26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe
Size

14.9MB
MD5

76b2fc40769689455303764527e69aa8
SHA1

688e05dc834fa66dba8ba7d7e19ad52e0eb2d1a2
SHA256

26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756
SHA512

742c3991198693c8b596f42926fd582091ae2a5ca3dc43c08fd9bd2ff73d7b639db4e5e4e75ff427b536d4797ec11dfecf875e47f9f53843b083457b48f0f316
SSDEEP

393216:wgKtWvY83DTZhifTO69l42BO/jJrSF9WjfA:wCZt69W2A/gzWTA

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe

pid	process
2028	26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe
2028	26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe

description ioc process

File opened for modification \??\PhysicalDrive0 26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2660 2028 WerFault.exe 26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe

pid	pid_target	process	target process
2660	2028	WerFault.exe	26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe

description	pid	process	target process
PID 2028 wrote to memory of 2660	2028	26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe	WerFault.exe
PID 2028 wrote to memory of 2660	2028	26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe	WerFault.exe
PID 2028 wrote to memory of 2660	2028	26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe	WerFault.exe
PID 2028 wrote to memory of 2660	2028	26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe
"C:\Users\Admin\AppData\Local\Temp\26a40782040216e2fc0333e5f287e2f50d3611b0962153fd0a6740c2521d4756.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 852
2⤵
- Program crash
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\netul.dll

Filesize
1.9MB

MD5
47f5fe83659f9ea0c7b204a3e76f78b1

SHA1
cc1e2e5e7601473e69a28f4ab4a7ed29a07dbada

SHA256
e834072d776786c0a9336225b18a1b4da91f3fd056277af61ba97a203c8bbb5a

SHA512
18c50b839b40b5706da9b0b948ea7ea85718cd38cd463d44750fa608ac14a1b45eb498c5d73460f4b67c9d9677fc3227be0ca48024aaf2b76dcebd09900e5e64

Download Submit
\Users\Admin\AppData\Local\Temp\{21A7F603-3968-4ecf-B085-52C89CA20D2B}.tmp\7z.dll

Filesize
1.1MB

MD5
e88522eb3a28fde2182a67e9e03566c9

SHA1
dfce7b03a4dda7f655b813884e8be685e428887a

SHA256
1d0784c649107d74957fd11274dde22fefc8235869f8365fb1b39e46b96eca3c

SHA512
477d90a3194f7d41e5eb988e72eb8ffd8c0198f3d5e2fa4eb77a683dfb3846c5c8d4129df53bab5e2c277217b2e9f98366ccccdc46d674fb52c5a998d697e7c5

Download Submit
memory/2028-19-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download