bcf1ebe82faf5b2eb18fa2d2c746111e95f44e4c92ed3287dbc9dfb1313bbef2

Analysis

max time kernel
136s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 04:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c26ecdfd3ee5aef6c7e4af37de91c896.exe
Size

264KB
MD5

c26ecdfd3ee5aef6c7e4af37de91c896
SHA1

9f5d275ea4681ad091cd5355965f4ef619ad92e7
SHA256

bcf1ebe82faf5b2eb18fa2d2c746111e95f44e4c92ed3287dbc9dfb1313bbef2
SHA512

5517129ff1ae981cdcb283a4f2bc680cc68f75228a3b1950ae927a44b43a70d4cec6466a9b4e80600bec8657c55578bf000bef41d685070677b15fb5f482c25b
SSDEEP

3072:59c0GV/ACeZbfDaLH5pl/6G8eK52/IE5mukQfel2DpdNoYNhk8tyCrXt:tGVYvpDab5pl/58elD5mukQbHNo8rXt

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3140	uninstall.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	uninstall.exe
File opened for modification	\??\PhysicalDrive0	c26ecdfd3ee5aef6c7e4af37de91c896.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3140	uninstall.exe
3140	uninstall.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3472	c26ecdfd3ee5aef6c7e4af37de91c896.exe
3140	uninstall.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 3140	3472	c26ecdfd3ee5aef6c7e4af37de91c896.exe	91
PID 3472 wrote to memory of 3140	3472	c26ecdfd3ee5aef6c7e4af37de91c896.exe	91
PID 3472 wrote to memory of 3140	3472	c26ecdfd3ee5aef6c7e4af37de91c896.exe	91

C:\Users\Admin\AppData\Local\Temp\c26ecdfd3ee5aef6c7e4af37de91c896.exe
"C:\Users\Admin\AppData\Local\Temp\c26ecdfd3ee5aef6c7e4af37de91c896.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Users\Admin\AppData\Local\Temp\uninstall.exe
  C:\Users\Admin\AppData\Local\Temp\uninstall.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

Filesize
264KB

MD5
c26ecdfd3ee5aef6c7e4af37de91c896

SHA1
9f5d275ea4681ad091cd5355965f4ef619ad92e7

SHA256
bcf1ebe82faf5b2eb18fa2d2c746111e95f44e4c92ed3287dbc9dfb1313bbef2

SHA512
5517129ff1ae981cdcb283a4f2bc680cc68f75228a3b1950ae927a44b43a70d4cec6466a9b4e80600bec8657c55578bf000bef41d685070677b15fb5f482c25b

Download Submit