f7f624d237f1d81858259c1783be9c7a605fe260b22092af064bc91035010fef | Triage

Submit
Reports

Overview

overview

8

Static

static

3

Holzer.exe

windows11-21h2-x64

Sharing

General

Target

Holzer.zip
Size

50KB
Sample

250402-t17s1sspz9
MD5

46c66dccda54ac15c941e7589a5da5ca
SHA1

49a4f3b61753f261fc5f3e7d69f599ac0a5e083e
SHA256

f7f624d237f1d81858259c1783be9c7a605fe260b22092af064bc91035010fef
SHA512

c4c96aebf3d0de7127e3e45c5670323781ed8ae4bc0413c6b35cb2f5e9ee8ccaf84d5dbf655b384a1cec4b8d8fcbe5970c43e79bad76cf9a17ada1b3717c57a2
SSDEEP

1536:5dlKxgjOc91+xkuSL7/jVqFqGBh8tCxFngg/:PlJjOc9WkuoQtF1gg/

Score

8^/10

bootkit defense_evasion discovery exploit persistence privilege_escalation

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Holzer.exe

Resource

win11-20250313-en

bootkit defense_evasion discovery exploit persistence privilege_escalation

windows11-21h2-x64

37 signatures

300 seconds

Malware Config

Targets

- Target
  
  Holzer.exe
- Size
  
  135KB
- MD5
  
  c971c68b4e58ccc82802b21ae8488bc7
- SHA1
  
  7305f3a0a0a0d489e0bcf664353289f61556de77
- SHA256
  
  cede0b15d88c20bc750b516858f8bf31ee472f6cbd01640840890736c4333cce
- SHA512
  
  ff199691c35f2748772410bf454e8b76dd67d892dd76fc87d20b3bbe6c145c6af1685344de636326692df792f55d0fba9a0025a7cf491d0b4e73ff45c3b039d7
- SSDEEP
  
  3072:2EYGNIaWY/0kTKxIJXtJ0YCHiQtSetFITTTTTHvvvvvNKB:HN5TKvr9PuKB
Score

8^/10

bootkit defense_evasion discovery exploit persistence privilege_escalation
- Disables RegEdit via registry modification
  defense_evasion
- Disables Task Manager via registry modification
  defense_evasion
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Possible privilege escalation attempt
  exploit
- Modifies file permissions
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Event Triggered Execution

Accessibility Features

Power Settings

Pre-OS Boot

Bootkit

Privilege Escalation

Access Token Manipulation

Create Process with Token

Event Triggered Execution

Accessibility Features

Defense Evasion

Access Token Manipulation

Create Process with Token

File and Directory Permissions Modification

Hide Artifacts

Hidden Files and Directories

Modify Registry

Pre-OS Boot

Bootkit

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitdefense_evasiondiscoveryexploitpersistenceprivilege_escalation

© 2018-2025

Terms | Privacy