70b34fd39a8536035490ba2000aba26d8a4bf416275a8091a962770477026f3d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

filedata.exe
Size

2.7MB
MD5

d921d26cebc3bedad6419ef4298cd3e1
SHA1

973e0d3e6af8596f67e1a93b29122eea8af38108
SHA256

158e7d6361ca30df80d5edc5de38f5852961ad49dcc4e024f2ed8a00662c1792
SHA512

81cc4b95c081c1fefa63542d2583aa3f1820f66cd137fa4486d23601801712b3d1d4b1d9cdec7c8391ba0c5e2177778c987c2547faa95802cab1fccfe33741f3
SSDEEP

49152:nL2mxSw1wKb1ryOKQSg+o5Ru4rUjd/H8P3JiltNreKClt:Lnhb12Y5AD9cBuc

Score

10^/10

bootkit persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	896	powershell.exe	83

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	powershell.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3572	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2836	2060	powershell.exe	86
PID 2060 wrote to memory of 2836	2060	powershell.exe	86
PID 2836 wrote to memory of 3424	2836	csc.exe	87
PID 2836 wrote to memory of 3424	2836	csc.exe	87
PID 5088 wrote to memory of 116	5088	filedata.exe	88
PID 5088 wrote to memory of 116	5088	filedata.exe	88
PID 116 wrote to memory of 3572	116	cmd.exe	90
PID 116 wrote to memory of 3572	116	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\filedata.exe
"C:\Users\Admin\AppData\Local\Temp\filedata.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c systeminfo > NUL && del "C:\Users\Admin\AppData\Local\Temp\filedata.exe" > NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:3572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -C $env:psldr|iex|iex
1⤵
- Process spawned unexpected child process
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s1hhpt30\s1hhpt30.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93E3.tmp" "c:\Users\Admin\AppData\Local\Temp\s1hhpt30\CSC18AA7044536C4033AD45B783D5141AE6.TMP"
    3⤵
    PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin:80629AFF

Filesize
157B

MD5
3f4352b0464a7b536108d153f919f052

SHA1
d6e9522d0b85b0f9f7a878c22dfb4378b31bdd08

SHA256
8b2a48d78ee909fe7a4f640fc6f7d57568a27fd48a5e01b60e16cc91d7ff2157

SHA512
ec9e5c93d86130ff1dec01c27c92cd7176de8cc8fafa938002578f3257ecfa99b374e8d338bf5d3fd2789c603b7421facfcd2b0a457154d0ea6dd012103f9dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES93E3.tmp

Filesize
1KB

MD5
89667dc095bf034494940f23bf1d05c9

SHA1
fbdf5b4d731690c600533dc48457f879dfc1e5b2

SHA256
a3bc651eab735e1487b6343b1b490240e14182ea0969ae7ff3ec8537040560c4

SHA512
60e87654cb560de712b46eedb622b185087c76b1bc510c869aa5399c774933fb39a5578798522c8ad1de49578249759e8ff8b0b01f0dbc14e82e550197f579c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpD0FC.tmp

Filesize
1KB

MD5
1c0de7104fe6ffcaf89444912faa75a9

SHA1
10d58ea89a6d4420099c8928e44e3fa8e381020e

SHA256
49bbd3be817130f22a51b79ba89ebb5fbc21d87395116e8c57aac3540bc51089

SHA512
8cea631c5f05bed39b1921ed86312e44b056c78e7519285aa88533dcd17a2013eb160de3f1b9e9f2720bd64654c5bdc91c7fafe20c51aee530c160a0ec5e4a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpD0FD.tmp

Filesize
1KB

MD5
57849d3bf047ea098cebb370c2ba4a0b

SHA1
1b671081b5ab2b360f92f857a9a60f46853ecf0c

SHA256
ded51c21adb2b1b1874260d70d0c915522a0c63b16527bd4ca096883e00be98e

SHA512
f8cc6b5e8243d9576a8cbf61347948c390fb47b3feab796d13960a8c6ffb81fdfdfdeb36e03d47fca192b2cac20cc46b58932b58541789d581bb85820f1bb41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dfj0lhf2.vak.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1hhpt30\s1hhpt30.dll

Filesize
3KB

MD5
e154520a164ea40d2843897b8e12475b

SHA1
d7e2f32d1f673f56d79c8e95d379de9e9f1e3a05

SHA256
d37f629ed78f0fee952ed0192cc60ec67870d94e86e2fb886246c96c74026f17

SHA512
d17e0e30ccf99a9cd93d40ff01ba525bc6ea4070873353df6e19d702a8f232b4a13f8cb2c445c7b9f29b6eb4fc8bbf24144341b0250fb7fde0256a4a748824e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s1hhpt30\CSC18AA7044536C4033AD45B783D5141AE6.TMP

Filesize
652B

MD5
bfca91ffdcccc702c173b03b9a101206

SHA1
18d39b0725b43228f5b8012878cd9a790d9fb248

SHA256
e60e80b29390f68a23747d1cef0bebc218158276bee3c94a680c82ca02c6bfa6

SHA512
ceca236b7b01f2a4f1f9e0735b5886fef94e534ef390e568e88b922d8641187f8f4d23c33a29f54139110023958fbd66e3703120ecb95f6af9283878a409b3ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s1hhpt30\s1hhpt30.0.cs

Filesize
351B

MD5
0e1eac9a35650388f1cdf1b91afa8699

SHA1
63ea396ae64f9fa69870d56817cbda761ff02d2b

SHA256
83c72dd5fd98a2c1f88ff729560ef3234e6b97df8ee43339a7e8dbd777f0ccd6

SHA512
5695828554596948467437af0a06ef0cc5e32b4ebcf29924e043f3c36f1fa88d6a42da14521057325eb1ab64e2f9003036590cabdfb9c821cdd053eef83bd655

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s1hhpt30\s1hhpt30.cmdline

Filesize
369B

MD5
050dba17f3d79e1ef97f4c7ab586dbe4

SHA1
cbac95d694e11ca97eb5e853a2bd2c14f06e01b5

SHA256
d07b0e8aad1b2873c387cacde7bfbd4d71a269615d7b78541aa3485012bfdbdb

SHA512
d5c04eabdb6c2d2c8f874d1d95d4fc22307df726eb755ecd65391c2c6d3a626a808093acd32ed930d13bd638c2ff128396b70927ea67aa023bb44bbac0a79958

Download Submit
memory/2060-84-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-72-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-27-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/2060-28-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/2060-29-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-30-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-32-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-36-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-40-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-46-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-58-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-68-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-74-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-92-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-90-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-88-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-86-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-12-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/2060-82-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-80-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-78-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-25-0x000001B3C53B0000-0x000001B3C53B8000-memory.dmp

Filesize
32KB

Download
memory/2060-70-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-66-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-64-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-62-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-60-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-76-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-56-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-54-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-52-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-50-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-48-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-44-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-42-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-38-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-34-0x000001B3C58A0000-0x000001B3C5B62000-memory.dmp

Filesize
2.8MB

Download
memory/2060-966-0x00007FFCFD083000-0x00007FFCFD085000-memory.dmp

Filesize
8KB

Download
memory/2060-1258-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/2060-1798-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/2060-1799-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/2060-11-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/2060-6-0x000001B3C53C0000-0x000001B3C53E2000-memory.dmp

Filesize
136KB

Download
memory/2060-0-0x00007FFCFD083000-0x00007FFCFD085000-memory.dmp

Filesize
8KB

Download