b3d0970b8baaf49acf7e2259da2953256442bf4daf480224b7931ca01c8e61b7

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0d6713d981797a28f2b387d69d4995a.exe
Size

154KB
MD5

c0d6713d981797a28f2b387d69d4995a
SHA1

34c88c0082d912ede9810095f782c6515295bc4b
SHA256

b3d0970b8baaf49acf7e2259da2953256442bf4daf480224b7931ca01c8e61b7
SHA512

d9f16dde84899671d50cb1ee4b0c1fa76106435722506085c296d718303ddb14282a520dfcea5f74f7312fc9cf72f62be62ded0b0ffa170597e4d5cc1fb65e7e
SSDEEP

3072:FZMJnTeM4cJJYeqgKJ+BCYiDnTO4H2NxDYvGw7/zzzAmnB/4D3hmn64G:zeTeM/ggKEiDTvqRYuMzzaFmS

Score

7^/10

bootkit persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2828	lcDGsZ.exe

Executes dropped EXE 2 IoCs

pid	Process
924	ctsL.exe
2828	lcDGsZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	lcDGsZ.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\wm.exe	c0d6713d981797a28f2b387d69d4995a.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wm.exe	c0d6713d981797a28f2b387d69d4995a.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmstart._	c0d6713d981797a28f2b387d69d4995a.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ctsL.exe	c0d6713d981797a28f2b387d69d4995a.exe
File created	C:\Program Files (x86)\Windows Media Player\ctsL.exe	c0d6713d981797a28f2b387d69d4995a.exe
File created	C:\Program Files (x86)\Intel\lcDGsZ.exe	c0d6713d981797a28f2b387d69d4995a.exe
File created	C:\Program Files (x86)\Windows Media Player\start0	c0d6713d981797a28f2b387d69d4995a.exe
File created	C:\Program Files (x86)\Windows Media Player\wmstart._	c0d6713d981797a28f2b387d69d4995a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002320e-7.dat	nsis_installer_2

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2828	lcDGsZ.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 924	1328	c0d6713d981797a28f2b387d69d4995a.exe	90
PID 1328 wrote to memory of 924	1328	c0d6713d981797a28f2b387d69d4995a.exe	90
PID 1328 wrote to memory of 924	1328	c0d6713d981797a28f2b387d69d4995a.exe	90
PID 1328 wrote to memory of 2828	1328	c0d6713d981797a28f2b387d69d4995a.exe	91
PID 1328 wrote to memory of 2828	1328	c0d6713d981797a28f2b387d69d4995a.exe	91
PID 1328 wrote to memory of 2828	1328	c0d6713d981797a28f2b387d69d4995a.exe	91

C:\Users\Admin\AppData\Local\Temp\c0d6713d981797a28f2b387d69d4995a.exe
"C:\Users\Admin\AppData\Local\Temp\c0d6713d981797a28f2b387d69d4995a.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Program Files (x86)\Windows Media Player\ctsL.exe
  "C:\Program Files (x86)\Windows Media Player\ctsL.exe"
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Program Files (x86)\Intel\lcDGsZ.exe
  "C:\Program Files (x86)\Intel\lcDGsZ.exe" C:\Users\Admin\AppData\Local\Temp\c0d6713d981797a28f2b387d69d4995a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Intel\lcDGsZ.exe

Filesize
24KB

MD5
a8b9545785281eb41368537f419b8d79

SHA1
1bbc5451890075b555401e15bfbc6f79c8f06bb5

SHA256
ca13ce14001962072880029a693080e83c2d12d325e8a9546bb54d249beac9c4

SHA512
8d9572fa666442748e2a018f7b32c491a1a00d06ad06c7c41c59e84de7300078e51b8cf81ae8c17905f5a9edd9605b8c15f4a6ea0f41e10d8eaa53b9427c980f

Download Submit
C:\Program Files (x86)\Windows Media Player\ctsL.exe

Filesize
36KB

MD5
06cb3ca80b68e7df848591066edeb92c

SHA1
ed8026cd5fdcf2d7c72ba71c7b1ff1023d00ed75

SHA256
1a597b12bd5fdbe636e79918a9e938f16605dc4ac9d8f25da397d8dbe456ecf6

SHA512
91506c876a3d98fe0e58ca6a0a4cd6744d2891cd1fab8030e408680c68957da0d6e26528ace18629dff343993ecb14a77365fa17b3ecb1f4859cc74de895443b

Download Submit
C:\Program Files (x86)\Windows Media Player\wmstart._

Filesize
99KB

MD5
10a19d5015467cd21dfce7f278a2904f

SHA1
065787bf07db5118e8079cadae09aba8f0beeeb4

SHA256
9854a39f9cdab1fce790fbe7d43099780235ff18dca85630d2154360c25fdd07

SHA512
e4399a48c98b05740443a8c7e2ecaed0ee1ba22eb23accb3bb9d1ba17af8fed41fd50195cf01cd2da51e3c71ae0377b8e5876f02d18fdd9d6bee4f55a0cc2cd7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads