e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 20:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe
Size

2.4MB
MD5

cec712e185b0cbb78e1a2afce9dee0fc
SHA1

f42955d357864b416276dc35672ec556f95071af
SHA256

e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3
SHA512

fc346f5615a5cd453c612b0418623bc39e0b96252bc301ff209b7b15ba3b9b45dd4fdcd2fbc5576519529bc69c7be91b630b9f88ef007cd0d482619550fe9b8e
SSDEEP

49152:JoNgRf9tTkvqHWzKVcBd6o6nt2rK09G4lyo0ZacSiLUswRI/CIJI:J+Qf7cqA0bt2rK09cohiLUbQJJI

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe
1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe
1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe
Token: SeIncreaseQuotaPrivilege	10788	WMIC.exe
Token: SeSecurityPrivilege	10788	WMIC.exe
Token: SeTakeOwnershipPrivilege	10788	WMIC.exe
Token: SeLoadDriverPrivilege	10788	WMIC.exe
Token: SeSystemProfilePrivilege	10788	WMIC.exe
Token: SeSystemtimePrivilege	10788	WMIC.exe
Token: SeProfSingleProcessPrivilege	10788	WMIC.exe
Token: SeIncBasePriorityPrivilege	10788	WMIC.exe
Token: SeCreatePagefilePrivilege	10788	WMIC.exe
Token: SeBackupPrivilege	10788	WMIC.exe
Token: SeRestorePrivilege	10788	WMIC.exe
Token: SeShutdownPrivilege	10788	WMIC.exe
Token: SeDebugPrivilege	10788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	10788	WMIC.exe
Token: SeRemoteShutdownPrivilege	10788	WMIC.exe
Token: SeUndockPrivilege	10788	WMIC.exe
Token: SeManageVolumePrivilege	10788	WMIC.exe
Token: 33	10788	WMIC.exe
Token: 34	10788	WMIC.exe
Token: 35	10788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	10788	WMIC.exe
Token: SeSecurityPrivilege	10788	WMIC.exe
Token: SeTakeOwnershipPrivilege	10788	WMIC.exe
Token: SeLoadDriverPrivilege	10788	WMIC.exe
Token: SeSystemProfilePrivilege	10788	WMIC.exe
Token: SeSystemtimePrivilege	10788	WMIC.exe
Token: SeProfSingleProcessPrivilege	10788	WMIC.exe
Token: SeIncBasePriorityPrivilege	10788	WMIC.exe
Token: SeCreatePagefilePrivilege	10788	WMIC.exe
Token: SeBackupPrivilege	10788	WMIC.exe
Token: SeRestorePrivilege	10788	WMIC.exe
Token: SeShutdownPrivilege	10788	WMIC.exe
Token: SeDebugPrivilege	10788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	10788	WMIC.exe
Token: SeRemoteShutdownPrivilege	10788	WMIC.exe
Token: SeUndockPrivilege	10788	WMIC.exe
Token: SeManageVolumePrivilege	10788	WMIC.exe
Token: 33	10788	WMIC.exe
Token: 34	10788	WMIC.exe
Token: 35	10788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	10896	WMIC.exe
Token: SeSecurityPrivilege	10896	WMIC.exe
Token: SeTakeOwnershipPrivilege	10896	WMIC.exe
Token: SeLoadDriverPrivilege	10896	WMIC.exe
Token: SeSystemProfilePrivilege	10896	WMIC.exe
Token: SeSystemtimePrivilege	10896	WMIC.exe
Token: SeProfSingleProcessPrivilege	10896	WMIC.exe
Token: SeIncBasePriorityPrivilege	10896	WMIC.exe
Token: SeCreatePagefilePrivilege	10896	WMIC.exe
Token: SeBackupPrivilege	10896	WMIC.exe
Token: SeRestorePrivilege	10896	WMIC.exe
Token: SeShutdownPrivilege	10896	WMIC.exe
Token: SeDebugPrivilege	10896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	10896	WMIC.exe
Token: SeRemoteShutdownPrivilege	10896	WMIC.exe
Token: SeUndockPrivilege	10896	WMIC.exe
Token: SeManageVolumePrivilege	10896	WMIC.exe
Token: 33	10896	WMIC.exe
Token: 34	10896	WMIC.exe
Token: 35	10896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	10896	WMIC.exe
Token: SeSecurityPrivilege	10896	WMIC.exe
Token: SeTakeOwnershipPrivilege	10896	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe
1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe
1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe
1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe
1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 10764	1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe	28
PID 1976 wrote to memory of 10764	1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe	28
PID 1976 wrote to memory of 10764	1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe	28
PID 1976 wrote to memory of 10764	1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe	28
PID 10764 wrote to memory of 10788	10764	cmd.exe	30
PID 10764 wrote to memory of 10788	10764	cmd.exe	30
PID 10764 wrote to memory of 10788	10764	cmd.exe	30
PID 10764 wrote to memory of 10788	10764	cmd.exe	30
PID 1976 wrote to memory of 10872	1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe	32
PID 1976 wrote to memory of 10872	1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe	32
PID 1976 wrote to memory of 10872	1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe	32
PID 1976 wrote to memory of 10872	1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe	32
PID 10872 wrote to memory of 10896	10872	cmd.exe	34
PID 10872 wrote to memory of 10896	10872	cmd.exe	34
PID 10872 wrote to memory of 10896	10872	cmd.exe	34
PID 10872 wrote to memory of 10896	10872	cmd.exe	34
PID 1976 wrote to memory of 10928	1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe	35
PID 1976 wrote to memory of 10928	1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe	35
PID 1976 wrote to memory of 10928	1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe	35
PID 1976 wrote to memory of 10928	1976	e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe	35
PID 10928 wrote to memory of 10952	10928	cmd.exe	37
PID 10928 wrote to memory of 10952	10928	cmd.exe	37
PID 10928 wrote to memory of 10952	10928	cmd.exe	37
PID 10928 wrote to memory of 10952	10928	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe
"C:\Users\Admin\AppData\Local\Temp\e03f3440c2892c475f8d6d6d9367d113367b61f7a2fa686db006809a1cfb81f3.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic cpu get name/value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10764
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name/value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:10788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10872
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic Path Win32_DisplayConfiguration get DeviceName/value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:10896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10928
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
    3⤵
    PID:10952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1976-0-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1976-1-0x0000000076730000-0x0000000076777000-memory.dmp

Filesize
284KB

Download
memory/1976-503-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-508-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-532-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-556-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-504-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-506-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-564-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-562-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-560-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-558-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-554-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-552-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-550-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-548-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-546-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-544-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-542-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-540-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-538-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-536-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-534-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-530-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-528-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-527-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-524-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-522-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-520-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-518-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-516-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-514-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-512-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-510-0x0000000002870000-0x0000000002981000-memory.dmp

Filesize
1.1MB

Download
memory/1976-2239-0x00000000025C0000-0x0000000002741000-memory.dmp

Filesize
1.5MB

Download
memory/1976-7852-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads