c7632a1bbe82c3d2ae9146a0289bc2080d03878dd89fd1d9e9503a9e57af43c4

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1792EL4.4?/ElementsEditor.exe
Size

1.0MB
MD5

0ddb19bd95ae8a7aca1ad5a94e7ffcad
SHA1

1f45083609a8c4aab77a45ba27062649f5991e33
SHA256

f7ee4e1d2cdcae4ea22583854d9fa2cad072741f487cd3f7b547c598caaf66f1
SHA512

aa27d80b9f1bd2d77877ec6d5caf9092cf5d1874347246308948b6095e2522edf744656005554d79485dc87da17246f8f0c4d9df8ca3ced5bd69ce99ac62cb8c
SSDEEP

24576:vbYw5NquEjJoFT39qBKQgn6QrraispwqZJGFiWdM:h5kuE2x39q8N/rraRbY

Score

7^/10

bootkit persistence vmprotect

Malware Config

Signatures

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4032-0-0x0000000000400000-0x0000000000614000-memory.dmp	vmprotect
behavioral2/memory/4032-2-0x0000000000400000-0x0000000000614000-memory.dmp	vmprotect
behavioral2/memory/4032-4-0x0000000000400000-0x0000000000614000-memory.dmp	vmprotect
behavioral2/memory/4032-1389-0x00000000711C0000-0x0000000071779000-memory.dmp	vmprotect
behavioral2/memory/4032-1402-0x00000000711C0000-0x0000000071779000-memory.dmp	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

ElementsEditor.exe

description ioc process

File opened for modification \??\PhysicalDrive0 ElementsEditor.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ElementsEditor.exe

pid process

4032 ElementsEditor.exe
4032 ElementsEditor.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ElementsEditor.exe

description pid process

Token: SeDebugPrivilege 4032 ElementsEditor.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ElementsEditor.exe

pid	process
4032	ElementsEditor.exe
4032	ElementsEditor.exe

description	pid	process
Token: SeDebugPrivilege	4032	ElementsEditor.exe

C:\Users\Admin\AppData\Local\Temp\1792EL4.4_\ElementsEditor.exe
"C:\Users\Admin\AppData\Local\Temp\1792EL4.4_\ElementsEditor.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4032-0-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4032-2-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4032-3-0x0000000000401000-0x000000000041B000-memory.dmp

Filesize
104KB

Download
memory/4032-4-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4032-5-0x00000000050A0000-0x0000000005118000-memory.dmp

Filesize
480KB

Download
memory/4032-6-0x00000000051E0000-0x0000000005258000-memory.dmp

Filesize
480KB

Download
memory/4032-64-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-68-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-66-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-60-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-58-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-54-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-52-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-50-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-48-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-46-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-42-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-40-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-38-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-36-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-32-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-30-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-28-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-26-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-24-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-22-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-18-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-14-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-12-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-10-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-8-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-62-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-56-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-44-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-34-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-20-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-16-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-7-0x00000000051E0000-0x0000000005251000-memory.dmp

Filesize
452KB

Download
memory/4032-1385-0x0000000005260000-0x0000000005804000-memory.dmp

Filesize
5.6MB

Download
memory/4032-1386-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/4032-1387-0x0000000005950000-0x000000000595A000-memory.dmp

Filesize
40KB

Download
memory/4032-1388-0x00000000059D0000-0x00000000059EF000-memory.dmp

Filesize
124KB

Download
memory/4032-1389-0x00000000711C0000-0x0000000071779000-memory.dmp

Filesize
5.7MB

Download
memory/4032-1393-0x0000000006510000-0x0000000006B28000-memory.dmp

Filesize
6.1MB

Download
memory/4032-1394-0x0000000006DC0000-0x0000000006DD2000-memory.dmp

Filesize
72KB

Download
memory/4032-1395-0x00000000072E0000-0x00000000073EA000-memory.dmp

Filesize
1.0MB

Download
memory/4032-1396-0x0000000006E40000-0x0000000006E7C000-memory.dmp

Filesize
240KB

Download
memory/4032-1397-0x0000000006E90000-0x0000000006EDC000-memory.dmp

Filesize
304KB

Download
memory/4032-1398-0x0000000008EA0000-0x0000000008EC4000-memory.dmp

Filesize
144KB

Download
memory/4032-1399-0x0000000008FB0000-0x0000000009000000-memory.dmp

Filesize
320KB

Download
memory/4032-1402-0x00000000711C0000-0x0000000071779000-memory.dmp

Filesize
5.7MB

Download