91697fa6d5e1a59f0c71e7ae0f2a8928879a8522901153708d09bfe430bfa7cb

Reason

Machine shutdown

General

Target

02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exe
Size

54KB
MD5

cdb6e431b4eeb2909b1cf198f70ae444
SHA1

98205803babd17587e99913934eb6975c3dc8779
SHA256

02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df
SHA512

c24c5b4c3d1b9355db8e82aa3c1c228e12b107c2f2ad76ac5e1ec62dda516cbe2237b1839547ff80e9059a3f2debc1cf07daf30dc3dad2b579aa4eddb9ba33a0

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	EyeCry.exe

Loads dropped DLL 1 IoCs

pid	Process
288	02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	EyeCry.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1192	shutdown.exe
Token: SeRemoteShutdownPrivilege	1192	shutdown.exe
Token: SeShutdownPrivilege	1468	shutdown.exe
Token: SeRemoteShutdownPrivilege	1468	shutdown.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 2028	288	02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exe	26
PID 288 wrote to memory of 2028	288	02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exe	26
PID 288 wrote to memory of 2028	288	02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exe	26
PID 288 wrote to memory of 2028	288	02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exe	26
PID 2028 wrote to memory of 1192	2028	EyeCry.exe	27
PID 2028 wrote to memory of 1192	2028	EyeCry.exe	27
PID 2028 wrote to memory of 1192	2028	EyeCry.exe	27
PID 2028 wrote to memory of 1192	2028	EyeCry.exe	27
PID 2028 wrote to memory of 1468	2028	EyeCry.exe	28
PID 2028 wrote to memory of 1468	2028	EyeCry.exe	28
PID 2028 wrote to memory of 1468	2028	EyeCry.exe	28
PID 2028 wrote to memory of 1468	2028	EyeCry.exe	28

C:\Users\Admin\AppData\Local\Temp\02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exe
"C:\Users\Admin\AppData\Local\Temp\02ae530ebb33ee8528ac0b9061d41216d3f3d4dcd8e9b0fe7f7cd0511247b7df.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:288
- C:\Users\Admin\AppData\Local\Temp\EyeCry.exe
  "C:\Users\Admin\AppData\Local\Temp\EyeCry.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown.exe -r -f -t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
- - C:\Windows\SysWOW64\shutdown.exe
    C:\Windows\System32\shutdown.exe -r -f -t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1468

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1708

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-5-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1708-14-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1708-16-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors