be3757324a4ccff20d54eedc416729e59187b1ffeacf88da32bf59474f9621a0

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cae501a10cbcedbbbf6f213b3b6b8f34.exe
Size

189KB
MD5

cae501a10cbcedbbbf6f213b3b6b8f34
SHA1

6308d47e30f3ee02630c0004112deb756c25b10f
SHA256

be3757324a4ccff20d54eedc416729e59187b1ffeacf88da32bf59474f9621a0
SHA512

a9e02fa91e69a045e726d88913b07b6b7f8420ee0aa858d61435a922fbddaeb1fb94a5a35eda31f5ca2751920e69793d70360f7423647997227cebe55b4dd563
SSDEEP

3072:srDqXHY74Ef7BJuS2acIetvt3/qvjJPm/FzopSkfyfemUlZQC+GnR:wz4YBJuxx/ijJPm/FvkfycQC+i

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1792	__uia__.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	cae501a10cbcedbbbf6f213b3b6b8f34.exe
2136	cae501a10cbcedbbbf6f213b3b6b8f34.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cae501a10cbcedbbbf6f213b3b6b8f34.exe
File opened for modification	\??\PhysicalDrive0	__uia__.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1792	__uia__.exe
1792	__uia__.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1792	__uia__.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1792	2136	cae501a10cbcedbbbf6f213b3b6b8f34.exe	28
PID 2136 wrote to memory of 1792	2136	cae501a10cbcedbbbf6f213b3b6b8f34.exe	28
PID 2136 wrote to memory of 1792	2136	cae501a10cbcedbbbf6f213b3b6b8f34.exe	28
PID 2136 wrote to memory of 1792	2136	cae501a10cbcedbbbf6f213b3b6b8f34.exe	28
PID 1792 wrote to memory of 2856	1792	__uia__.exe	29
PID 1792 wrote to memory of 2856	1792	__uia__.exe	29
PID 1792 wrote to memory of 2856	1792	__uia__.exe	29
PID 1792 wrote to memory of 2856	1792	__uia__.exe	29

C:\Users\Admin\AppData\Local\Temp\cae501a10cbcedbbbf6f213b3b6b8f34.exe
"C:\Users\Admin\AppData\Local\Temp\cae501a10cbcedbbbf6f213b3b6b8f34.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\__uia__.exe
  C:\Users\Admin\AppData\Local\Temp\\__uia__.exe 396
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\__uia__.exe > nul
    3⤵
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\__uia__.exe

Filesize
189KB

MD5
cae501a10cbcedbbbf6f213b3b6b8f34

SHA1
6308d47e30f3ee02630c0004112deb756c25b10f

SHA256
be3757324a4ccff20d54eedc416729e59187b1ffeacf88da32bf59474f9621a0

SHA512
a9e02fa91e69a045e726d88913b07b6b7f8420ee0aa858d61435a922fbddaeb1fb94a5a35eda31f5ca2751920e69793d70360f7423647997227cebe55b4dd563

Download Submit