Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 26/05/2024, 07:13
Static task: static1
Behavioral task: behavioral1
  Sample: 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
  Resource: win10v2004-20240426-en
General
Target: 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
Size: 5.9MB
MD5: 1c6d1e90ee7c7ce20fd3c8be4dcc24f2
SHA1: 2214ea98bb34bbbc5781f2150c36e9aa75534cab
SHA256: 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c
SHA512: e7b9f7559d4f291c16fcc10b2a3c882295324d4f166779db62ad6996885c1636c574ab7eca3a6b2d658f73257f36a6966f2134af1ab466d12732ee958b3075cd
SSDEEP: 98304:muBRQ2yBDa74Y15sPc9q/Un5TJ5yNivnAa/6D6J+oTpEBUQGA1Ypvm:j15TJMSBGjtGA18v
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid 2572, process 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description: File opened for modification; ioc: \??\PhysicalDrive0; process: 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
- Kills process with taskkill (1 IoC)
  pid 2168, process taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid 2168; process taskkill.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 2936, process 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe (2 occurrences)
  pid 2572, process 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (12 IoCs)
  columns: description / pid / process / procid_target
  PID 2936 wrote to memory of 2712 / 2936 / 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe / 28 (4 occurrences)
  PID 2712 wrote to memory of 2168 / 2712 / cmd.exe / 30 (4 occurrences)
  PID 2712 wrote to memory of 2572 / 2712 / cmd.exe / 32 (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe"
  PID: 2936
  signatures:
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2, child of PID 2936)
    command line: cmd /c taskkill /f /im "4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe" &start "" "4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe" &exit
    PID: 2712
    signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (level 3, child of PID 2712)
      command line: taskkill /f /im "4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe"
      PID: 2168
      signatures:
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe (level 3, child of PID 2712)
      command line: "4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe"
      PID: 2572
      signatures:
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
  MD5: 031ad1ecd93701d39265771942ec716c
  SHA1: cb3ef507bf0e848894fbb96a29bfc94a0c302152
  SHA256: 9a7fde2ea7883701bf858e0daef74d787a31c3cbd9f1171cec0a3a382ee9e6ba
  SHA512: 374dab32b6304834c7acd8b5e6701ece016bf57d3abdd416ef2b63f7cbda24c9e59f9dfc27b6823ac6256bbab38aace74334dec7d57f1ef6cb9b80c239003bae