4d6c7f825be71c8b66ab8b1bfe2d2eb7a8d191444d00258733dd0c82ed51798c

Analysis

max time kernel
159s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_bb45b95082f99f8fa282f7479ef38a64.exe
Size

98KB
MD5

bb45b95082f99f8fa282f7479ef38a64
SHA1

d3408bbb082356c44e667ca53209baaaca24b094
SHA256

4d6c7f825be71c8b66ab8b1bfe2d2eb7a8d191444d00258733dd0c82ed51798c
SHA512

574824f7e825e0c030728576f5986e3ce17abd8b2b6a6b1781f760af289800fa4f19a9a67453275f1aade107b4348e90761fd102426731f4e8f65b3d8327b02a
SSDEEP

3072:Uhhf9D5ZtzrMnzXdt+XjDMAv1psS4Rr6pvpvpvpvpvpvP:ilFLzrMztt+11GRWpvpvpvpvpvpvP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
4500	bootini.exe
2208	bootini.exe
3880	bootini.exe
4808	bootini.exe
4820	bootini.exe
3444	bootini.exe
2596	bootini.exe
4476	bootini.exe
4388	bootini.exe
4112	bootini.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File created	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File created	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File created	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File created	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File created	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File opened for modification	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File created	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File opened for modification	C:\Windows\SysWOW64\bootini.exe	VirusShare_bb45b95082f99f8fa282f7479ef38a64.exe
File opened for modification	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File opened for modification	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File opened for modification	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File created	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File opened for modification	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File opened for modification	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File created	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File created	C:\Windows\SysWOW64\bootini.exe	VirusShare_bb45b95082f99f8fa282f7479ef38a64.exe
File created	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File created	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File opened for modification	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File opened for modification	C:\Windows\SysWOW64\bootini.exe	bootini.exe
File opened for modification	C:\Windows\SysWOW64\bootini.exe	bootini.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 4500	3500	VirusShare_bb45b95082f99f8fa282f7479ef38a64.exe	84
PID 3500 wrote to memory of 4500	3500	VirusShare_bb45b95082f99f8fa282f7479ef38a64.exe	84
PID 3500 wrote to memory of 4500	3500	VirusShare_bb45b95082f99f8fa282f7479ef38a64.exe	84
PID 4500 wrote to memory of 2208	4500	bootini.exe	93
PID 4500 wrote to memory of 2208	4500	bootini.exe	93
PID 4500 wrote to memory of 2208	4500	bootini.exe	93
PID 2208 wrote to memory of 3880	2208	bootini.exe	94
PID 2208 wrote to memory of 3880	2208	bootini.exe	94
PID 2208 wrote to memory of 3880	2208	bootini.exe	94
PID 3880 wrote to memory of 4808	3880	bootini.exe	95
PID 3880 wrote to memory of 4808	3880	bootini.exe	95
PID 3880 wrote to memory of 4808	3880	bootini.exe	95
PID 4808 wrote to memory of 4820	4808	bootini.exe	96
PID 4808 wrote to memory of 4820	4808	bootini.exe	96
PID 4808 wrote to memory of 4820	4808	bootini.exe	96
PID 4820 wrote to memory of 3444	4820	bootini.exe	97
PID 4820 wrote to memory of 3444	4820	bootini.exe	97
PID 4820 wrote to memory of 3444	4820	bootini.exe	97
PID 3444 wrote to memory of 2596	3444	bootini.exe	98
PID 3444 wrote to memory of 2596	3444	bootini.exe	98
PID 3444 wrote to memory of 2596	3444	bootini.exe	98
PID 2596 wrote to memory of 4476	2596	bootini.exe	99
PID 2596 wrote to memory of 4476	2596	bootini.exe	99
PID 2596 wrote to memory of 4476	2596	bootini.exe	99
PID 4476 wrote to memory of 4388	4476	bootini.exe	100
PID 4476 wrote to memory of 4388	4476	bootini.exe	100
PID 4476 wrote to memory of 4388	4476	bootini.exe	100
PID 4388 wrote to memory of 4112	4388	bootini.exe	101
PID 4388 wrote to memory of 4112	4388	bootini.exe	101
PID 4388 wrote to memory of 4112	4388	bootini.exe	101

C:\Users\Admin\AppData\Local\Temp\VirusShare_bb45b95082f99f8fa282f7479ef38a64.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_bb45b95082f99f8fa282f7479ef38a64.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\SysWOW64\bootini.exe
  C:\Windows\system32\bootini.exe 1152 "C:\Users\Admin\AppData\Local\Temp\VirusShare_bb45b95082f99f8fa282f7479ef38a64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\bootini.exe
    C:\Windows\system32\bootini.exe 1148 "C:\Windows\SysWOW64\bootini.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\bootini.exe
      C:\Windows\system32\bootini.exe 1124 "C:\Windows\SysWOW64\bootini.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3880
    - - C:\Windows\SysWOW64\bootini.exe
        
        C:\Windows\system32\bootini.exe 1120 "C:\Windows\SysWOW64\bootini.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\SysWOW64\bootini.exe
        
        C:\Windows\system32\bootini.exe 1132 "C:\Windows\SysWOW64\bootini.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\bootini.exe
        
        C:\Windows\system32\bootini.exe 1136 "C:\Windows\SysWOW64\bootini.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\bootini.exe
        
        C:\Windows\system32\bootini.exe 1128 "C:\Windows\SysWOW64\bootini.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\bootini.exe
        
        C:\Windows\system32\bootini.exe 1140 "C:\Windows\SysWOW64\bootini.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\bootini.exe
        
        C:\Windows\system32\bootini.exe 1144 "C:\Windows\SysWOW64\bootini.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\bootini.exe
        
        C:\Windows\system32\bootini.exe 1156 "C:\Windows\SysWOW64\bootini.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bootini.exe

Filesize
98KB

MD5
bb45b95082f99f8fa282f7479ef38a64

SHA1
d3408bbb082356c44e667ca53209baaaca24b094

SHA256
4d6c7f825be71c8b66ab8b1bfe2d2eb7a8d191444d00258733dd0c82ed51798c

SHA512
574824f7e825e0c030728576f5986e3ce17abd8b2b6a6b1781f760af289800fa4f19a9a67453275f1aade107b4348e90761fd102426731f4e8f65b3d8327b02a

Download Submit
memory/2208-14-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2208-17-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2208-13-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2596-34-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3444-31-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3500-0-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3500-11-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3500-2-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/3500-1-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3880-20-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4388-41-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4388-37-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/4476-38-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4500-15-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4500-10-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/4500-9-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4808-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4820-28-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4820-23-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads