9bcb6f54e1779d34b2e3d4fdd4454037f346448481b44f847c6fb936152ff2ed

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bcb6f54e1779d34b2e3d4fdd4454037f346448481b44f847c6fb936152ff2ed.exe
Size

932KB
MD5

2b67c3f030726dba320254df422f3646
SHA1

d20b167f289b8f2f4c3e6d1f807df05b295c2848
SHA256

9bcb6f54e1779d34b2e3d4fdd4454037f346448481b44f847c6fb936152ff2ed
SHA512

6c39c767832adabcbea97eb35c8027b8152592a6286b08b07a75a6836201fee556469733744864b68ca808bca5aad24547c38ed5017a498fd5d0466c647b7a7a
SSDEEP

12288:MOQNMIt3+hioijxOcaGW/v7EeEfvnJUC2+6zI4cHkYaG6U5SqFS4609bCFrZd:LWMIMhiop+4wzfvT2dMINbU5zFQmUz

Score

9^/10

bootkit persistence

Malware Config

Signatures

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 3 IoCs

resource	yara_rule
behavioral1/memory/2912-3-0x0000000000400000-0x00000000004EE000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2912-4-0x0000000000400000-0x00000000004EE000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2912-7-0x0000000000400000-0x000000000046F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	9bcb6f54e1779d34b2e3d4fdd4454037f346448481b44f847c6fb936152ff2ed.exe

C:\Users\Admin\AppData\Local\Temp\9bcb6f54e1779d34b2e3d4fdd4454037f346448481b44f847c6fb936152ff2ed.exe
"C:\Users\Admin\AppData\Local\Temp\9bcb6f54e1779d34b2e3d4fdd4454037f346448481b44f847c6fb936152ff2ed.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2912-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2912-1-0x0000000001F00000-0x0000000001F80000-memory.dmp

Filesize
512KB

Download
memory/2912-2-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2912-3-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2912-4-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2912-6-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2912-7-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads