

      Filesize

      52KB

    • memory/2656-9-0x00000000002C0000-0x00000000002F0000-memory.dmp

      Filesize

      192KB