ded13d884c27da54c773c157451f730eb566cf6bcbcc3ebcfcd02dac7b06ed66

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66b19dd29c42d1ef026d57c22ad99bcf.exe
Size

28KB
MD5

66b19dd29c42d1ef026d57c22ad99bcf
SHA1

b644ed9f8f278c3a68bbd16237fdac26c7124730
SHA256

ded13d884c27da54c773c157451f730eb566cf6bcbcc3ebcfcd02dac7b06ed66
SHA512

7b15b66d4389cb1ec44723d0411e5eec05b7923d9c00a8303386b508440c4b60f23f36035065e75b6cbaf85d24eb4eb1a19d97a583aa07955df223dbab16000f
SSDEEP

192:m4qxYdVbL0Jp/kbMqaneTQlk2WEtefntp9PyEtgP1oynjmprkfFoS:mJOzS+4enPhC1NmYFo

Score

7^/10

bootkit persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	66b19dd29c42d1ef026d57c22ad99bcf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2420	66b19dd29c42d1ef026d57c22ad99bcf.exe
Token: SeIncBasePriorityPrivilege	2420	66b19dd29c42d1ef026d57c22ad99bcf.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2420	66b19dd29c42d1ef026d57c22ad99bcf.exe
2420	66b19dd29c42d1ef026d57c22ad99bcf.exe
2420	66b19dd29c42d1ef026d57c22ad99bcf.exe
2420	66b19dd29c42d1ef026d57c22ad99bcf.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2692	2420	66b19dd29c42d1ef026d57c22ad99bcf.exe	28
PID 2420 wrote to memory of 2692	2420	66b19dd29c42d1ef026d57c22ad99bcf.exe	28
PID 2420 wrote to memory of 2692	2420	66b19dd29c42d1ef026d57c22ad99bcf.exe	28
PID 2420 wrote to memory of 2692	2420	66b19dd29c42d1ef026d57c22ad99bcf.exe	28
PID 2420 wrote to memory of 2788	2420	66b19dd29c42d1ef026d57c22ad99bcf.exe	30
PID 2420 wrote to memory of 2788	2420	66b19dd29c42d1ef026d57c22ad99bcf.exe	30
PID 2420 wrote to memory of 2788	2420	66b19dd29c42d1ef026d57c22ad99bcf.exe	30
PID 2420 wrote to memory of 2788	2420	66b19dd29c42d1ef026d57c22ad99bcf.exe	30

C:\Users\Admin\AppData\Local\Temp\66b19dd29c42d1ef026d57c22ad99bcf.exe
"C:\Users\Admin\AppData\Local\Temp\66b19dd29c42d1ef026d57c22ad99bcf.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\66B19D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\66B19D~1.EXE > nul
  2⤵
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads