188006f5267e1ef35fcff67ab8d013cb95f72e3f450861500da60ef5c969a346

Analysis

max time kernel
136s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PZI_R5P92.exe
Size

123KB
MD5

671d98a5b272d01c604d57f925318c04
SHA1

4198c3513259a401a9e459cf73a6d0a9097ab525
SHA256

188006f5267e1ef35fcff67ab8d013cb95f72e3f450861500da60ef5c969a346
SHA512

dddf1ca71f1c6943dba2cdf1e2355fb2b4c7d64ea8aeef6217d4bedc7b7cbdae1910e3acfa97801d4f6ef71ca8c1fd3b250af94f546d86e057bda0a1b6a2a162
SSDEEP

3072:Zk6LYvJhtPwcP49AGlJ6ZYtQhQg2SCf38CVjqsyGIwhKfzOC334chqDIq/ZigP:26MxhpwFeG36mN8NDLrZU0IZigP

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	PZI_R5P92.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1168	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1168	AUDIODG.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 5080	2564	PZI_R5P92.exe	88
PID 2564 wrote to memory of 5080	2564	PZI_R5P92.exe	88
PID 2564 wrote to memory of 5080	2564	PZI_R5P92.exe	88
PID 5080 wrote to memory of 264	5080	cmd.exe	89
PID 5080 wrote to memory of 264	5080	cmd.exe	89
PID 5080 wrote to memory of 264	5080	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\PZI_R5P92.exe
"C:\Users\Admin\AppData\Local\Temp\PZI_R5P92.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /f takeown /f C:WindowsSystem32 >nul && icacls C:WindowsSystem32 /grant "%username%:F" >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /f takeown /f C:WindowsSystem32
    3⤵
    PID:264

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x4ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads