Overview

overview

10

Static

static

10

aaaa/enc.exe

windows7-x64

10

aaaa/info.docx

windows7-x64

4

aaaa/wiper.exe

windows7-x64

Analysis

  • max time kernel
    10s
  • max time network
    12s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    23-10-2024 07:25

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    aaaa/wiper.exe

  • Size

    2.4MB

  • MD5

    ed5815ddad8188c198e0e52114173cb6

  • SHA1

    4a0b8c5fac5820a410670c01f41912094d7a5134

  • SHA256

    63a0a75c6b2e4bf8582578a1da1daeeb9d713dafbc2dbb690fefd84fd05994fa

  • SHA512

    fab3129ee8e1aaa19006c09757ef4eb2af4af58eec978ee2ab8a18ae848affc871e522b47d4f59314b15978c88255da9198639f74343f24da2550eff3ff9db3d

  • SSDEEP

    49152:TyKnmL7yc3OaL+rb/TnvO90d7HjmAFd4A64nsfJLSKYgy2YgDgvrAD1GYUI8NEVN:2N3OaFZEEV/eL2

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Drops desktop.ini file(s) 26 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aaaa\wiper.exe
    "C:\Users\Admin\AppData\Local\Temp\aaaa\wiper.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Windows\system32\cmd.exe
      cmd.exe /c shutdown /S /T 0 /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\system32\shutdown.exe
        shutdown /S /T 0 /F
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1616
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1176
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2076

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1176-925-0x0000000002D80000-0x0000000002D81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2076-926-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

        Filesize

        4KB

        Download