8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe
Size

2.4MB
MD5

e17aefe831d5f047372ba7810b711c48
SHA1

524435d95713a9e3cd3e039ef786a0c0dcbf3f46
SHA256

8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760
SHA512

e9a08d9c6621837bbe4c1e89462721a6166f17bbeb966b84d6442f4db077f06659108003386859ac3ef937abf0adfd37b2bbd2ab7fedfbb9fa67efbbbb1517ae
SSDEEP

49152:JoNgRf9tTkvqHWzKVcBd6o6nt2rK09G4lyo0ZacSiLUswRI/CIJH:J+Qf7cqA0bt2rK09cohiLUbQJJH

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe
1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe
Token: SeIncreaseQuotaPrivilege	11408	WMIC.exe
Token: SeSecurityPrivilege	11408	WMIC.exe
Token: SeTakeOwnershipPrivilege	11408	WMIC.exe
Token: SeLoadDriverPrivilege	11408	WMIC.exe
Token: SeSystemProfilePrivilege	11408	WMIC.exe
Token: SeSystemtimePrivilege	11408	WMIC.exe
Token: SeProfSingleProcessPrivilege	11408	WMIC.exe
Token: SeIncBasePriorityPrivilege	11408	WMIC.exe
Token: SeCreatePagefilePrivilege	11408	WMIC.exe
Token: SeBackupPrivilege	11408	WMIC.exe
Token: SeRestorePrivilege	11408	WMIC.exe
Token: SeShutdownPrivilege	11408	WMIC.exe
Token: SeDebugPrivilege	11408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	11408	WMIC.exe
Token: SeRemoteShutdownPrivilege	11408	WMIC.exe
Token: SeUndockPrivilege	11408	WMIC.exe
Token: SeManageVolumePrivilege	11408	WMIC.exe
Token: 33	11408	WMIC.exe
Token: 34	11408	WMIC.exe
Token: 35	11408	WMIC.exe
Token: SeIncreaseQuotaPrivilege	11408	WMIC.exe
Token: SeSecurityPrivilege	11408	WMIC.exe
Token: SeTakeOwnershipPrivilege	11408	WMIC.exe
Token: SeLoadDriverPrivilege	11408	WMIC.exe
Token: SeSystemProfilePrivilege	11408	WMIC.exe
Token: SeSystemtimePrivilege	11408	WMIC.exe
Token: SeProfSingleProcessPrivilege	11408	WMIC.exe
Token: SeIncBasePriorityPrivilege	11408	WMIC.exe
Token: SeCreatePagefilePrivilege	11408	WMIC.exe
Token: SeBackupPrivilege	11408	WMIC.exe
Token: SeRestorePrivilege	11408	WMIC.exe
Token: SeShutdownPrivilege	11408	WMIC.exe
Token: SeDebugPrivilege	11408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	11408	WMIC.exe
Token: SeRemoteShutdownPrivilege	11408	WMIC.exe
Token: SeUndockPrivilege	11408	WMIC.exe
Token: SeManageVolumePrivilege	11408	WMIC.exe
Token: 33	11408	WMIC.exe
Token: 34	11408	WMIC.exe
Token: 35	11408	WMIC.exe
Token: SeIncreaseQuotaPrivilege	11512	WMIC.exe
Token: SeSecurityPrivilege	11512	WMIC.exe
Token: SeTakeOwnershipPrivilege	11512	WMIC.exe
Token: SeLoadDriverPrivilege	11512	WMIC.exe
Token: SeSystemProfilePrivilege	11512	WMIC.exe
Token: SeSystemtimePrivilege	11512	WMIC.exe
Token: SeProfSingleProcessPrivilege	11512	WMIC.exe
Token: SeIncBasePriorityPrivilege	11512	WMIC.exe
Token: SeCreatePagefilePrivilege	11512	WMIC.exe
Token: SeBackupPrivilege	11512	WMIC.exe
Token: SeRestorePrivilege	11512	WMIC.exe
Token: SeShutdownPrivilege	11512	WMIC.exe
Token: SeDebugPrivilege	11512	WMIC.exe
Token: SeSystemEnvironmentPrivilege	11512	WMIC.exe
Token: SeRemoteShutdownPrivilege	11512	WMIC.exe
Token: SeUndockPrivilege	11512	WMIC.exe
Token: SeManageVolumePrivilege	11512	WMIC.exe
Token: 33	11512	WMIC.exe
Token: 34	11512	WMIC.exe
Token: 35	11512	WMIC.exe
Token: SeIncreaseQuotaPrivilege	11512	WMIC.exe
Token: SeSecurityPrivilege	11512	WMIC.exe
Token: SeTakeOwnershipPrivilege	11512	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe
1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe
1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe
1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe
1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 11384	1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe	28
PID 1056 wrote to memory of 11384	1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe	28
PID 1056 wrote to memory of 11384	1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe	28
PID 1056 wrote to memory of 11384	1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe	28
PID 11384 wrote to memory of 11408	11384	cmd.exe	30
PID 11384 wrote to memory of 11408	11384	cmd.exe	30
PID 11384 wrote to memory of 11408	11384	cmd.exe	30
PID 11384 wrote to memory of 11408	11384	cmd.exe	30
PID 1056 wrote to memory of 11488	1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe	32
PID 1056 wrote to memory of 11488	1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe	32
PID 1056 wrote to memory of 11488	1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe	32
PID 1056 wrote to memory of 11488	1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe	32
PID 11488 wrote to memory of 11512	11488	cmd.exe	34
PID 11488 wrote to memory of 11512	11488	cmd.exe	34
PID 11488 wrote to memory of 11512	11488	cmd.exe	34
PID 11488 wrote to memory of 11512	11488	cmd.exe	34
PID 1056 wrote to memory of 11544	1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe	35
PID 1056 wrote to memory of 11544	1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe	35
PID 1056 wrote to memory of 11544	1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe	35
PID 1056 wrote to memory of 11544	1056	8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe	35
PID 11544 wrote to memory of 11568	11544	cmd.exe	37
PID 11544 wrote to memory of 11568	11544	cmd.exe	37
PID 11544 wrote to memory of 11568	11544	cmd.exe	37
PID 11544 wrote to memory of 11568	11544	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe
"C:\Users\Admin\AppData\Local\Temp\8faa39645a93063dba6029b7375ebecfa6fde50d5343f872041296b4374b1760.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic cpu get name/value
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:11384
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name/value
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:11408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:11488
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic Path Win32_DisplayConfiguration get DeviceName/value
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:11512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:11544
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-0-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1056-1-0x0000000075910000-0x0000000075957000-memory.dmp

Filesize
284KB

Download
memory/1056-504-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-503-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-506-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-560-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-508-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-510-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-512-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-514-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-516-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-518-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-520-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-522-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-524-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-526-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-528-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-530-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-532-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-534-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-536-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-538-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-540-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-542-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-544-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-546-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-548-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-550-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-552-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-554-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-556-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-558-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-562-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-564-0x0000000002710000-0x0000000002821000-memory.dmp

Filesize
1.1MB

Download
memory/1056-2239-0x0000000002580000-0x0000000002701000-memory.dmp

Filesize
1.5MB

Download
memory/1056-7792-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads