47efdc82061315f7990ce4bf515439ca0456476efe9ddaf464b68e630bfecf9e

Analysis

max time kernel
0s
max time network
0s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd42105b082987624faae1216dcb8c20e48c25566f0cc808cdd22cbdd273f2f2.exe
Size

81KB
MD5

68d21e42ba35dc6324c75da71233ea14
SHA1

f5c5c50336d9239e1765bd1f8ca50d9c3c27612f
SHA256

bd42105b082987624faae1216dcb8c20e48c25566f0cc808cdd22cbdd273f2f2
SHA512

e76a537f59ad2230f646e050e2217667019f6656243ece09fdf0f834a84b5b02f643ad25fc3b92a17409de6928d308ed70cbb521c4b0037c6e60b7ec04687b0b
SSDEEP

1536:qn/9ecG8JnbijvBWya/1wpdN2YWL2MRxisBELCjTV1ExZ47pVUdsRGhSF:q/MPCbMvI9idspL2grTye7rUM

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1508-0-0x000000013F790000-0x000000013F7C0000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

bd42105b082987624faae1216dcb8c20e48c25566f0cc808cdd22cbdd273f2f2.exe

description ioc process

File opened for modification \??\PhysicalDrive0 bd42105b082987624faae1216dcb8c20e48c25566f0cc808cdd22cbdd273f2f2.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	bd42105b082987624faae1216dcb8c20e48c25566f0cc808cdd22cbdd273f2f2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bd42105b082987624faae1216dcb8c20e48c25566f0cc808cdd22cbdd273f2f2.exe

description	pid	process
Token: SeDebugPrivilege	1508	bd42105b082987624faae1216dcb8c20e48c25566f0cc808cdd22cbdd273f2f2.exe
Token: SeShutdownPrivilege	1508	bd42105b082987624faae1216dcb8c20e48c25566f0cc808cdd22cbdd273f2f2.exe

C:\Users\Admin\AppData\Local\Temp\bd42105b082987624faae1216dcb8c20e48c25566f0cc808cdd22cbdd273f2f2.exe
"C:\Users\Admin\AppData\Local\Temp\bd42105b082987624faae1216dcb8c20e48c25566f0cc808cdd22cbdd273f2f2.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1508

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1508-0-0x000000013F790000-0x000000013F7C0000-memory.dmp

Filesize
192KB

Download