47cf19204ed7b766915eaabdb2182d9b202f5eda072f9139e280557adfb1e86d

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client/SyncExpSim.exe
Size

872KB
MD5

c739012257f3881c23f3036394e373de
SHA1

6eb8456472b0e4f85c9205274b6de2e4beeb54a0
SHA256

23a5b7d89f8719ca758c565c5f74db518fe261087a8c71559be5ecf909131e97
SHA512

08bb4c419e7f0fd70353afec06d6e5e3a3c4abff08c6d20e5d6a4790f5be9daaea0e6b9233e78e3ffb3aa3dac7ad8b4cf9ed001c8d491dddab39972613e3ad3d
SSDEEP

12288:09f1XN9FGoGoK7d1uGmMg9NWSBS5qgS7UjAkonY4rfAo5OvSaNABsP/twf7mHEHp:cXN7H/NQwg4vjAouSaaBVfsEDt

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

SyncExpSim.exe

description ioc process

File opened for modification \??\physicaldrive0 SyncExpSim.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SyncExpSim.exe

description pid process

Token: 33 876 SyncExpSim.exe
Token: SeIncBasePriorityPrivilege 876 SyncExpSim.exe

description	ioc	process
File opened for modification	\??\physicaldrive0	SyncExpSim.exe

description	pid	process
Token: 33	876	SyncExpSim.exe
Token: SeIncBasePriorityPrivilege	876	SyncExpSim.exe

C:\Users\Admin\AppData\Local\Temp\Client\SyncExpSim.exe
"C:\Users\Admin\AppData\Local\Temp\Client\SyncExpSim.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/876-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/876-1-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/876-2-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/876-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/876-4-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/876-5-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/876-6-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/876-7-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/876-8-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/876-9-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/876-10-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/876-11-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/876-12-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/876-13-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/876-14-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/876-15-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download