079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe
Size

2.4MB
MD5

2b53b920631d78e969567a53473a42d4
SHA1

2397bbe6acd90b5cd5444d7709600ac3d5ef3938
SHA256

079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5
SHA512

7e8b299237307d63bc3261b9b2e32505a353d74be793345b6b449079ab409978b7f6e84906a4bae6e7fdbf96e022fe0a70c0551b30d726e84841edeaca3fac63
SSDEEP

49152:JoNgRf9tTkvqHWzKVcBd6o6nt2rK09G4lyo0ZacSiLUswRI/CIJh:J+Qf7cqA0bt2rK09cohiLUbQJJh

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe
2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe
Token: SeIncreaseQuotaPrivilege	8404	WMIC.exe
Token: SeSecurityPrivilege	8404	WMIC.exe
Token: SeTakeOwnershipPrivilege	8404	WMIC.exe
Token: SeLoadDriverPrivilege	8404	WMIC.exe
Token: SeSystemProfilePrivilege	8404	WMIC.exe
Token: SeSystemtimePrivilege	8404	WMIC.exe
Token: SeProfSingleProcessPrivilege	8404	WMIC.exe
Token: SeIncBasePriorityPrivilege	8404	WMIC.exe
Token: SeCreatePagefilePrivilege	8404	WMIC.exe
Token: SeBackupPrivilege	8404	WMIC.exe
Token: SeRestorePrivilege	8404	WMIC.exe
Token: SeShutdownPrivilege	8404	WMIC.exe
Token: SeDebugPrivilege	8404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	8404	WMIC.exe
Token: SeRemoteShutdownPrivilege	8404	WMIC.exe
Token: SeUndockPrivilege	8404	WMIC.exe
Token: SeManageVolumePrivilege	8404	WMIC.exe
Token: 33	8404	WMIC.exe
Token: 34	8404	WMIC.exe
Token: 35	8404	WMIC.exe
Token: SeIncreaseQuotaPrivilege	8404	WMIC.exe
Token: SeSecurityPrivilege	8404	WMIC.exe
Token: SeTakeOwnershipPrivilege	8404	WMIC.exe
Token: SeLoadDriverPrivilege	8404	WMIC.exe
Token: SeSystemProfilePrivilege	8404	WMIC.exe
Token: SeSystemtimePrivilege	8404	WMIC.exe
Token: SeProfSingleProcessPrivilege	8404	WMIC.exe
Token: SeIncBasePriorityPrivilege	8404	WMIC.exe
Token: SeCreatePagefilePrivilege	8404	WMIC.exe
Token: SeBackupPrivilege	8404	WMIC.exe
Token: SeRestorePrivilege	8404	WMIC.exe
Token: SeShutdownPrivilege	8404	WMIC.exe
Token: SeDebugPrivilege	8404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	8404	WMIC.exe
Token: SeRemoteShutdownPrivilege	8404	WMIC.exe
Token: SeUndockPrivilege	8404	WMIC.exe
Token: SeManageVolumePrivilege	8404	WMIC.exe
Token: 33	8404	WMIC.exe
Token: 34	8404	WMIC.exe
Token: 35	8404	WMIC.exe
Token: SeIncreaseQuotaPrivilege	8544	WMIC.exe
Token: SeSecurityPrivilege	8544	WMIC.exe
Token: SeTakeOwnershipPrivilege	8544	WMIC.exe
Token: SeLoadDriverPrivilege	8544	WMIC.exe
Token: SeSystemProfilePrivilege	8544	WMIC.exe
Token: SeSystemtimePrivilege	8544	WMIC.exe
Token: SeProfSingleProcessPrivilege	8544	WMIC.exe
Token: SeIncBasePriorityPrivilege	8544	WMIC.exe
Token: SeCreatePagefilePrivilege	8544	WMIC.exe
Token: SeBackupPrivilege	8544	WMIC.exe
Token: SeRestorePrivilege	8544	WMIC.exe
Token: SeShutdownPrivilege	8544	WMIC.exe
Token: SeDebugPrivilege	8544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	8544	WMIC.exe
Token: SeRemoteShutdownPrivilege	8544	WMIC.exe
Token: SeUndockPrivilege	8544	WMIC.exe
Token: SeManageVolumePrivilege	8544	WMIC.exe
Token: 33	8544	WMIC.exe
Token: 34	8544	WMIC.exe
Token: 35	8544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	8544	WMIC.exe
Token: SeSecurityPrivilege	8544	WMIC.exe
Token: SeTakeOwnershipPrivilege	8544	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe
2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe
2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe
2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe
2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 8380	2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe	28
PID 2804 wrote to memory of 8380	2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe	28
PID 2804 wrote to memory of 8380	2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe	28
PID 2804 wrote to memory of 8380	2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe	28
PID 8380 wrote to memory of 8404	8380	cmd.exe	30
PID 8380 wrote to memory of 8404	8380	cmd.exe	30
PID 8380 wrote to memory of 8404	8380	cmd.exe	30
PID 8380 wrote to memory of 8404	8380	cmd.exe	30
PID 2804 wrote to memory of 8520	2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe	32
PID 2804 wrote to memory of 8520	2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe	32
PID 2804 wrote to memory of 8520	2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe	32
PID 2804 wrote to memory of 8520	2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe	32
PID 8520 wrote to memory of 8544	8520	cmd.exe	34
PID 8520 wrote to memory of 8544	8520	cmd.exe	34
PID 8520 wrote to memory of 8544	8520	cmd.exe	34
PID 8520 wrote to memory of 8544	8520	cmd.exe	34
PID 2804 wrote to memory of 8580	2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe	35
PID 2804 wrote to memory of 8580	2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe	35
PID 2804 wrote to memory of 8580	2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe	35
PID 2804 wrote to memory of 8580	2804	079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe	35
PID 8580 wrote to memory of 8604	8580	cmd.exe	37
PID 8580 wrote to memory of 8604	8580	cmd.exe	37
PID 8580 wrote to memory of 8604	8580	cmd.exe	37
PID 8580 wrote to memory of 8604	8580	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe
"C:\Users\Admin\AppData\Local\Temp\079cc5a99ea2643d768233b580b1e7756790dd565568974b3dc801ef7e69a8d5.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic cpu get name/value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8380
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name/value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8520
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic Path Win32_DisplayConfiguration get DeviceName/value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:8580
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
    3⤵
    PID:8604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2804-0-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/2804-1-0x0000000074E80000-0x0000000074EC7000-memory.dmp

Filesize
284KB

Download
memory/2804-503-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-526-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-524-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-522-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-520-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-519-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-538-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-540-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-542-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-544-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-516-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-514-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-512-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-510-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-508-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-506-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-504-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-528-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-560-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-562-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-564-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-558-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-556-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-554-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-552-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-550-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-548-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-546-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-536-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-534-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-532-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-530-0x0000000002840000-0x0000000002951000-memory.dmp

Filesize
1.1MB

Download
memory/2804-2239-0x0000000002590000-0x0000000002711000-memory.dmp

Filesize
1.5MB

Download
memory/2804-7992-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads