713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe
Size

7.7MB
MD5

e2b515dbf84c2027b9ac3491ff09480e
SHA1

0a5043b3069dd8584205977ba52f43c970bfb898
SHA256

713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc
SHA512

a09c0c33f6b5afd19e86b3252aba3d718ab94697599f91e8d24e18fe365ff93954a4c0299844687b4c997811a65f2a7672cc88f83128c8a5aeabeb6d91404110
SSDEEP

196608:Ei9O9nK/HbZ49RBmVE0vv8xMxGaU/4hBDf8sxrVWCTYKUAAlw:m9K/HbZ49WVfXwydfxrVW8Uxw

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
928	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\configs.ini	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
928	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe
928	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe
928	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe
928	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
928	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe
928	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe
928	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe
928	713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe

C:\Users\Admin\AppData\Local\Temp\713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe
"C:\Users\Admin\AppData\Local\Temp\713a88bfb22911a3403d35c754fa64d00efae0cbf3ec190f3ac09839f5ca6ffc.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/928-0-0x000000000079F000-0x0000000000BE3000-memory.dmp

Filesize
4.3MB

Download
memory/928-2-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/928-1-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/928-6-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/928-12-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/928-9-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/928-8-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/928-13-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/928-5-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/928-4-0x0000000001AB0000-0x0000000001AB1000-memory.dmp

Filesize
4KB

Download
memory/928-3-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

Filesize
4KB

Download
memory/928-7-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/928-14-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/928-15-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/928-16-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/928-18-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/928-19-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/928-20-0x0000000000400000-0x0000000001393000-memory.dmp

Filesize
15.6MB

Download
memory/928-21-0x000000000079F000-0x0000000000BE3000-memory.dmp

Filesize
4.3MB

Download