70b34fd39a8536035490ba2000aba26d8a4bf416275a8091a962770477026f3d

Analysis

max time kernel
136s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

filedata.exe
Size

2.1MB
MD5

423f082b5b9913c8eb66528cbfe03e70
SHA1

128618d7ffcb7095fc9ffcbf4902b1b9a860414e
SHA256

2bc5752399db4ee085ddf335ddfbe9bda91d824fd5294462a450a61229161926
SHA512

5c1d4d49fbd5921ab226772fa5cdf9d507d5623c2f73499f3f16a484a330b80d5b512e4a30fe0bf82cc3c488fb22b3baff96fd0d776506f7680cc65f33487600
SSDEEP

49152:ZOg7YJ+1SJxeN4A4D6rH8VK9I8FXkDa9WT:X76JxeNpcc3jkD9

Score

10^/10

bootkit persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2428	powershell.exe	31

Deletes itself 1 IoCs

pid	Process
2096	cmd.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2656	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2096	1796	filedata.exe	34
PID 1796 wrote to memory of 2096	1796	filedata.exe	34
PID 1796 wrote to memory of 2096	1796	filedata.exe	34
PID 2096 wrote to memory of 2656	2096	cmd.exe	36
PID 2096 wrote to memory of 2656	2096	cmd.exe	36
PID 2096 wrote to memory of 2656	2096	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\filedata.exe
"C:\Users\Admin\AppData\Local\Temp\filedata.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\system32\cmd.exe
  cmd.exe /c systeminfo > NUL && del "C:\Users\Admin\AppData\Local\Temp\filedata.exe" > NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:2656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -C $env:psldr|iex|iex
1⤵
- Process spawned unexpected child process
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin:737B1129

Filesize
157B

MD5
aa113e72ed1266ef948fc68efa0565de

SHA1
b3b60c74586ecfa163f4c08633a3bfde132c9a02

SHA256
62198e98b417aa27d2bee2ae9d7e07538f5bec61f8dbb09810cee9c9db623de8

SHA512
c4a032ac350cdfeb266165d80dc2393c098d00c3e21bc99f1adb4370f7f25f44a7a38138318abc95465d6c9dd87974c4394fd1cd2c3540ba394fee1f1247183f

Download Submit
memory/1904-72-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-12-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-56-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-9-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

Filesize
9.6MB

Download
memory/1904-8-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

Filesize
9.6MB

Download
memory/1904-10-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

Filesize
9.6MB

Download
memory/1904-14-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-64-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-11-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-16-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-46-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-58-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-66-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-62-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-69-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-71-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-18-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-28-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-74-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-4-0x000007FEF5CCE000-0x000007FEF5CCF000-memory.dmp

Filesize
4KB

Download
memory/1904-60-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-5-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/1904-7-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

Filesize
9.6MB

Download
memory/1904-54-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-52-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-50-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-48-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-44-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-42-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-40-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-38-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-36-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-34-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-32-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-30-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-26-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-25-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-22-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-20-0x000000001CA00000-0x000000001CC19000-memory.dmp

Filesize
2.1MB

Download
memory/1904-1657-0x000007FEF5CCE000-0x000007FEF5CCF000-memory.dmp

Filesize
4KB

Download
memory/1904-6-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/1904-1689-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

Filesize
9.6MB

Download