5c4d8b86d7a87afd63480fff2541c51fd089f4d43905364f2f653095ca024594

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$R0.exe
Size

3.0MB
MD5

a08fd6b425099dc32db7318fc9a78591
SHA1

660653eba914c23702f9b25d52e3d6cdeadd8726
SHA256

b2ad90b6d449a756f13391e414b6497706b86f58906ae339070481a8c240e91f
SHA512

02e99b8e884c0ee84e1fdaf6926a8156e4cf4bcef1709fd8c86ca8968190d6870840d79e37e4d507d1dcd6e84aca45f7ad71a9c7b90c42a149dd7f259809a6dd
SSDEEP

49152:LQr1Prz8LG9mg2Un4EI608/v0JV14uEZCIh12AAPUosg:cvT9mg2Un4F8/8JguEZC4qP97

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	$R0.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2648	1876	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$R0.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1876	$R0.exe
1876	$R0.exe
1876	$R0.exe
1876	$R0.exe
1876	$R0.exe
1876	$R0.exe
1876	$R0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1876	$R0.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1876	$R0.exe
1876	$R0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2648	1876	$R0.exe	31
PID 1876 wrote to memory of 2648	1876	$R0.exe	31
PID 1876 wrote to memory of 2648	1876	$R0.exe	31
PID 1876 wrote to memory of 2648	1876	$R0.exe	31

C:\Users\Admin\AppData\Local\Temp\$R0.exe
"C:\Users\Admin\AppData\Local\Temp\$R0.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1392
  2⤵
  - Program crash
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1876-0-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1876-4-0x0000000075804000-0x0000000075805000-memory.dmp

Filesize
4KB

Download
memory/1876-5-0x00000000757F0000-0x0000000075900000-memory.dmp

Filesize
1.1MB

Download
memory/1876-8-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1876-9-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1876-26-0x00000000757F0000-0x0000000075900000-memory.dmp

Filesize
1.1MB

Download