a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5

Analysis

max time kernel
130s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
Size

3.0MB
MD5

5ec5d73080895ed27c93393be528d120
SHA1

0e8c161071a9df698a708ead9291ea40948262cc
SHA256

a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5
SHA512

72ae16e629681bc66cfd3cc970988c795dbd0847e92afc720e0eefb382f75ceb6323b587c4705b3cbb5d18605a3d7853b8af3aa2ae9aee9d1a64a9976493b321
SSDEEP

49152:FCqMIggR/WTWEZLBl/MhPdNixtcjY8TlXHZnECI5zzxskHdYUTNnJa6K7W:gfIggBWT9ZsdN6688TlXHZwmkHrpJaxW

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe

description ioc process

File opened for modification \??\PhysicalDrive0 a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe

pid	process
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
3600	a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe

pid process

3600 a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe

C:\Users\Admin\AppData\Local\Temp\a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe
"C:\Users\Admin\AppData\Local\Temp\a1f95048c6fe37ea7ccbf27f8b3baf922a0edcb472b6794cc1fbefa0f97083b5.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads