Overview

overview

8

Static

static

5

X.exe

windows11-21h2-x64

Analysis

  • max time kernel
    0s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    27-11-2024 07:14

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    X.exe

  • Size

    102KB

  • MD5

    d89f31f22563eb0fdf3828f4df78ed4f

  • SHA1

    7a2a4c411831ebc8a474a68caa810117545f6a0e

  • SHA256

    72ea0305c64249657bc7be7ffefe6403a74f6bed8c90ef191b7f04d7175d9c8f

  • SHA512

    29826d851433b8603e923bc81da066662f6bb107564feb8e1ae9bb344138c2ab4ec7157595aefcec248feb1caa51285293dae927f2ab66b60b7bd8a17e2a2569

  • SSDEEP

    1536:T/LHGj7cvtORUxy6rlp65LkgZqARZW7wIUg9rF0ZzV0imYFU47o9Tuui:7LHCcvMRUc6JcsA677sZ6vYFx7oZo

Score
8/10
bootkitdiscoveryexploitpersistenceupx

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\X.exe
    "C:\Users\Admin\AppData\Local\Temp\X.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Windows\SYSTEM32\manage-bde.exe
      manage-bde -on C: -EncryptionMethod AES-256
      2⤵
        PID:3384
      • C:\Windows\SYSTEM32\takeown.exe
        takeown /f D:\ /r /d Y
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1060
      • C:\Windows\SYSTEM32\icacls.exe
        icacls D:\ /grant Everyone:F /t /c /l
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4424
      • C:\Windows\SYSTEM32\takeown.exe
        takeown /f C:\ /r /d Y
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4236
      • C:\Windows\SYSTEM32\icacls.exe
        icacls C:\ /grant Everyone:F /t /c /l
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2196
      • C:\Windows\SYSTEM32\taskkill.exe
        taskkill /F /T /IM LsaIso.exe
        2⤵
        • Kills process with taskkill
        PID:1160
      • C:\Windows\SYSTEM32\taskkill.exe
        taskkill /F /T /IM svchost.exe
        2⤵
        • Kills process with taskkill
        PID:3396

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4192-0-0x00007FF7E8760000-0x00007FF7E8791000-memory.dmp

      Filesize

      196KB

      Download

    • memory/4192-2-0x00007FF7E8760000-0x00007FF7E8791000-memory.dmp

      Filesize

      196KB

      Download