Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/05/2024, 07:13
Static task: static1
Behavioral task: behavioral1
  Sample: 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
  Resource: win10v2004-20240426-en
General
- Target: 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
- Size: 5.9MB
- MD5: 1c6d1e90ee7c7ce20fd3c8be4dcc24f2
- SHA1: 2214ea98bb34bbbc5781f2150c36e9aa75534cab
- SHA256: 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c
- SHA512: e7b9f7559d4f291c16fcc10b2a3c882295324d4f166779db62ad6996885c1636c574ab7eca3a6b2d658f73257f36a6966f2134af1ab466d12732ee958b3075cd
- SSDEEP: 98304:muBRQ2yBDa74Y15sPc9q/Un5TJ5yNivnAa/6D6J+oTpEBUQGA1Ypvm:j15TJMSBGjtGA18v
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid 2164, process 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0, process 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
- Kills process with taskkill (1 IoC)
  pid 4580, process taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 4580, process taskkill.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 4144, process 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
  pid 4144, process 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
  pid 2164, process 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
  pid 2164, process 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4144 wrote to memory of 2036 | 4144 | 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe | 84
  PID 4144 wrote to memory of 2036 | 4144 | 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe | 84
  PID 4144 wrote to memory of 2036 | 4144 | 4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe | 84
  PID 2036 wrote to memory of 4580 | 2036 | cmd.exe | 86
  PID 2036 wrote to memory of 4580 | 2036 | cmd.exe | 86
  PID 2036 wrote to memory of 4580 | 2036 | cmd.exe | 86
  PID 2036 wrote to memory of 2164 | 2036 | cmd.exe | 88
  PID 2036 wrote to memory of 2164 | 2036 | cmd.exe | 88
  PID 2036 wrote to memory of 2164 | 2036 | cmd.exe | 88
Processes
1. C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4144
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c taskkill /f /im "4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe" &start "" "4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe" &exit
      - Suspicious use of WriteProcessMemory
      PID: 2036
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /f /im "4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe"
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID: 4580
      3. C:\Users\Admin\AppData\Local\Temp\4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe
         Command line: "4b65976bb96e78fd4f16ba4c1cdddc1f6c5202a53cba52abcd28f5fb4a30ac7c.exe"
         - Loads dropped DLL
         - Writes to the Master Boot Record (MBR)
         - Suspicious use of SetWindowsHookEx
         PID: 2164
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
  MD5: 031ad1ecd93701d39265771942ec716c
  SHA1: cb3ef507bf0e848894fbb96a29bfc94a0c302152
  SHA256: 9a7fde2ea7883701bf858e0daef74d787a31c3cbd9f1171cec0a3a382ee9e6ba
  SHA512: 374dab32b6304834c7acd8b5e6701ece016bf57d3abdd416ef2b63f7cbda24c9e59f9dfc27b6823ac6256bbab38aace74334dec7d57f1ef6cb9b80c239003bae