Malware Analysis Report

2025-08-05 12:51

Sample ID 240509-b5tsvaeb55
Target 864058982beb96e66a925b7eb77b7add2ced0e27d95391ec80c3fba56f95f708.exe
SHA256 864058982beb96e66a925b7eb77b7add2ced0e27d95391ec80c3fba56f95f708
Tags
bootkit persistence
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

864058982beb96e66a925b7eb77b7add2ced0e27d95391ec80c3fba56f95f708

Threat Level: Likely malicious

The file 864058982beb96e66a925b7eb77b7add2ced0e27d95391ec80c3fba56f95f708.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Writes to the Master Boot Record (MBR)

Unsigned PE

Program crash

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 01:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 01:44

Reported

2024-05-09 01:46

Platform

win7-20240221-en

Max time kernel

143s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\864058982beb96e66a925b7eb77b7add2ced0e27d95391ec80c3fba56f95f708.exe"

Signatures

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\864058982beb96e66a925b7eb77b7add2ced0e27d95391ec80c3fba56f95f708.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\864058982beb96e66a925b7eb77b7add2ced0e27d95391ec80c3fba56f95f708.exe

"C:\Users\Admin\AppData\Local\Temp\864058982beb96e66a925b7eb77b7add2ced0e27d95391ec80c3fba56f95f708.exe"

Network

N/A

Files

memory/1624-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/1624-1-0x0000000000400000-0x00000000004EE000-memory.dmp

memory/1624-2-0x0000000002C60000-0x0000000002CE0000-memory.dmp

memory/1624-3-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1624-4-0x0000000000400000-0x00000000004EE000-memory.dmp

memory/1624-6-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/1624-5-0x0000000000400000-0x00000000004EE000-memory.dmp

memory/1624-8-0x0000000000400000-0x000000000046F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 01:44

Reported

2024-05-09 01:46

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\864058982beb96e66a925b7eb77b7add2ced0e27d95391ec80c3fba56f95f708.exe"

Signatures

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\864058982beb96e66a925b7eb77b7add2ced0e27d95391ec80c3fba56f95f708.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\864058982beb96e66a925b7eb77b7add2ced0e27d95391ec80c3fba56f95f708.exe

"C:\Users\Admin\AppData\Local\Temp\864058982beb96e66a925b7eb77b7add2ced0e27d95391ec80c3fba56f95f708.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3632 -ip 3632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 728

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3632-0-0x0000000002150000-0x0000000002151000-memory.dmp

memory/3632-1-0x00000000027D0000-0x0000000002850000-memory.dmp

memory/3632-2-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3632-3-0x0000000000400000-0x00000000004EE000-memory.dmp

memory/3632-4-0x0000000000400000-0x00000000004EE000-memory.dmp

memory/3632-7-0x0000000000400000-0x000000000046F000-memory.dmp