7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe
Size

2.3MB
MD5

1bc1d1ef30250b9716a4975271b93154
SHA1

820bb3102bfe232d8270d0214912568ebdf64b49
SHA256

7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70
SHA512

700f974b5ba452ffff36818cc294aa4f60865bafae31987214a1ef3ecbcddabc43cc89d44de2a71ae930ea680af02814a47e3e9626584a9a5eaee57e452ca972
SSDEEP

49152:EySrGORAQcP4sK2JXaz2iAdo/cNatLbhhZoSdJHcZ2IxzT:5SrLlce2ZazSoENobhhnFTIB

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe
2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe
Token: SeIncreaseQuotaPrivilege	6736	WMIC.exe
Token: SeSecurityPrivilege	6736	WMIC.exe
Token: SeTakeOwnershipPrivilege	6736	WMIC.exe
Token: SeLoadDriverPrivilege	6736	WMIC.exe
Token: SeSystemProfilePrivilege	6736	WMIC.exe
Token: SeSystemtimePrivilege	6736	WMIC.exe
Token: SeProfSingleProcessPrivilege	6736	WMIC.exe
Token: SeIncBasePriorityPrivilege	6736	WMIC.exe
Token: SeCreatePagefilePrivilege	6736	WMIC.exe
Token: SeBackupPrivilege	6736	WMIC.exe
Token: SeRestorePrivilege	6736	WMIC.exe
Token: SeShutdownPrivilege	6736	WMIC.exe
Token: SeDebugPrivilege	6736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6736	WMIC.exe
Token: SeRemoteShutdownPrivilege	6736	WMIC.exe
Token: SeUndockPrivilege	6736	WMIC.exe
Token: SeManageVolumePrivilege	6736	WMIC.exe
Token: 33	6736	WMIC.exe
Token: 34	6736	WMIC.exe
Token: 35	6736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6736	WMIC.exe
Token: SeSecurityPrivilege	6736	WMIC.exe
Token: SeTakeOwnershipPrivilege	6736	WMIC.exe
Token: SeLoadDriverPrivilege	6736	WMIC.exe
Token: SeSystemProfilePrivilege	6736	WMIC.exe
Token: SeSystemtimePrivilege	6736	WMIC.exe
Token: SeProfSingleProcessPrivilege	6736	WMIC.exe
Token: SeIncBasePriorityPrivilege	6736	WMIC.exe
Token: SeCreatePagefilePrivilege	6736	WMIC.exe
Token: SeBackupPrivilege	6736	WMIC.exe
Token: SeRestorePrivilege	6736	WMIC.exe
Token: SeShutdownPrivilege	6736	WMIC.exe
Token: SeDebugPrivilege	6736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6736	WMIC.exe
Token: SeRemoteShutdownPrivilege	6736	WMIC.exe
Token: SeUndockPrivilege	6736	WMIC.exe
Token: SeManageVolumePrivilege	6736	WMIC.exe
Token: 33	6736	WMIC.exe
Token: 34	6736	WMIC.exe
Token: 35	6736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	7588	WMIC.exe
Token: SeSecurityPrivilege	7588	WMIC.exe
Token: SeTakeOwnershipPrivilege	7588	WMIC.exe
Token: SeLoadDriverPrivilege	7588	WMIC.exe
Token: SeSystemProfilePrivilege	7588	WMIC.exe
Token: SeSystemtimePrivilege	7588	WMIC.exe
Token: SeProfSingleProcessPrivilege	7588	WMIC.exe
Token: SeIncBasePriorityPrivilege	7588	WMIC.exe
Token: SeCreatePagefilePrivilege	7588	WMIC.exe
Token: SeBackupPrivilege	7588	WMIC.exe
Token: SeRestorePrivilege	7588	WMIC.exe
Token: SeShutdownPrivilege	7588	WMIC.exe
Token: SeDebugPrivilege	7588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7588	WMIC.exe
Token: SeRemoteShutdownPrivilege	7588	WMIC.exe
Token: SeUndockPrivilege	7588	WMIC.exe
Token: SeManageVolumePrivilege	7588	WMIC.exe
Token: 33	7588	WMIC.exe
Token: 34	7588	WMIC.exe
Token: 35	7588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	7588	WMIC.exe
Token: SeSecurityPrivilege	7588	WMIC.exe
Token: SeTakeOwnershipPrivilege	7588	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe
2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe
2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe
2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe
2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 6712	2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe	30
PID 2352 wrote to memory of 6712	2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe	30
PID 2352 wrote to memory of 6712	2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe	30
PID 2352 wrote to memory of 6712	2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe	30
PID 6712 wrote to memory of 6736	6712	cmd.exe	32
PID 6712 wrote to memory of 6736	6712	cmd.exe	32
PID 6712 wrote to memory of 6736	6712	cmd.exe	32
PID 6712 wrote to memory of 6736	6712	cmd.exe	32
PID 2352 wrote to memory of 6780	2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe	34
PID 2352 wrote to memory of 6780	2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe	34
PID 2352 wrote to memory of 6780	2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe	34
PID 2352 wrote to memory of 6780	2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe	34
PID 6780 wrote to memory of 7588	6780	cmd.exe	36
PID 6780 wrote to memory of 7588	6780	cmd.exe	36
PID 6780 wrote to memory of 7588	6780	cmd.exe	36
PID 6780 wrote to memory of 7588	6780	cmd.exe	36
PID 2352 wrote to memory of 7604	2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe	37
PID 2352 wrote to memory of 7604	2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe	37
PID 2352 wrote to memory of 7604	2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe	37
PID 2352 wrote to memory of 7604	2352	7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe	37
PID 7604 wrote to memory of 7612	7604	cmd.exe	39
PID 7604 wrote to memory of 7612	7604	cmd.exe	39
PID 7604 wrote to memory of 7612	7604	cmd.exe	39
PID 7604 wrote to memory of 7612	7604	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe
"C:\Users\Admin\AppData\Local\Temp\7bff585baeb946991d50d5ca92701d2759e0be8abf5ef945b06544964a2c3d70.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic cpu get name/value
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6712
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name/value
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6780
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic Path Win32_DisplayConfiguration get DeviceName/value
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:7588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:7604
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2352-0-0x0000000000400000-0x0000000000872000-memory.dmp

Filesize
4.4MB

Download
memory/2352-1-0x00000000773E0000-0x0000000077427000-memory.dmp

Filesize
284KB

Download
memory/2352-503-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-510-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-516-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-520-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-526-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-530-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-536-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-546-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-562-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-564-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-560-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-558-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-556-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-554-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-552-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-550-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-548-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-544-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-542-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-540-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-538-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-534-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-532-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-528-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-524-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-522-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-518-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-514-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-512-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-508-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-506-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-504-0x00000000026B0000-0x00000000027C1000-memory.dmp

Filesize
1.1MB

Download
memory/2352-2239-0x0000000002520000-0x00000000026A1000-memory.dmp

Filesize
1.5MB

Download
memory/2352-7792-0x0000000000400000-0x0000000000872000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads