Analysis

  • max time kernel
    0s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241023-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    27-11-2024 09:21

Errors

Reason
Machine shutdown

General

  • Target

    X.exe

  • Size

    102KB

  • MD5

    ee9f2554cdcbd39e2b39962f1e7afe36

  • SHA1

    a987a60fceec3b3e1bc14b5dcb7a8985af9bf61d

  • SHA256

    f3b4bae7a22377555872f096b9ec176220734206d932e34d0e00ab43aa7086e8

  • SHA512

    977ce766a806f81ac80e398810da229ca03992e270cc5d7fa258ac266d5bf6968b330354dfb29b8d5bc29927e54e0662878a44f523561590500880c36835fb68

  • SSDEEP

    1536:985VEH2aNU2o5DX776Nc8mSsQWUYXtJWi/t23z52s0imYFU47o9Tuui:9sE2aNU2WDX7+NEUri42vYFx7oZo

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Kills process with taskkill 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\X.exe
    "C:\Users\Admin\AppData\Local\Temp\X.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\SYSTEM32\manage-bde.exe
      manage-bde -on C: -EncryptionMethod AES-256
      2⤵
        PID:3448
      • C:\Windows\SYSTEM32\takeown.exe
        takeown /f D:\ /r /d Y
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2140
      • C:\Windows\SYSTEM32\icacls.exe
        icacls D:\ /grant Everyone:F /t /c /l
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4992
      • C:\Windows\SYSTEM32\takeown.exe
        takeown /f C:\ /r /d Y
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4656
      • C:\Windows\SYSTEM32\icacls.exe
        icacls C:\ /grant Everyone:F /t /c /l
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3456
      • C:\Windows\SYSTEM32\taskkill.exe
        taskkill /F /T /IM LsaIso.exe
        2⤵
        • Kills process with taskkill
        PID:3408
      • C:\Windows\SYSTEM32\taskkill.exe
        taskkill /F /T /IM svchost.exe
        2⤵
        • Kills process with taskkill
        PID:1248

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/1676-0-0x00007FF7F3E60000-0x00007FF7F3E91000-memory.dmp

      Filesize

      196KB