006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe
Size

2.4MB
MD5

dc78b858ee8619d20abab7c958ca7144
SHA1

5c091ec3ce31e24e68bd257f868a0c9ee9b06de9
SHA256

006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c
SHA512

c8eb2ec2f540d12941d38a7f7654716dd3949cc1a77754ff4b5d5f14a323c1a536059a065d377a16218863d7c157f614e4c1d39d34bbfd981a2348e662182544
SSDEEP

49152:JoNgRf9tTkvqHWzKVcBd6o6nt2rK09G4lyo0ZacSiLUswRI/CIJb:J+Qf7cqA0bt2rK09cohiLUbQJJb

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe
2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe
Token: SeIncreaseQuotaPrivilege	10612	WMIC.exe
Token: SeSecurityPrivilege	10612	WMIC.exe
Token: SeTakeOwnershipPrivilege	10612	WMIC.exe
Token: SeLoadDriverPrivilege	10612	WMIC.exe
Token: SeSystemProfilePrivilege	10612	WMIC.exe
Token: SeSystemtimePrivilege	10612	WMIC.exe
Token: SeProfSingleProcessPrivilege	10612	WMIC.exe
Token: SeIncBasePriorityPrivilege	10612	WMIC.exe
Token: SeCreatePagefilePrivilege	10612	WMIC.exe
Token: SeBackupPrivilege	10612	WMIC.exe
Token: SeRestorePrivilege	10612	WMIC.exe
Token: SeShutdownPrivilege	10612	WMIC.exe
Token: SeDebugPrivilege	10612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	10612	WMIC.exe
Token: SeRemoteShutdownPrivilege	10612	WMIC.exe
Token: SeUndockPrivilege	10612	WMIC.exe
Token: SeManageVolumePrivilege	10612	WMIC.exe
Token: 33	10612	WMIC.exe
Token: 34	10612	WMIC.exe
Token: 35	10612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	10612	WMIC.exe
Token: SeSecurityPrivilege	10612	WMIC.exe
Token: SeTakeOwnershipPrivilege	10612	WMIC.exe
Token: SeLoadDriverPrivilege	10612	WMIC.exe
Token: SeSystemProfilePrivilege	10612	WMIC.exe
Token: SeSystemtimePrivilege	10612	WMIC.exe
Token: SeProfSingleProcessPrivilege	10612	WMIC.exe
Token: SeIncBasePriorityPrivilege	10612	WMIC.exe
Token: SeCreatePagefilePrivilege	10612	WMIC.exe
Token: SeBackupPrivilege	10612	WMIC.exe
Token: SeRestorePrivilege	10612	WMIC.exe
Token: SeShutdownPrivilege	10612	WMIC.exe
Token: SeDebugPrivilege	10612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	10612	WMIC.exe
Token: SeRemoteShutdownPrivilege	10612	WMIC.exe
Token: SeUndockPrivilege	10612	WMIC.exe
Token: SeManageVolumePrivilege	10612	WMIC.exe
Token: 33	10612	WMIC.exe
Token: 34	10612	WMIC.exe
Token: 35	10612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	10752	WMIC.exe
Token: SeSecurityPrivilege	10752	WMIC.exe
Token: SeTakeOwnershipPrivilege	10752	WMIC.exe
Token: SeLoadDriverPrivilege	10752	WMIC.exe
Token: SeSystemProfilePrivilege	10752	WMIC.exe
Token: SeSystemtimePrivilege	10752	WMIC.exe
Token: SeProfSingleProcessPrivilege	10752	WMIC.exe
Token: SeIncBasePriorityPrivilege	10752	WMIC.exe
Token: SeCreatePagefilePrivilege	10752	WMIC.exe
Token: SeBackupPrivilege	10752	WMIC.exe
Token: SeRestorePrivilege	10752	WMIC.exe
Token: SeShutdownPrivilege	10752	WMIC.exe
Token: SeDebugPrivilege	10752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	10752	WMIC.exe
Token: SeRemoteShutdownPrivilege	10752	WMIC.exe
Token: SeUndockPrivilege	10752	WMIC.exe
Token: SeManageVolumePrivilege	10752	WMIC.exe
Token: 33	10752	WMIC.exe
Token: 34	10752	WMIC.exe
Token: 35	10752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	10752	WMIC.exe
Token: SeSecurityPrivilege	10752	WMIC.exe
Token: SeTakeOwnershipPrivilege	10752	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe
2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe
2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe
2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe
2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 10580	2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe	28
PID 2292 wrote to memory of 10580	2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe	28
PID 2292 wrote to memory of 10580	2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe	28
PID 2292 wrote to memory of 10580	2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe	28
PID 10580 wrote to memory of 10612	10580	cmd.exe	30
PID 10580 wrote to memory of 10612	10580	cmd.exe	30
PID 10580 wrote to memory of 10612	10580	cmd.exe	30
PID 10580 wrote to memory of 10612	10580	cmd.exe	30
PID 2292 wrote to memory of 10728	2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe	32
PID 2292 wrote to memory of 10728	2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe	32
PID 2292 wrote to memory of 10728	2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe	32
PID 2292 wrote to memory of 10728	2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe	32
PID 10728 wrote to memory of 10752	10728	cmd.exe	34
PID 10728 wrote to memory of 10752	10728	cmd.exe	34
PID 10728 wrote to memory of 10752	10728	cmd.exe	34
PID 10728 wrote to memory of 10752	10728	cmd.exe	34
PID 2292 wrote to memory of 10784	2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe	35
PID 2292 wrote to memory of 10784	2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe	35
PID 2292 wrote to memory of 10784	2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe	35
PID 2292 wrote to memory of 10784	2292	006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe	35
PID 10784 wrote to memory of 10808	10784	cmd.exe	37
PID 10784 wrote to memory of 10808	10784	cmd.exe	37
PID 10784 wrote to memory of 10808	10784	cmd.exe	37
PID 10784 wrote to memory of 10808	10784	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe
"C:\Users\Admin\AppData\Local\Temp\006d858bd4cc987dce20565d811ea5ad9b00f49ae33ed0f73f29f8bbd9203c9c.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic cpu get name/value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10580
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name/value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:10612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10728
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic Path Win32_DisplayConfiguration get DeviceName/value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:10752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:10784
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
    3⤵
    PID:10808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2292-0-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/2292-1-0x0000000075E80000-0x0000000075EC7000-memory.dmp

Filesize
284KB

Download
memory/2292-503-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-520-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-530-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-504-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-506-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-508-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-510-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-536-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-534-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-532-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-528-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-526-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-544-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-546-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-524-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-550-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-552-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-522-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-518-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-516-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-515-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-512-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-562-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-566-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-564-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-560-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-558-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-556-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-555-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-548-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-542-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-540-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-538-0x0000000002820000-0x0000000002931000-memory.dmp

Filesize
1.1MB

Download
memory/2292-7792-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads