c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 04:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Size

1.9MB
MD5

223bb663a1d40839aa22ae2cafa4136c
SHA1

0fa2eb3e9e71f7fe4a7d73db1c06257281ffb778
SHA256

c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6
SHA512

528f71a66a1a1aa4650b56668e40f8505ae0cb4224e6573ec38349f6fa940d7e31bfe38cb4921fd0ebbca134ea47dd98aa7c431f37a9789b775878ef3b6a07dc
SSDEEP

49152:cUfD7NPis1Y2vBb/+kCXkpEiH9ZM1hqe3mrhuyBSiiEMl:Zf//1PvUkMV+ZM1zwhuyBXW

Score

6^/10

bootkit persistence

Malware Config

Signatures

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
File opened (read-only)	\??\E:	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
File opened (read-only)	\??\F:	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
1784	Bcdedit.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeBackupPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeRestorePrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: 33	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeIncBasePriorityPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeCreateGlobalPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeSystemEnvironmentPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: 33	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeIncBasePriorityPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: 33	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeIncBasePriorityPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: 33	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeIncBasePriorityPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeDebugPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeDebugPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: 33	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeIncBasePriorityPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeBackupPrivilege	940	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeRestorePrivilege	940	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: 33	940	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeIncBasePriorityPrivilege	940	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeDebugPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeRestorePrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeSecurityPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeTakeOwnershipPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeBackupPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: 33	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
Token: SeIncBasePriorityPrivilege	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 1452	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	28
PID 2896 wrote to memory of 1452	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	28
PID 2896 wrote to memory of 1452	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	28
PID 2896 wrote to memory of 1452	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	28
PID 2896 wrote to memory of 1784	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	30
PID 2896 wrote to memory of 1784	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	30
PID 2896 wrote to memory of 1784	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	30
PID 2896 wrote to memory of 1784	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	30
PID 2896 wrote to memory of 2908	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	32
PID 2896 wrote to memory of 2908	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	32
PID 2896 wrote to memory of 2908	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	32
PID 2896 wrote to memory of 2908	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	32
PID 2896 wrote to memory of 940	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	34
PID 2896 wrote to memory of 940	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	34
PID 2896 wrote to memory of 940	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	34
PID 2896 wrote to memory of 940	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	34
PID 2896 wrote to memory of 940	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	34
PID 2896 wrote to memory of 940	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	34
PID 2896 wrote to memory of 940	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	34
PID 2896 wrote to memory of 1096	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	35
PID 2896 wrote to memory of 1096	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	35
PID 2896 wrote to memory of 1096	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	35
PID 2896 wrote to memory of 1096	2896	c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe	35

C:\Users\Admin\AppData\Local\Temp\c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
"C:\Users\Admin\AppData\Local\Temp\c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe"
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\Bcdboot.exe
  Bcdboot_EXE /help
  2⤵
  PID:1452
- C:\Windows\System32\Bcdedit.exe
  Bcdedit_EXE /help
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1784
- C:\Windows\System32\Dism.exe
  Deployment_EXE /English /help
  2⤵
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\c6f8f9ba17b61786837804303a96d9282b137542afbc89a916143762142376a6.exe
  PECMD**pecmd-cmd* SHOW =1 &
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\Dism.exe
  DISM_EXE /English /Help
  2⤵
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WIT_VMDInfo.log

Filesize
462B

MD5
3d8fe964a83e80ed98d67b092ef57979

SHA1
e9c7a1d8be13e06b61b551116ae0209a786e07f8

SHA256
1c8f21eb7da39877be1062caeaa3c70a5ed48892c2b0a29c00f789c7446a518d

SHA512
ccdeeb08ee7e8eb7539bf12848fa69d58d3d76f1c94b26718c151f33835839fe433f12d2afbb56e14c6979614415030d4049b47ce9a1305afba8b6af5b3049bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIT_VMDInfo.log

Filesize
3KB

MD5
93136277b572ce5294e5da762abab483

SHA1
d0744f3976c1168a13704e2b717b4197fe73f9a3

SHA256
db6af2d318377aa22a7af7cc4e5d3df7df708a458cf890031a34cb458090de1c

SHA512
80e15f657f2a2f0fd36987364a8d12a2007f7d5a124e9a5b6758f613dddfc68618c26d8ad4fa01030d036991685e921a4dd5d9fb1d71db0d7a84ca43a15d862a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIT_VMDInfo.log

Filesize
4KB

MD5
f195dbc66cba3f0bcc32f0b98ae676c6

SHA1
69fd10977c4e3596f96a644122cd6d5d32d324ea

SHA256
daf49ca81e0da41931366280c848a88f158ae7eb6047d1232508cb2da24a2e66

SHA512
f63c978e505c0537038d7cd034d2c8eef9538e1e3bc06ec455ac7dcb3ed444ace1a4906722423110591bc009428bf1b6f17368c3fdfe0e4a7f6c9cb7552cbf67

Download Submit
memory/2896-2-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-3-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-23-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-25-0x0000000002340000-0x0000000002440000-memory.dmp

Filesize
1024KB

Download
memory/2896-27-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-26-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-24-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-22-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-21-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-28-0x0000000002340000-0x0000000002440000-memory.dmp

Filesize
1024KB

Download
memory/2896-29-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-30-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-31-0x0000000002340000-0x0000000002440000-memory.dmp

Filesize
1024KB

Download
memory/2896-34-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-38-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-59-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-115-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-112-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-109-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-105-0x0000000002340000-0x0000000002440000-memory.dmp

Filesize
1024KB

Download
memory/2896-95-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-90-0x0000000002340000-0x0000000002440000-memory.dmp

Filesize
1024KB

Download
memory/2896-77-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-75-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-73-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-72-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-134-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-138-0x0000000002340000-0x0000000002440000-memory.dmp

Filesize
1024KB

Download
memory/2896-133-0x0000000002340000-0x0000000002440000-memory.dmp

Filesize
1024KB

Download
memory/2896-129-0x0000000002340000-0x0000000002440000-memory.dmp

Filesize
1024KB

Download
memory/2896-141-0x0000000002340000-0x0000000002440000-memory.dmp

Filesize
1024KB

Download
memory/2896-70-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-69-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-68-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-67-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-66-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-65-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-64-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-62-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-61-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-58-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-57-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-55-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-54-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-52-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-53-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-51-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-50-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-49-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-48-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-47-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-46-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-45-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-44-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-43-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-42-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-41-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-40-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-39-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-60-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-37-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-36-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-35-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-33-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-32-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-19-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-18-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-17-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-15-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-14-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-13-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-12-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-9-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-20-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-16-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-7-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-583-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-580-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-598-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-599-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-608-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-609-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-610-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-611-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-612-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-613-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/2896-614-0x0000000002340000-0x0000000002440000-memory.dmp

Filesize
1024KB

Download
memory/2896-615-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads