Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/11/2024, 04:34
Static task: static1
Behavioral task: behavioral1
Sample: Token.exe
Resource: win10v2004-20241007-en

General
Target: Token.exe
Size: 63KB
MD5: a40b38a36f2ee380e9f8a150429a0450
SHA1: 853c33a4bde71f05b8965b551ee5926c9d8df51f
SHA256: 8fca9bc0b179fd0b103a73e60dcaa2abe7d7da80822b90ef5d8f32dfc9f742aa
SHA512: df331dfb90e19bc0bb4edcabb86eca4c263a6c67ba98c44d5892a81ed93b83cd8c9f4e21cb267495077c6691d3ffc0d464d5e4b0ca86c68c11a1ae0b322eb1c2
SSDEEP: 1536:cG+t9ngoNh7gVUfmgFNoiBU+TkThv5Iw1EOxxj:cG+lguBFB2FTsw1EOx5
Malware Config
Signatures

Writes to the Master Boot Record (MBR) | 1 TTPs | 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                    ioc                  Process
File opened for modification   \??\PhysicalDrive0   Token.exe
The IoC is a handle to the raw disk device opened with write access; the report records the open, not a confirmed write to sector 0. Confirming a bootkit install needs the first 512 bytes of PhysicalDrive0 from the post-run disk image compared against a clean baseline.

Drops file in Windows directory | 1 IoCs
description                    ioc                             Process
File opened for modification   C:\Windows\AF\ResultCheck.txt   Token.exe

Enumerates physical storage devices | 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery | 1 TTPs | 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WMIC.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WMIC.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WMIC.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Token.exe
This key is read routinely during process start-up, so the seven opens by cmd.exe and WMIC.exe are not behaviour specific to the sample; only the open by Token.exe itself is worth attributing to it, and even that is weak evidence on its own.

Suspicious behavior: EnumeratesProcesses | 4 IoCs
pid    Process
3592   Token.exe   (recorded 4 times)

Suspicious use of AdjustPrivilegeToken | 64 IoCs
Each WMIC.exe instance enabled the same sequence of 21 privileges in its own token:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 4580   WMIC.exe   the sequence above twice (42 IoCs)
pid 1152   WMIC.exe   the sequence above once, then SeIncreaseQuotaPrivilege again (22 IoCs; the 64-entry listing ends here)
The numeric entries are privilege LUIDs the sandbox did not resolve to names; on a stock Windows 10 build LUIDs 33 to 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege present in its token is what wmic.exe does on start-up under an administrator account, so this signature fires for any wmic invocation and adds nothing beyond the fact that the sample uses wmic.

Suspicious use of WriteProcessMemory | 21 IoCs
description                        pid    Process     procid_target
PID 3592 wrote to memory of 2564   3592   Token.exe   84   (recorded 3 times)
PID 2564 wrote to memory of 4580   2564   cmd.exe     85   (recorded 3 times)
PID 3592 wrote to memory of 4768   3592   Token.exe   88   (recorded 3 times)
PID 4768 wrote to memory of 1152   4768   cmd.exe     89   (recorded 3 times)
PID 3592 wrote to memory of 3868   3592   Token.exe   91   (recorded 3 times)
PID 3868 wrote to memory of 4280   3868   cmd.exe     92   (recorded 3 times)
PID 3592 wrote to memory of 4500   3592   Token.exe   97   (recorded 3 times)
Every entry is a parent writing into a child it has just created (the seven pairs are exactly the parent-child edges of the process tree below), which is consistent with ordinary process creation; no write into an unrelated process is recorded.
Processes

C:\Users\Admin\AppData\Local\Temp\Token.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Token.exe"
  PID: 3592
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c wmic bios get serialnumber >> \s3g8
    PID: 2564
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic bios get serialnumber
      PID: 4580
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c wmic cpu get processorid >> \s3g8.1
    PID: 4768
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic cpu get processorid
      PID: 1152
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber >> \s3g8.2
    PID: 3868
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic diskdrive get serialnumber
      PID: 4280
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c pause
    PID: 4500
    - System Location Discovery: System Language Discovery

The image paths are under SysWOW64 while the command lines name system32: Token.exe is a 32-bit process (the run is tagged arch:x86 as well as arch:x64), so its child launches went through WoW64 file system redirection. The three wmic queries each collect a stable hardware identifier (BIOS serial, CPU ProcessorId, disk serial) and append it to \s3g8, \s3g8.1 and \s3g8.2; a backslash-rooted path like \s3g8 resolves to the root of the current drive. The final child runs a bare pause, which waits for console input.
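A detection pass over the events listed above, as an added example that is not part of the sandbox report. The process and file-open records are transcribed by hand from the report; the rule thresholds, the extra WMIC classes in HWID_QUERIES and the ATT&CK technique IDs (T1082 System Information Discovery, T1542.003 Bootkit) are the author's choices, not something the report states. It flags the three-query hardware fingerprinting chain together with the files the output was redirected into, the write-access handle on PhysicalDrive0 as a lead to confirm rather than a verdict, and the WoW64 redirection visible in the tree.

```python
# Added example: re-scoring the sandbox events with three detection rules.
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Transcribed from the "Processes" section of the report (pid, ppid, image, command line).
PROCS = [
    Proc(3592, None, r"C:\Users\Admin\AppData\Local\Temp\Token.exe", r'"C:\Users\Admin\AppData\Local\Temp\Token.exe"'),
    Proc(2564, 3592, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c wmic bios get serialnumber >> \s3g8"),
    Proc(4580, 2564, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic bios get serialnumber"),
    Proc(4768, 3592, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c wmic cpu get processorid >> \s3g8.1"),
    Proc(1152, 4768, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic cpu get processorid"),
    Proc(3868, 3592, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber >> \s3g8.2"),
    Proc(4280, 3868, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic diskdrive get serialnumber"),
    Proc(4500, 3592, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c pause"),
]

# Transcribed from the "Signatures" section: (pid, path, access).
FILE_OPENS = [
    (3592, r"\??\PhysicalDrive0", "modify"),
    (3592, r"C:\Windows\AF\ResultCheck.txt", "modify"),
]

# WMI (class, property) pairs that return stable hardware identifiers. The first
# three are what the sample queried; the rest are the author's additions.
HWID_QUERIES = {
    ("bios", "serialnumber"), ("cpu", "processorid"), ("diskdrive", "serialnumber"),
    ("baseboard", "serialnumber"), ("csproduct", "uuid"), ("nic", "macaddress"),
}
WMIC_RE = re.compile(r"\bwmic(?:\.exe)?\s+(\w+)\s+get\s+([\w,]+)", re.I)
REDIRECT_RE = re.compile(r">>?\s*(\S+)")
# \\.\PhysicalDriveN (Win32 form) or \??\PhysicalDriveN (NT form, as the sandbox logs it).
PHYSDRIVE_RE = re.compile(r"^(\\\\\.|\\\?\?)\\PhysicalDrive\d+$", re.I)


def wmic_hwid_queries(cmdline: str) -> set:
    """Hardware-identifier (class, property) pairs a command line asks WMIC for."""
    found = set()
    for cls, props in WMIC_RE.findall(cmdline):
        for prop in props.split(","):
            pair = (cls.lower(), prop.lower())
            if pair in HWID_QUERIES:
                found.add(pair)
    return found


def root_pid(by_pid: dict, pid: int) -> int:
    """Follow ppid links up to the top of the recorded tree."""
    while by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


def detect(procs: list, file_opens: list, min_queries: int = 2) -> list:
    by_pid = {p.pid: p for p in procs}
    findings = []

    # Rule 1 (T1082): two or more distinct hardware identifiers collected via WMIC under
    # one root process, plus the files the output was redirected into. Pairs live in a
    # set, so the same query seen on cmd.exe and again on WMIC.exe counts once.
    queries = defaultdict(set)
    outputs = defaultdict(set)
    for p in procs:
        q = wmic_hwid_queries(p.cmdline)
        if q:
            root = root_pid(by_pid, p.pid)
            queries[root] |= q
            outputs[root].update(REDIRECT_RE.findall(p.cmdline))
    for root, q in queries.items():
        if len(q) >= min_queries:
            findings.append({"rule": "hardware_fingerprinting", "attack": "T1082", "pid": root,
                             "queries": sorted(q), "output_files": sorted(outputs[root])})

    # Rule 2 (T1542.003 candidate): a raw physical-drive device opened with write access.
    # A lead to confirm against the disk image, not proof that sector 0 was written.
    for pid, path, access in file_opens:
        if access == "modify" and PHYSDRIVE_RE.match(path):
            findings.append({"rule": "physical_drive_write_handle", "attack": "T1542.003",
                             "pid": pid, "path": path})

    # Rule 3: a child's image lives in SysWOW64 although its command line names system32,
    # so the parent is a 32-bit process whose launches went through WoW64 redirection.
    wow64_parents = sorted({p.ppid for p in procs if p.ppid is not None
                            and "\\syswow64\\" in p.image.lower()
                            and "\\system32\\" in p.cmdline.lower()})
    for ppid in wow64_parents:
        findings.append({"rule": "wow64_redirected_children", "pid": ppid})
    return findings


if __name__ == "__main__":
    for finding in detect(PROCS, FILE_OPENS):
        print(finding)
```

Run as-is it prints three findings, all rooted at PID 3592. The threshold of two distinct identifiers is the author's choice: a single wmic bios get serialnumber is common in inventory scripts, while BIOS, CPU and disk serials gathered together in one tree is the shape of a machine-bound licence or a victim ID.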
Network
MITRE ATT&CK Enterprise v15
Downloads
Four files are listed without names.

File 1
Filesize: 15B
MD5: 045d1fab8c7c07f8b623aec8546afd9c
SHA1: fd88c07af6de58bdc4b272e87407834d234abf53
SHA256: 9adec26157e3bfaf4119dfddf2a619019d847000eb852d446e395adb8121fd94
SHA512: f59e30596275033886b6b81b087940c071bba57d5b40c41479eadca89a5947b63cf84e7bd1e1f435f20c3268a2a0c198721aff0d6555f2a11304896230048a55

File 2
Filesize: 66B
MD5: 9025468f85256136f923096b01375964
SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

File 3
Filesize: 62B
MD5: 5fd4497719e0e0300234874b82948028
SHA1: 79a508141429a3d7727ec5117013cc834450d838
SHA256: 6b78ef4c1e67ff9ef2e24f1f0c97a7635df9bb50e9ca8a6d9a246014e049415b
SHA512: 8fd289d630d05fd5ef4e9ef1d280e87253ee6044edfbdc1d372fcc23bd3a8a42a2591b9147a601dc405c24ddb1aed116cfa1bc374a69eaaa8e927dfc8984e49b

File 4
Filesize: 66B
MD5: 42c85d8a966006fec43d9e483beffb50
SHA1: bb3338248f34a93e9b9c4b408b1b3d5c0d988ac3
SHA256: a2ee84100d1e44208059581eb1c8f75c4d877b0dba1333114b5534de3e395788
SHA512: 4b308183a625e7fb3b9ec9aa596a0326060e5ba9a438a5def78d22df08e2a9c12a23122326a632b595fa83715acee08f5b8c71897607cfb8ca8bacf5ad47a296