Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
27-10-2024 22:21
General
-
Target
winpirate-master/Tools/winaudit/WinAudit.exe
-
Size
1.6MB
-
MD5
92ade3b6212b1e6ec3ee3a140cbf80ac
-
SHA1
2a6fe60418f85d42c04204063be3b23e23722b60
-
SHA256
56f4763af00801c5eb80c39f141a563069669def9f98c1798c0f4b4094f34821
-
SHA512
ec5bf40c6674959c2754ad72ef66b44b04d6dcf6c3a57d96416553e82fd54d241e16995a65dbd2c2c87b5e6724f0a9e2b09d7492cc9b3e109d62705c4b9d7ec0
-
SSDEEP
24576:UJ6mtXMwELTFr2YAPilNa7Dg7E5SRS5vg914lLihcRuyM1SOQj:mtXMjLJrzqiTOEMVflLi+RuyM1SOQj
Malware Config
Signatures
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\winpirate-master\Tools\winaudit\WinAudit.exe"C:\Users\Admin\AppData\Local\Temp\winpirate-master\Tools\winaudit\WinAudit.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Remote Services: SMB/Windows Admin Shares
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵