6b8d0aaafe494d29a4d648815c45235788a1e62551d8bdc9a1369e2a54281a2e

Analysis

max time kernel
142s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 21:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8d559006cd8712952f7bb89981c6237b.exe
Size

112KB
MD5

8d559006cd8712952f7bb89981c6237b
SHA1

ec9598eb66ef19b9ecccafaf58f7f26630e299e5
SHA256

6b8d0aaafe494d29a4d648815c45235788a1e62551d8bdc9a1369e2a54281a2e
SHA512

7138bccfb9bcda1afc57b51e4e97ba20fa5f3dd78667ffbeb82b1a55325020f86d981ed72d1d450aaf3b30e31f95439ac5e5ee9f18be786de9090ec31329b6b2
SSDEEP

3072:h+nn4DRbbrMbvT0q8O1cZPzQ7IXMBc+AMP+QfQEhxFyVU7h8lei:u4D5wvP6bQ7yMP+DE827h5i

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	8d559006cd8712952f7bb89981c6237b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2980	2332	WerFault.exe	18

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	8d559006cd8712952f7bb89981c6237b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	8d559006cd8712952f7bb89981c6237b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	8d559006cd8712952f7bb89981c6237b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2332	8d559006cd8712952f7bb89981c6237b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12
PID 2332 wrote to memory of 1256	2332	8d559006cd8712952f7bb89981c6237b.exe	12

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\8d559006cd8712952f7bb89981c6237b.exe
  "C:\Users\Admin\AppData\Local\Temp\8d559006cd8712952f7bb89981c6237b.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 284
    3⤵
    - Program crash
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2332-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2332-1-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/2332-3-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/2332-4-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/2332-5-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2332-6-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2332-8-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2332-2-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/2332-7-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2332-9-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2332-10-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2332-11-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/2332-12-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2332-13-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/2332-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download