f1753b01e55256a70bd758defc745f120554638937d4ae97f5e66b3f983ed67a

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4550117711a5b26fbbd0eb6ec166ca1.exe
Size

389KB
MD5

a4550117711a5b26fbbd0eb6ec166ca1
SHA1

fe9946416bacf727e1713c820890ce46b1906ebc
SHA256

f1753b01e55256a70bd758defc745f120554638937d4ae97f5e66b3f983ed67a
SHA512

61527a64d6c2162f207e871989ba50816d5b376d5b15f8c72c127a8946b12c6c6fd4aca1a60e8e4a2131fcc4c6ce3b2195b5f145c8b3d49c879c35b519b61484
SSDEEP

6144:coeHsUJqDKOw/Xqy2up1zwwvP6bQ7yMP+DE827nnEMcbwvP6bQ7yMP+DE827T:csfDuqyR6b7MP+Dd2DEMd6b7MP+Dd2X

Score

8^/10

bootkit persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	a4550117711a5b26fbbd0eb6ec166ca1.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	a4550117711a5b26fbbd0eb6ec166ca1.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	a4550117711a5b26fbbd0eb6ec166ca1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	a4550117711a5b26fbbd0eb6ec166ca1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	a4550117711a5b26fbbd0eb6ec166ca1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1404	a4550117711a5b26fbbd0eb6ec166ca1.exe

C:\Users\Admin\AppData\Local\Temp\a4550117711a5b26fbbd0eb6ec166ca1.exe
"C:\Users\Admin\AppData\Local\Temp\a4550117711a5b26fbbd0eb6ec166ca1.exe"
1⤵
- Drops file in Drivers directory
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1404-1-0x00000000004B0000-0x00000000004E0000-memory.dmp

Filesize
192KB

Download
memory/1404-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1404-2-0x0000000000270000-0x0000000000274000-memory.dmp

Filesize
16KB

Download
memory/1404-6-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1404-5-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1404-8-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1404-7-0x00000000004B0000-0x00000000004E0000-memory.dmp

Filesize
192KB

Download