Analysis
-
max time kernel
28s -
max time network
23s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
26-05-2024 13:00
Errors
Reason
Machine shutdown
General
-
Target
36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe
-
Size
4.6MB
-
MD5
3163018748a2654f8a4f163ddef28a70
-
SHA1
578ff40fcf01877dd1f481f556d1c97b5e50c191
-
SHA256
36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a
-
SHA512
db6bcff1a28560d696cff104bdf87787e4673f22489257ff77f8ab14a71d3aeb568b0c1a8df32b8e1cb17d05e6fa339a7261761c8dde0845f697023eef76b07d
-
SSDEEP
98304:/kUz/fTQSl103cP+7AVqETc5X0XxzXsVrFrJ24fiE:lzvl10PA4MM0Xxzw2Op
Score
6/10
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe"C:\Users\Admin\AppData\Local\Temp\36d695e2dc5f58e1766c4e77a41414491e87eca29e0c249a7c4fc91866f3b21a.exe"1⤵
- Writes to the Master Boot Record (MBR)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wmic path Win32_ComputerSystemProduct get uuid /value2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path Win32_ComputerSystemProduct get uuid /value3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wmic path Win32_ComputerSystemProduct get uuid /value2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path Win32_ComputerSystemProduct get uuid /value3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wmic path Win32_ComputerSystemProduct get uuid /value2⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3959055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3756-0-0x0000000000400000-0x000000000119D4A4-memory.dmpFilesize
13.6MB
-
memory/3756-1-0x0000000000400000-0x000000000119D4A4-memory.dmpFilesize
13.6MB