Overview

overview

7

Static

static

3

3e2e1e6bce...18.exe

windows7-x64

7

3e2e1e6bce...18.exe

windows10-2004-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$R0.exe

windows7-x64

6

$R0.exe

windows10-2004-x64

6

StartPage/$R0.html

windows7-x64

1

StartPage/$R0.html

windows10-2004-x64

1

StartPage/Local/ie.js

windows7-x64

3

StartPage/Local/ie.js

windows10-2004-x64

3

StartPage/...e.html

windows7-x64

1

StartPage/...e.html

windows10-2004-x64

1

StartPage/...k.html

windows7-x64

1

StartPage/...k.html

windows10-2004-x64

1

StartPage/...x.html

windows7-x64

1

StartPage/...x.html

windows10-2004-x64

1

StartPage/Local/wk.js

windows7-x64

3

StartPage/Local/wk.js

windows10-2004-x64

3

StartPage/...x.html

windows7-x64

1

StartPage/...x.html

windows10-2004-x64

1

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    12/07/2024, 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $R0.exe

  • Size

    3.0MB

  • MD5

    202f948151cd7738196cabfac6866829

  • SHA1

    d330ab04076fc628d74919da02a21040df8a9683

  • SHA256

    07558bed88e2a291c6b2dfad6e538a114b344b95bdba46d21a96c3eb79f8b2c9

  • SHA512

    698d1c561e56b0102bc4538ae69d47de636348ec3cab90f6572a309b9b12199927cc595b38a5db3101e1024fe594a7ba805b50327c46281a28cd02824055f09c

  • SSDEEP

    49152:Spul+gUMSUQGNkyzKiIImN8uh8A/nRJHV2AAPUo4M:r67GNkyzKp8uh8gn/1qP9z

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$R0.exe
    "C:\Users\Admin\AppData\Local\Temp\$R0.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1288
      2⤵
      • Program crash
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2092-0-0x000000006FFF0000-0x0000000070000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2092-4-0x00000000765A4000-0x00000000765A5000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2092-7-0x000000006FFF0000-0x0000000070000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2092-8-0x0000000076590000-0x00000000766A0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2092-9-0x000000006FFF0000-0x0000000070000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2092-24-0x0000000076590000-0x00000000766A0000-memory.dmp

    Filesize

    1.1MB

    Download