Analysis
max time kernel: 133s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/05/2024, 08:26
Static task: static1
Behavioral task: behavioral1
  Sample: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
  Resource: win10v2004-20240508-en
General
Target: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
Size: 6.0MB
MD5: 5d5b93f25b42d83ccbe3b6d99f1ec66e
SHA1: 6eb2a4ac6861856eddd1ab0be1ecb655153948a8
SHA256: 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918
SHA512: b8c93db5c3838859c549c8da3b43152525a0849b1262a03e251d6c1d0096048dd33bb1382fcd1ff1e54305caf7ba0d97ea32994f961b59e2e43b26ea647c730f
SSDEEP: 98304:TuBRQ2yBDa74Y15sPc9q/Un5TJ5yNivnAa/6D6J+oTpEBUQGA1Ypvm:s15TJMSBGjtGA18v
Malware Config
Signatures
- Loads dropped DLL (1 IoCs)
  pid | Process
  4440 | 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
- Kills process with taskkill (1 IoCs)
  pid | Process
  4296 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4296 | taskkill.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  4972 | 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
  4972 | 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
  4440 | 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
  4440 | 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4972 wrote to memory of 4520 | 4972 | 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe | 92
  PID 4972 wrote to memory of 4520 | 4972 | 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe | 92
  PID 4972 wrote to memory of 4520 | 4972 | 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe | 92
  PID 4520 wrote to memory of 4296 | 4520 | cmd.exe | 94
  PID 4520 wrote to memory of 4296 | 4520 | cmd.exe | 94
  PID 4520 wrote to memory of 4296 | 4520 | cmd.exe | 94
  PID 4520 wrote to memory of 4440 | 4520 | cmd.exe | 97
  PID 4520 wrote to memory of 4440 | 4520 | cmd.exe | 97
  PID 4520 wrote to memory of 4440 | 4520 | cmd.exe | 97
Processes
C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4972
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c taskkill /f /im "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe" &start "" "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe" &exit
    - Suspicious use of WriteProcessMemory
    PID:4520
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:4296
    C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
      Command line: "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetWindowsHookEx
      PID:4440
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:8
  PID:3116
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.6MB
MD5: 031ad1ecd93701d39265771942ec716c
SHA1: cb3ef507bf0e848894fbb96a29bfc94a0c302152
SHA256: 9a7fde2ea7883701bf858e0daef74d787a31c3cbd9f1171cec0a3a382ee9e6ba
SHA512: 374dab32b6304834c7acd8b5e6701ece016bf57d3abdd416ef2b63f7cbda24c9e59f9dfc27b6823ac6256bbab38aace74334dec7d57f1ef6cb9b80c239003bae