afab912c41c920c867f1b2ada34114b22dcc9c5f3666edbfc4e9936c29a17a68

General

Target

sasas.bin.exe
Size

5.7MB
MD5

14e0a802b64a6ce08f1ee408655257e4
SHA1

5c7b10241c27005b804119be34b18d9ae38c2d39
SHA256

afab912c41c920c867f1b2ada34114b22dcc9c5f3666edbfc4e9936c29a17a68
SHA512

a885622588a200097f5bd8e22ccf96d370ceb53883e4b680fcbd19a1d38a1ed81558f40fce7941e95da708508a842b75a58937e1d7d10c4e0f0d8ad50e82086c

Score

6^/10

bootkit persistence

Malware Config

Signatures

Drops desktop.ini file(s) 1 IoCs

Processes:

sasas.bin.exe

description ioc process

File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini sasas.bin.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

sasas.bin.exe

description ioc process

File opened (read-only) \??\E: sasas.bin.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

sasas.bin.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 sasas.bin.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

sasas.bin.exe

pid process

1696 sasas.bin.exe

description	ioc	process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini	sasas.bin.exe

description	ioc	process
File opened (read-only)	\??\E:	sasas.bin.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	sasas.bin.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

sasas.bin.exe

pid	process
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe
1696	sasas.bin.exe

C:\Users\Admin\AppData\Local\Temp\sasas.bin.exe
"C:\Users\Admin\AppData\Local\Temp\sasas.bin.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1696

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1696-0-0x00000000034D0000-0x00000000034E1000-memory.dmp

Filesize
68KB

Download
memory/1696-1-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-5-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-2-0x00000000034D0000-0x00000000034E1000-memory.dmp

Filesize
68KB

Download
memory/1696-9-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-15-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-13-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-19-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-23-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-31-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-39-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-35-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-33-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-27-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-43-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-45-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-53-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-61-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-69-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-75-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-83-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-89-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-97-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/1696-103-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing