Malware Analysis Report

2024-10-18 22:06

Sample ID 240611-ry7dcszhle
Target [email protected]
SHA256 9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
Tags
bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

Threat Level: Shows suspicious behavior

The file [email protected] was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Deletes itself

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 14:37

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 14:37

Reported

2024-06-11 14:38

Platform

win7-20240508-en

Max time kernel

3s

Max time network

4s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Signatures

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\sys3.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\sys3.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\[email protected]
Target: N/A

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\[email protected]
Target: N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator: \??\PHYSICALDRIVE0
Process: C:\Users\Admin\AppData\Local\Temp\sys3.exe
Target: N/A

Description: File opened for modification
Indicator: \??\PHYSICALDRIVE0
Process: C:\Users\Admin\AppData\Local\Temp\[email protected]
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeShutdownPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\sys3.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\sys3.exe

C:\Users\Admin\AppData\Local\Temp\\sys3.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/1224-0-0x000000002AA00000-0x000000002AA24000-memory.dmp

\Users\Admin\AppData\Local\Temp\sys3.exe

MD5 70108103a53123201ceb2e921fcfe83c
SHA1 c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
SHA256 9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
SHA512 996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

memory/1224-9-0x000000002AA00000-0x000000002AA24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\systm.txt

MD5 ab7368e081dc109f4133ffd943c98b74
SHA1 1847691b3535b25f368389327543392eafd3e4fa
SHA256 6c2c3417ded140721c60368f64f02b4d4ed5f39b528450b75d2475da4b80c1ae
SHA512 e59e763b66ab716a72d3121d8a8b9b6a2dd4beb89e949202ae55ef0a1cef316d56071df8a41a587c605d1575c18f2f4f3a41d2cb174a89558722e9730a913912

memory/2580-12-0x0000000002E10000-0x0000000002E11000-memory.dmp

memory/2524-13-0x0000000002B30000-0x0000000002B31000-memory.dmp