Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 26/05/2024, 08:26

Static task: static1

Behavioral task: behavioral1
  Sample: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
  Resource: win10v2004-20240508-en
General
Target: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
Size: 6.0MB
MD5: 5d5b93f25b42d83ccbe3b6d99f1ec66e
SHA1: 6eb2a4ac6861856eddd1ab0be1ecb655153948a8
SHA256: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918
SHA512: b8c93db5c3838859c549c8da3b43152525a0849b1262a03e251d6c1d0096048dd33bb1382fcd1ff1e54305caf7ba0d97ea32994f961b59e2e43b26ea647c730f
SSDEEP: 98304:TuBRQ2yBDa74Y15sPc9q/Un5TJ5yNivnAa/6D6J+oTpEBUQGA1Ypvm:s15TJMSBGjtGA18v
Malware Config
Signatures
Loads dropped DLL (1 IoC)
pid: 2608; Process: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description: File opened for modification; ioc: \??\PhysicalDrive0; Process: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

Kills process with taskkill (1 IoC)
pid: 2616; Process: taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege; pid: 2616; Process: taskkill.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid: 2128; Process: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
pid: 2128; Process: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
pid: 2608; Process: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
pid: 2608; Process: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description: PID 2128 wrote to memory of 2492; pid: 2128; Process: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe; procid_target: 28
description: PID 2128 wrote to memory of 2492; pid: 2128; Process: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe; procid_target: 28
description: PID 2128 wrote to memory of 2492; pid: 2128; Process: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe; procid_target: 28
description: PID 2128 wrote to memory of 2492; pid: 2128; Process: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe; procid_target: 28
description: PID 2492 wrote to memory of 2616; pid: 2492; Process: cmd.exe; procid_target: 30
description: PID 2492 wrote to memory of 2616; pid: 2492; Process: cmd.exe; procid_target: 30
description: PID 2492 wrote to memory of 2616; pid: 2492; Process: cmd.exe; procid_target: 30
description: PID 2492 wrote to memory of 2616; pid: 2492; Process: cmd.exe; procid_target: 30
description: PID 2492 wrote to memory of 2608; pid: 2492; Process: cmd.exe; procid_target: 32
description: PID 2492 wrote to memory of 2608; pid: 2492; Process: cmd.exe; procid_target: 32
description: PID 2492 wrote to memory of 2608; pid: 2492; Process: cmd.exe; procid_target: 32
description: PID 2492 wrote to memory of 2608; pid: 2492; Process: cmd.exe; procid_target: 32
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2128

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c taskkill /f /im "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe" &start "" "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe" &exit
    - Suspicious use of WriteProcessMemory
    PID: 2492

    Level 3: C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2616

    Level 3: C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
      Command line: "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetWindowsHookEx
      PID: 2608
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.6MB
MD5: 031ad1ecd93701d39265771942ec716c
SHA1: cb3ef507bf0e848894fbb96a29bfc94a0c302152
SHA256: 9a7fde2ea7883701bf858e0daef74d787a31c3cbd9f1171cec0a3a382ee9e6ba
SHA512: 374dab32b6304834c7acd8b5e6701ece016bf57d3abdd416ef2b63f7cbda24c9e59f9dfc27b6823ac6256bbab38aace74334dec7d57f1ef6cb9b80c239003bae