70b34fd39a8536035490ba2000aba26d8a4bf416275a8091a962770477026f3d

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

filedata.exe
Size

2.1MB
MD5

423f082b5b9913c8eb66528cbfe03e70
SHA1

128618d7ffcb7095fc9ffcbf4902b1b9a860414e
SHA256

2bc5752399db4ee085ddf335ddfbe9bda91d824fd5294462a450a61229161926
SHA512

5c1d4d49fbd5921ab226772fa5cdf9d507d5623c2f73499f3f16a484a330b80d5b512e4a30fe0bf82cc3c488fb22b3baff96fd0d776506f7680cc65f33487600
SSDEEP

49152:ZOg7YJ+1SJxeN4A4D6rH8VK9I8FXkDa9WT:X76JxeNpcc3jkD9

Score

10^/10

bootkit persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	2896	powershell.exe	83

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	powershell.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3512	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3344	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 3644	3344	powershell.exe	86
PID 3344 wrote to memory of 3644	3344	powershell.exe	86
PID 3644 wrote to memory of 1200	3644	csc.exe	87
PID 3644 wrote to memory of 1200	3644	csc.exe	87
PID 2648 wrote to memory of 2348	2648	filedata.exe	88
PID 2648 wrote to memory of 2348	2648	filedata.exe	88
PID 2348 wrote to memory of 3512	2348	cmd.exe	90
PID 2348 wrote to memory of 3512	2348	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\filedata.exe
"C:\Users\Admin\AppData\Local\Temp\filedata.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c systeminfo > NUL && del "C:\Users\Admin\AppData\Local\Temp\filedata.exe" > NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:3512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -C $env:psldr|iex|iex
1⤵
- Process spawned unexpected child process
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cs5rnuqm\cs5rnuqm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB32.tmp" "c:\Users\Admin\AppData\Local\Temp\cs5rnuqm\CSC476C96B8C1F42EE8074FD7DC963FC2.TMP"
    3⤵
    PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin:AAC9F043

Filesize
157B

MD5
c9992328339fab7e9cd6d7f2e7252e7b

SHA1
5124589c74da115f60dea4f3ec91a661c60c9b7c

SHA256
670a8e6d8c15278c6ed5db3129158eb230917909c3d4fddb57140d666e267aa2

SHA512
7236e0fb2ed38f102b87554c502eb4532941ba50bab1411d1bfbff2452d1ca93783c0bc80f70db39e3c4ef43eb70d2feb36516a37ffd68b26de132c1a898e899

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB32.tmp

Filesize
1KB

MD5
0a3b570e2ee925c43f1f307e41fa7c90

SHA1
d217cc3201847df0abb8c640ce9ca7a09e889325

SHA256
798571228bae234840e6e3d6db2288e6ab35b6ad9fa8d5ce1a6e67f7955d4699

SHA512
bd34383dfde2a8628b0bfd88eae77c3beed5d76b8a8168abccccfe493956bfdcc387fadab6970aa3e61a5674e28131a621f55b1d881b8ea694d532972ae152e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpF378.tmp

Filesize
1KB

MD5
1c0de7104fe6ffcaf89444912faa75a9

SHA1
10d58ea89a6d4420099c8928e44e3fa8e381020e

SHA256
49bbd3be817130f22a51b79ba89ebb5fbc21d87395116e8c57aac3540bc51089

SHA512
8cea631c5f05bed39b1921ed86312e44b056c78e7519285aa88533dcd17a2013eb160de3f1b9e9f2720bd64654c5bdc91c7fafe20c51aee530c160a0ec5e4a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpF379.tmp

Filesize
1KB

MD5
57849d3bf047ea098cebb370c2ba4a0b

SHA1
1b671081b5ab2b360f92f857a9a60f46853ecf0c

SHA256
ded51c21adb2b1b1874260d70d0c915522a0c63b16527bd4ca096883e00be98e

SHA512
f8cc6b5e8243d9576a8cbf61347948c390fb47b3feab796d13960a8c6ffb81fdfdfdeb36e03d47fca192b2cac20cc46b58932b58541789d581bb85820f1bb41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oecqu1zx.3ur.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cs5rnuqm\cs5rnuqm.dll

Filesize
3KB

MD5
59f73d2df3353f9473f5d16cdce1dde7

SHA1
4e0da0717bd6a4d018d33bc1b0037661f0d74291

SHA256
27549bfadd272a8a35b939637c38071d810520468210ed3e045883d035c5fd6e

SHA512
487d6315bef0c09a7268128839f86b0b03256beef4b0e5ef5b46efe789e1e940459eec8f499dd0aa1bd69f4788f8ab481b735963086c71b0cc5db37afca384cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cs5rnuqm\CSC476C96B8C1F42EE8074FD7DC963FC2.TMP

Filesize
652B

MD5
a313daf408812340cbb0e7d1fc4b903b

SHA1
ad5028521f143b9d331bef5d511b4522daa8fb1b

SHA256
61256efd4eebdec87cc286b989bd988d0a85410e181f9525b1f6ea955a9aadb6

SHA512
33f2e7682b8d2656f265885c216712cf98200c77accfc1e9d9a0e456f2f6aa1e7b3f9ebe9d750b913c94f9f1310d05f806308b4fd4e2a280bc6ce985fbce755a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cs5rnuqm\cs5rnuqm.0.cs

Filesize
351B

MD5
0e1eac9a35650388f1cdf1b91afa8699

SHA1
63ea396ae64f9fa69870d56817cbda761ff02d2b

SHA256
83c72dd5fd98a2c1f88ff729560ef3234e6b97df8ee43339a7e8dbd777f0ccd6

SHA512
5695828554596948467437af0a06ef0cc5e32b4ebcf29924e043f3c36f1fa88d6a42da14521057325eb1ab64e2f9003036590cabdfb9c821cdd053eef83bd655

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cs5rnuqm\cs5rnuqm.cmdline

Filesize
369B

MD5
5b34091457813b7fa440441e0af3f3f8

SHA1
4d30481c9f6feca61f7740d92bb9d7978cf8783f

SHA256
77fc26ca76599e9793de02f8bdcffc4a39cf18fda0ec3960195de373f9827d35

SHA512
e1b76905db112039c0d3bf3dcd21816c7223dada5539d91b4ff5c153b380f3acf73c5b108651730ba05e05005b1bb3df44367e6db06f5badbb0d61288f4a94c0

Download Submit
memory/3344-92-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-80-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-27-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/3344-28-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/3344-29-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-42-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-40-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-38-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-37-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-34-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-32-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-30-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-44-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-56-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-66-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-90-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-88-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-12-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/3344-86-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-84-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-82-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-25-0x0000019845C70000-0x0000019845C78000-memory.dmp

Filesize
32KB

Download
memory/3344-78-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-76-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-74-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-72-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-68-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-70-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-64-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-62-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-54-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-52-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-50-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-48-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-46-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-60-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-58-0x00000198469B0000-0x0000019846BC9000-memory.dmp

Filesize
2.1MB

Download
memory/3344-748-0x00007FFBAC563000-0x00007FFBAC565000-memory.dmp

Filesize
8KB

Download
memory/3344-1153-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/3344-1677-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/3344-11-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/3344-10-0x0000019845C30000-0x0000019845C52000-memory.dmp

Filesize
136KB

Download
memory/3344-0-0x00007FFBAC563000-0x00007FFBAC565000-memory.dmp

Filesize
8KB

Download