Overview

overview

7

Static

static

3

8b52f08ea5...dN.exe

windows7-x64

7

8b52f08ea5...dN.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    15s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/11/2024, 02:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b52f08ea571964e542781190341352eaff60bb59d1c753318281987e2beeefdN.exe

  • Size

    4.5MB

  • MD5

    53ee1540be7973bb9faef6609eae6b40

  • SHA1

    2780ca31c48d28346e040d06e1341a28351aa1be

  • SHA256

    8b52f08ea571964e542781190341352eaff60bb59d1c753318281987e2beeefd

  • SHA512

    c801c77431845f4228dc11b0da2c2ee8f52b4be7cf2c695407198bb97200daee89c63ec3c7626638bc55a2f3598a0befd2cca606fe9b7088742475a2d338ba83

  • SSDEEP

    98304:RIGQJSTCuRY/keyYe/Ex1FVFL8IBGJKEDNn4qbUUSnRomB5:aGpzUymxNFL83l+q7g

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b52f08ea571964e542781190341352eaff60bb59d1c753318281987e2beeefdN.exe
    "C:\Users\Admin\AppData\Local\Temp\8b52f08ea571964e542781190341352eaff60bb59d1c753318281987e2beeefdN.exe"
    1⤵
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Falconcy.bat" "
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im 8b52f08ea571964e542781190341352eaff60bb59d1c753318281987e2beeefdN.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3112
      • C:\Windows\system32\timeout.exe
        timeout /t 0
        3⤵
        • Delays execution with timeout.exe
        PID:2024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Falconcy.bat
    Filesize

    246B

    MD5

    7dd2d110545d195f01d44181e2cd892e

    SHA1

    bd8d97c9fbba9189337f249500b7290828553d97

    SHA256

    44b834991f4948adc3a359f27d1c3c21f6876ccf9a3d76b5eae0d52ca4b0c41d

    SHA512

    1c7f1d6fd13470d3eb0283e816b9e053f7938c3f419fd8f260a2e75e615260e9b137b7aba4a5199972d90c68e425a3cb03e09e25aa722e8d56a5248f99a947b8

    Download Submit

  • memory/3052-6-0x0000000077CF0000-0x0000000077CF2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3052-3-0x0000000077CE0000-0x0000000077CE2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3052-1-0x0000000077CE0000-0x0000000077CE2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3052-10-0x0000000077CF0000-0x0000000077CF2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3052-8-0x0000000077CF0000-0x0000000077CF2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3052-0-0x00000001403E4000-0x000000014067C000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3052-11-0x0000000140000000-0x0000000140AF6000-memory.dmp

    Filesize

    11.0MB

    Download

  • memory/3052-15-0x0000000140000000-0x0000000140AF6000-memory.dmp

    Filesize

    11.0MB

    Download

  • memory/3052-16-0x0000000140000000-0x0000000140AF6000-memory.dmp

    Filesize

    11.0MB

    Download

  • memory/3052-17-0x0000000140000000-0x0000000140AF6000-memory.dmp

    Filesize

    11.0MB

    Download

  • memory/3052-5-0x0000000077CE0000-0x0000000077CE2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3052-85-0x00000001403E4000-0x000000014067C000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3052-86-0x0000000140000000-0x0000000140AF6000-memory.dmp

    Filesize

    11.0MB

    Download