713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe
Size

7.7MB
MD5

e2b515dbf84c2027b9ac3491ff09480e
SHA1

0a5043b3069dd8584205977ba52f43c970bfb898
SHA256

713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc
SHA512

a09c0c33f6b5afd19e86b3252aba3d718ab94697599f91e8d24e18fe365ff93954a4c0299844687b4c997811a65f2a7672cc88f83128c8a5aeabeb6d91404110
SSDEEP

196608:Ei9O9nK/HbZ49RBmVE0vv8xMxGaU/4hBDf8sxrVWCTYKUAAlw:m9K/HbZ49WVfXwydfxrVW8Uxw

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2884	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\configs.ini	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2884	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe
2884	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2884	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe
2884	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe
2884	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe
2884	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe

C:\Users\Admin\AppData\Local\Temp\713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe
"C:\Users\Admin\AppData\Local\Temp\713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2884-0-0x000000000079F000-0x0000000000BE3000-memory.dmp

Filesize
4.3MB

Download
memory/2884-21-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/2884-26-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2884-41-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2884-39-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2884-37-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2884-36-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2884-34-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2884-46-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/2884-32-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2884-31-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2884-29-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2884-24-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2884-20-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2884-18-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2884-15-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2884-13-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2884-10-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2884-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2884-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2884-47-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/2884-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2884-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2884-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2884-49-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/2884-50-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/2884-51-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/2884-52-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/2884-53-0x000000000079F000-0x0000000000BE3000-memory.dmp

Filesize
4.3MB

Download