d5510814cab366b4fa203dd5dd161c6c955faddbf71a9e8ea5ff4dffc4442bc3

Analysis

max time kernel
140s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/03/2024, 00:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d7762c54fa046d865c72900516c16d92.exe
Size

92KB
MD5

d7762c54fa046d865c72900516c16d92
SHA1

0761ee8246cf9ff55b690e797428fb308baac3c0
SHA256

d5510814cab366b4fa203dd5dd161c6c955faddbf71a9e8ea5ff4dffc4442bc3
SHA512

4e7e109f361d7d2438b6b3eb1a9ce92b302a9d9bf7932088cb56ec07ab4e737e71e3dee2ffd328648e99899d38d53315a38068a0ea455ff043ef88885a119686
SSDEEP

1536:Gm7Ule6VdUevI/CQDn+PoQQQRnooooooooooooooooooooozDoooowoAciN46fze:j7IeK2CQDnYoQQQRui17qpvLf

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2136-2-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d7762c54fa046d865c72900516c16d92.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 2136	2028	d7762c54fa046d865c72900516c16d92.exe	28

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2028	d7762c54fa046d865c72900516c16d92.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2136	2028	d7762c54fa046d865c72900516c16d92.exe	28
PID 2028 wrote to memory of 2136	2028	d7762c54fa046d865c72900516c16d92.exe	28
PID 2028 wrote to memory of 2136	2028	d7762c54fa046d865c72900516c16d92.exe	28
PID 2028 wrote to memory of 2136	2028	d7762c54fa046d865c72900516c16d92.exe	28
PID 2028 wrote to memory of 2136	2028	d7762c54fa046d865c72900516c16d92.exe	28
PID 2028 wrote to memory of 2136	2028	d7762c54fa046d865c72900516c16d92.exe	28
PID 2028 wrote to memory of 2136	2028	d7762c54fa046d865c72900516c16d92.exe	28
PID 2028 wrote to memory of 2136	2028	d7762c54fa046d865c72900516c16d92.exe	28
PID 2028 wrote to memory of 2136	2028	d7762c54fa046d865c72900516c16d92.exe	28

C:\Users\Admin\AppData\Local\Temp\d7762c54fa046d865c72900516c16d92.exe
"C:\Users\Admin\AppData\Local\Temp\d7762c54fa046d865c72900516c16d92.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\d7762c54fa046d865c72900516c16d92.exe
  "C:\Users\Admin\AppData\Local\Temp\d7762c54fa046d865c72900516c16d92.exe"
  2⤵
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2136-2-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads