188006f5267e1ef35fcff67ab8d013cb95f72e3f450861500da60ef5c969a346

Analysis

max time kernel
136s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PZI_R5P92.exe
Size

123KB
MD5

671d98a5b272d01c604d57f925318c04
SHA1

4198c3513259a401a9e459cf73a6d0a9097ab525
SHA256

188006f5267e1ef35fcff67ab8d013cb95f72e3f450861500da60ef5c969a346
SHA512

dddf1ca71f1c6943dba2cdf1e2355fb2b4c7d64ea8aeef6217d4bedc7b7cbdae1910e3acfa97801d4f6ef71ca8c1fd3b250af94f546d86e057bda0a1b6a2a162
SSDEEP

3072:Zk6LYvJhtPwcP49AGlJ6ZYtQhQg2SCf38CVjqsyGIwhKfzOC334chqDIq/ZigP:26MxhpwFeG36mN8NDLrZU0IZigP

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	PZI_R5P92.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2688	AUDIODG.EXE
Token: 33	2688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2688	AUDIODG.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2772	2976	PZI_R5P92.exe	31
PID 2976 wrote to memory of 2772	2976	PZI_R5P92.exe	31
PID 2976 wrote to memory of 2772	2976	PZI_R5P92.exe	31
PID 2976 wrote to memory of 2772	2976	PZI_R5P92.exe	31
PID 2772 wrote to memory of 2784	2772	cmd.exe	32
PID 2772 wrote to memory of 2784	2772	cmd.exe	32
PID 2772 wrote to memory of 2784	2772	cmd.exe	32
PID 2772 wrote to memory of 2784	2772	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\PZI_R5P92.exe
"C:\Users\Admin\AppData\Local\Temp\PZI_R5P92.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /f takeown /f C:WindowsSystem32 >nul && icacls C:WindowsSystem32 /grant "%username%:F" >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /f takeown /f C:WindowsSystem32
    3⤵
    PID:2784

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x7c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads