d086ec01d175e527e948536f996f9ba56227c21a37df62fbd7e57e4d724e5fbd

Analysis

max time kernel
395s
max time network
373s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MalwareDatabase-master.zip
Size

234.4MB
MD5

d4f679b3b5516b295aa6a749c21bd9fe
SHA1

dbe6e8abae54bc5e8a55a2dc285568f38eb47f07
SHA256

d086ec01d175e527e948536f996f9ba56227c21a37df62fbd7e57e4d724e5fbd
SHA512

8be87051cd906f639e5e67156be52e0fd11e50ec821e2fa3a2c1fb075e41b88cd14d31799400c37745ce2cfee4285a16a4b4a7eeed35e21df95381103b20d630
SSDEEP

6291456:xnoDaIYzC3FZwNoD3W9GkTC2/5is6D31MZ:loDXpD3edC2/5i5MZ

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

[email protected]

description ioc process

File opened for modification \??\PhysicalDrive0 [email protected]

description	ioc	process
File opened for modification	\??\PhysicalDrive0	[email protected]

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7zFM.exeAUDIODG.EXE[email protected]

description	pid	process
Token: SeRestorePrivilege	2672	7zFM.exe
Token: 35	2672	7zFM.exe
Token: SeSecurityPrivilege	2672	7zFM.exe
Token: 33	2036	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2036	AUDIODG.EXE
Token: 33	2036	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2036	AUDIODG.EXE
Token: SeShutdownPrivilege	2604	[email protected]

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

2672 7zFM.exe
2672 7zFM.exe

pid	process
2672	7zFM.exe
2672	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MalwareDatabase-master.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2672

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads