Overview

overview

8

Static

static

5

feceab91f4...64.exe

windows7-x64

8

feceab91f4...64.exe

windows10-2004-x64

Analysis

  • max time kernel
    0s
  • max time network
    9s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2024 06:01

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    feceab91f4a082684f7224426335f37340d38ff8e7b32e0408df186728b8bb64.exe

  • Size

    50KB

  • MD5

    355c2f89e67e95ad1b458519980a47eb

  • SHA1

    395f5de2c542f7e81b9a5b218f1bbbbbb6d6f835

  • SHA256

    feceab91f4a082684f7224426335f37340d38ff8e7b32e0408df186728b8bb64

  • SHA512

    c22dc9892b7dbd7a3b1c4931a42c921ee76484574951408a6a898f18d0cd911af5db9f1f79efb991ecd8b48d18c5dbd84c21f96ac6a61c9f4cf0984f09c3f234

  • SSDEEP

    1536:985VEH2aNU2o5DX776Nc8mSsQWUYXtJW:9sE2aNU2WDX7+NEUr

Score
8/10
bootkitdiscoveryexploitpersistenceupx

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\feceab91f4a082684f7224426335f37340d38ff8e7b32e0408df186728b8bb64.exe
    "C:\Users\Admin\AppData\Local\Temp\feceab91f4a082684f7224426335f37340d38ff8e7b32e0408df186728b8bb64.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:3136
    • C:\Windows\SYSTEM32\manage-bde.exe
      manage-bde -on C: -EncryptionMethod AES-256
      2⤵
        PID:3132
      • C:\Windows\SYSTEM32\takeown.exe
        takeown /f D:\ /r /d Y
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:748
      • C:\Windows\SYSTEM32\icacls.exe
        icacls D:\ /grant Everyone:F /t /c /l
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3872
      • C:\Windows\SYSTEM32\takeown.exe
        takeown /f C:\ /r /d Y
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1492
      • C:\Windows\SYSTEM32\icacls.exe
        icacls C:\ /grant Everyone:F /t /c /l
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1316
      • C:\Windows\SYSTEM32\taskkill.exe
        taskkill /F /T /IM LsaIso.exe
        2⤵
        • Kills process with taskkill
        PID:3972
      • C:\Windows\SYSTEM32\taskkill.exe
        taskkill /F /T /IM svchost.exe
        2⤵
        • Kills process with taskkill
        PID:4044

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3136-0-0x00007FF6015B0000-0x00007FF6015E1000-memory.dmp

      Filesize

      196KB

      Download