b59d4d38c6c98590709bcb7e4299a4e10306b29d46a56c5e8a6bb274bd4bef31

Analysis

max time kernel
6s
max time network
8s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 22:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Windows/Ransomware/Monster Ransomware (second new version)/tunamor.exe
Size

71KB
MD5

e9fdc21bd273444925a4512166188e5b
SHA1

e398138686eedcd8ef9de5342025f7118e120cdf
SHA256

78972cdde1a038f249b481ea2c4b172cc258aa294440333e9c46dcb3fbed5815
SHA512

64989534f56fcd70f3ff08bb47a331d5624fc1e3b387420a885d6f32a537e05182de8c5890612cde03fdd312ad101955674d7455c84b900bf7eed97b402a2b08
SSDEEP

768:Uv3mq1oJQpwvZlXhVkcDsaoi9P9TJKvaoStYARRQwfwiIySf4BtIl82+hE8x:YmqMQoXhVN4aooJhDCSeyxel82WNx

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	tunamor.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2940	shutdown.exe
Token: SeRemoteShutdownPrivilege	2940	shutdown.exe
Token: SeShutdownPrivilege	2368	shutdown.exe
Token: SeRemoteShutdownPrivilege	2368	shutdown.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2940	2880	tunamor.exe	28
PID 2880 wrote to memory of 2940	2880	tunamor.exe	28
PID 2880 wrote to memory of 2940	2880	tunamor.exe	28
PID 2880 wrote to memory of 2940	2880	tunamor.exe	28
PID 2880 wrote to memory of 2368	2880	tunamor.exe	29
PID 2880 wrote to memory of 2368	2880	tunamor.exe	29
PID 2880 wrote to memory of 2368	2880	tunamor.exe	29
PID 2880 wrote to memory of 2368	2880	tunamor.exe	29

C:\Users\Admin\AppData\Local\Temp\Windows\Ransomware\Monster Ransomware (second new version)\tunamor.exe
"C:\Users\Admin\AppData\Local\Temp\Windows\Ransomware\Monster Ransomware (second new version)\tunamor.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\shutdown.exe
  shutdown.exe -r -f -t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\SysWOW64\shutdown.exe
  C:\Windows\System32\shutdown.exe -r -f -t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2368

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2668

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2380-2-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2668-1-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2880-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads