a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20

General

Target

a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
Size

599KB
MD5

08862211cb28cc9f8cb03041644ddfa4
SHA1

6a72a8315147fdaf9eefbd60c83833de060f1aba
SHA256

a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20
SHA512

063bd36a79d2bdb2a95963bf3ce03591b779220682095e5edad469a11bf1bd4599d0533161a062eaa8bff10a0266c1da53c4637e32d61c5d8aa97a5a5381c03e

Score

9^/10

bootkit persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe

description ioc process

File opened for modification \??\physicaldrive0 a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

description	ioc	process
File opened for modification	\??\physicaldrive0	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe

pid	process
1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exea436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exea436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe

pid	process
1816	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
1816	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
1816	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
1816	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
1132	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
1132	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
1132	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
1132	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exea436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1816 wrote to memory of 1396	1816	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
PID 1816 wrote to memory of 1396	1816	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
PID 1816 wrote to memory of 1396	1816	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
PID 1816 wrote to memory of 1396	1816	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
PID 1396 wrote to memory of 1704	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	net.exe
PID 1396 wrote to memory of 1704	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	net.exe
PID 1396 wrote to memory of 1704	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	net.exe
PID 1396 wrote to memory of 1704	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	net.exe
PID 1396 wrote to memory of 1872	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	net.exe
PID 1396 wrote to memory of 1872	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	net.exe
PID 1396 wrote to memory of 1872	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	net.exe
PID 1396 wrote to memory of 1872	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	net.exe
PID 1396 wrote to memory of 644	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	net.exe
PID 1396 wrote to memory of 644	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	net.exe
PID 1396 wrote to memory of 644	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	net.exe
PID 1396 wrote to memory of 644	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	net.exe
PID 644 wrote to memory of 1916	644	net.exe	net1.exe
PID 644 wrote to memory of 1916	644	net.exe	net1.exe
PID 644 wrote to memory of 1916	644	net.exe	net1.exe
PID 644 wrote to memory of 1916	644	net.exe	net1.exe
PID 1704 wrote to memory of 1460	1704	net.exe	net1.exe
PID 1704 wrote to memory of 1460	1704	net.exe	net1.exe
PID 1704 wrote to memory of 1460	1704	net.exe	net1.exe
PID 1704 wrote to memory of 1460	1704	net.exe	net1.exe
PID 1872 wrote to memory of 1528	1872	net.exe	net1.exe
PID 1872 wrote to memory of 1528	1872	net.exe	net1.exe
PID 1872 wrote to memory of 1528	1872	net.exe	net1.exe
PID 1872 wrote to memory of 1528	1872	net.exe	net1.exe
PID 1396 wrote to memory of 1132	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
PID 1396 wrote to memory of 1132	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
PID 1396 wrote to memory of 1132	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
PID 1396 wrote to memory of 1132	1396	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe	a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe

C:\Users\Admin\AppData\Local\Temp\a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
"C:\Users\Admin\AppData\Local\Temp\a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
"C:\Users\Admin\AppData\Local\Temp\a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\net.exe
net.exe user Admin
3⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin
4⤵
PID:1460

C:\Windows\SysWOW64\net.exe
net.exe user qq2239823310 /add
3⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user qq2239823310 /add
4⤵
PID:1528

C:\Windows\SysWOW64\net.exe
net.exe localgroup administrators qq2239823310/add
3⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators qq2239823310/add
4⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe
"C:\Users\Admin\AppData\Local\Temp\a436f01d3d5abb2d63d9ec5463c0c083546b939036e71163d2aba510958f8f20.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.ini
Filesize
10B

MD5
568f3f4163773733e3e36e8a29cf0029

SHA1
ba0c7b47b8fc337926db519c567d9ccfa58a843c

SHA256
410fee16714cf6db0624a3a9a4e73de4bc18cae5ca7e5d9acf0e9e44aa4133e2

SHA512
a344b1ee712fff920cc4d29959c59b091b138a5e6d8695d1d6bbbc82e188e25a86d97bfbb1c63c235eaffd14af2eefe88c3123d95b6c1e807a5da30733cf59ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.ini
Filesize
10B

MD5
568f3f4163773733e3e36e8a29cf0029

SHA1
ba0c7b47b8fc337926db519c567d9ccfa58a843c

SHA256
410fee16714cf6db0624a3a9a4e73de4bc18cae5ca7e5d9acf0e9e44aa4133e2

SHA512
a344b1ee712fff920cc4d29959c59b091b138a5e6d8695d1d6bbbc82e188e25a86d97bfbb1c63c235eaffd14af2eefe88c3123d95b6c1e807a5da30733cf59ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExtraDll.dll
Filesize
199KB

MD5
2bda137da275d8e4b98c32b5a7725334

SHA1
4c39e68338f286d791cb054af5a16b80fb102af9

SHA256
50015d445f3156f3ddde43da651b15a310f6d85a23ee5bdf95c908130ac035b4

SHA512
ef68c17b18cfabea6ae454bbf066e57c0181d9250f4d4e5b88c2492ec32a1e7173ecdcc678ed120e1ef58f552ec19d14ace75c15c0c3605031b8144a4bba0c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExtraDll.dll
Filesize
199KB

MD5
2bda137da275d8e4b98c32b5a7725334

SHA1
4c39e68338f286d791cb054af5a16b80fb102af9

SHA256
50015d445f3156f3ddde43da651b15a310f6d85a23ee5bdf95c908130ac035b4

SHA512
ef68c17b18cfabea6ae454bbf066e57c0181d9250f4d4e5b88c2492ec32a1e7173ecdcc678ed120e1ef58f552ec19d14ace75c15c0c3605031b8144a4bba0c45

Download Submit
memory/644-61-0x0000000000000000-mapping.dmp

Download
memory/1132-65-0x0000000000000000-mapping.dmp

Download
memory/1396-55-0x0000000000000000-mapping.dmp

Download
memory/1460-63-0x0000000000000000-mapping.dmp

Download
memory/1528-64-0x0000000000000000-mapping.dmp

Download
memory/1704-59-0x0000000000000000-mapping.dmp

Download
memory/1816-54-0x0000000075D21000-0x0000000075D23000-memory.dmp

Filesize
8KB

Download
memory/1872-60-0x0000000000000000-mapping.dmp

Download
memory/1916-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads