40a6dfb2da3f160374c4c287d2b2e7657d151f5d9c1d73fd0f6682264a3b0872

Analysis

max time kernel
17s
max time network
199s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
27/03/2024, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cvnwzmammv.exe
Size

316KB
MD5

f5e0962b8f5ba52bbec6f2b7f63a2bc1
SHA1

ef2437a8277565dc36ab2222d893849964eb863c
SHA256

5a520735eb6373fbb0a5e76d72b33dbb9514d7cfa3b7fb465a12bd9221ec27f3
SHA512

2c86bf5145efa719c54c33710db57a7ae1b8b4a51d3161f5ff09f6e62199ee6ac07e64f5ade3d9de576979ce588fa55984f0ce1a97d0a502a4fbf960ddf30450
SSDEEP

3072:GGmjllRDGTCzXCLA52mvVZKjzepmECnvwsC6m7Yl22wruUiLrf923F8GDsrXkd+Q:EjlnC6yQmzeAPv23

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cvnwzmammv.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4700	reg.exe
4776	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	292	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	292	AUDIODG.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 3468	3308	cvnwzmammv.exe	75
PID 3308 wrote to memory of 3468	3308	cvnwzmammv.exe	75
PID 3308 wrote to memory of 3468	3308	cvnwzmammv.exe	75
PID 3468 wrote to memory of 4700	3468	cmd.exe	77
PID 3468 wrote to memory of 4700	3468	cmd.exe	77
PID 3468 wrote to memory of 4700	3468	cmd.exe	77
PID 3308 wrote to memory of 2088	3308	cvnwzmammv.exe	78
PID 3308 wrote to memory of 2088	3308	cvnwzmammv.exe	78
PID 3308 wrote to memory of 2088	3308	cvnwzmammv.exe	78
PID 2088 wrote to memory of 4916	2088	cmd.exe	80
PID 2088 wrote to memory of 4916	2088	cmd.exe	80
PID 2088 wrote to memory of 4916	2088	cmd.exe	80
PID 3308 wrote to memory of 4604	3308	cvnwzmammv.exe	81
PID 3308 wrote to memory of 4604	3308	cvnwzmammv.exe	81
PID 3308 wrote to memory of 4604	3308	cvnwzmammv.exe	81
PID 4604 wrote to memory of 4776	4604	cmd.exe	83
PID 4604 wrote to memory of 4776	4604	cmd.exe	83
PID 4604 wrote to memory of 4776	4604	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\cvnwzmammv.exe
"C:\Users\Admin\AppData\Local\Temp\cvnwzmammv.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:4916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start calc.exe
  2⤵
  PID:3992
- - C:\Windows\SysWOW64\calc.exe
    calc.exe
    3⤵
    PID:4924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start notepad.exe
  2⤵
  PID:5084
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start dxdiag.exe
  2⤵
  PID:740
- - C:\Windows\SysWOW64\dxdiag.exe
    dxdiag.exe
    3⤵
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start write.exe
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    PID:4208
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:3056
    - - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        5⤵
        
        PID:4352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start charmap.exe
  2⤵
  PID:3384
- - C:\Windows\SysWOW64\charmap.exe
    charmap.exe
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start taskmgr.exe
  2⤵
  PID:4496
- - C:\Windows\SysWOW64\Taskmgr.exe
    taskmgr.exe
    3⤵
    PID:4928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start winver.exe
  2⤵
  PID:4468
- - C:\Windows\SysWOW64\winver.exe
    winver.exe
    3⤵
    PID:3124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown -r -t 65
  2⤵
  PID:976
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 65
    3⤵
    PID:4904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start mspaint.exe
  2⤵
  PID:684
- - C:\Windows\SysWOW64\mspaint.exe
    mspaint.exe
    3⤵
    PID:68
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start devmgmt.msc
  2⤵
  PID:2932
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\devmgmt.msc"
    3⤵
    PID:3588
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\devmgmt.msc" "C:\Windows\system32\devmgmt.msc"
      4⤵
      PID:3628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start control.exe
  2⤵
  PID:524
- - C:\Windows\SysWOW64\control.exe
    control.exe
    3⤵
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start mmc.exe
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\mmc.exe
    mmc.exe
    3⤵
    PID:164
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      PID:4196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start calc.exe
  2⤵
  PID:4628
- - C:\Windows\SysWOW64\calc.exe
    calc.exe
    3⤵
    PID:3108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start notepad.exe
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:4976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start dxdiag.exe
  2⤵
  PID:2720

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x390
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3644

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:2888

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads