Malware Analysis Report

2025-08-06 04:09

Sample ID: 240508-279vysfb99
Target: 6dcfc47fdf9ef83f72a935474b8272f10a9f4466804e96ca5db33fb070512bab
SHA256: 6dcfc47fdf9ef83f72a935474b8272f10a9f4466804e96ca5db33fb070512bab
Tags: bootkit, persistence
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 6dcfc47fdf9ef83f72a935474b8272f10a9f4466804e96ca5db33fb070512bab
Threat Level: Known bad

The file 6dcfc47fdf9ef83f72a935474b8272f10a9f4466804e96ca5db33fb070512bab was found to be: Known bad.

Malicious Activity Summary

- bootkit persistence
- Pitou
- Writes to the Master Boot Record (MBR)
- Unsigned PE
- Program crash

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-08 23:14

Signatures

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-08 23:14
Reported: 2024-05-08 23:19
Platform: win7-20240221-en
Max time kernel: 292s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dcfc47fdf9ef83f72a935474b8272f10a9f4466804e96ca5db33fb070512bab.exe"

Signatures

Pitou
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)
Tags: bootkit, persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\6dcfc47fdf9ef83f72a935474b8272f10a9f4466804e96ca5db33fb070512bab.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\6dcfc47fdf9ef83f72a935474b8272f10a9f4466804e96ca5db33fb070512bab.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6dcfc47fdf9ef83f72a935474b8272f10a9f4466804e96ca5db33fb070512bab.exe"

Network

N/A

Files

memory/912-0-0x0000000000220000-0x0000000000221000-memory.dmp
memory/912-2-0x0000000000400000-0x000000000046F000-memory.dmp
memory/912-1-0x0000000001F40000-0x0000000001FC0000-memory.dmp
memory/912-3-0x0000000000400000-0x00000000004EE000-memory.dmp
memory/912-4-0x0000000000400000-0x00000000004EE000-memory.dmp
memory/912-6-0x0000000000220000-0x0000000000221000-memory.dmp
memory/912-7-0x0000000000400000-0x000000000046F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-08 23:14
Reported: 2024-05-08 23:19
Platform: win10-20240404-en
Max time kernel: 291s
Max time network: 277s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dcfc47fdf9ef83f72a935474b8272f10a9f4466804e96ca5db33fb070512bab.exe"

Signatures

Pitou
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)
Tags: bootkit, persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\6dcfc47fdf9ef83f72a935474b8272f10a9f4466804e96ca5db33fb070512bab.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\6dcfc47fdf9ef83f72a935474b8272f10a9f4466804e96ca5db33fb070512bab.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6dcfc47fdf9ef83f72a935474b8272f10a9f4466804e96ca5db33fb070512bab.exe"

Process: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 644

Process: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 740

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | 239.249.30.184.in-addr.arpa | udp

Files

memory/4788-0-0x00000000007B0000-0x00000000007B1000-memory.dmp
memory/4788-1-0x00000000028C0000-0x0000000002940000-memory.dmp
memory/4788-2-0x0000000000400000-0x000000000046F000-memory.dmp
memory/4788-3-0x0000000000400000-0x00000000004EE000-memory.dmp
memory/4788-4-0x0000000000400000-0x00000000004EE000-memory.dmp
memory/4788-5-0x00000000007B0000-0x00000000007B1000-memory.dmp
memory/4788-7-0x0000000000400000-0x000000000046F000-memory.dmp