36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258

General

Target

36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe
Size

1.3MB
MD5

347a1b04c19f69c508b584586420a0bb
SHA1

c4aa2e5fc8fe3ae1929acf1031a6de11dc5559ed
SHA256

36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258
SHA512

b74e78ff57c6e09e94458697357f4efab19d63571ec8ea8d4639b3529fa4427007649a6295a3faae56bbf763a9eb0306e0cd67cb6eea04b67361598a62db7a20

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

downloader.exe

pid process

956 downloader.exe
Loads dropped DLL 3 IoCs

Processes:

36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exedownloader.exe

pid process

764 36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe
956 downloader.exe
956 downloader.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

downloader.exe

description ioc process

File opened for modification \??\PhysicalDrive0 downloader.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1244 systeminfo.exe

pid	process
956	downloader.exe

pid	process
764	36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe
956	downloader.exe
956	downloader.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	downloader.exe

pid	process
1244	systeminfo.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exedownloader.execmd.exe

description	pid	process	target process
PID 764 wrote to memory of 956	764	36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe	downloader.exe
PID 764 wrote to memory of 956	764	36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe	downloader.exe
PID 764 wrote to memory of 956	764	36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe	downloader.exe
PID 764 wrote to memory of 956	764	36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe	downloader.exe
PID 764 wrote to memory of 956	764	36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe	downloader.exe
PID 764 wrote to memory of 956	764	36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe	downloader.exe
PID 764 wrote to memory of 956	764	36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe	downloader.exe
PID 956 wrote to memory of 1752	956	downloader.exe	cmd.exe
PID 956 wrote to memory of 1752	956	downloader.exe	cmd.exe
PID 956 wrote to memory of 1752	956	downloader.exe	cmd.exe
PID 956 wrote to memory of 1752	956	downloader.exe	cmd.exe
PID 956 wrote to memory of 1752	956	downloader.exe	cmd.exe
PID 956 wrote to memory of 1752	956	downloader.exe	cmd.exe
PID 956 wrote to memory of 1752	956	downloader.exe	cmd.exe
PID 1752 wrote to memory of 1244	1752	cmd.exe	systeminfo.exe
PID 1752 wrote to memory of 1244	1752	cmd.exe	systeminfo.exe
PID 1752 wrote to memory of 1244	1752	cmd.exe	systeminfo.exe
PID 1752 wrote to memory of 1244	1752	cmd.exe	systeminfo.exe
PID 1752 wrote to memory of 1244	1752	cmd.exe	systeminfo.exe
PID 1752 wrote to memory of 1244	1752	cmd.exe	systeminfo.exe
PID 1752 wrote to memory of 1244	1752	cmd.exe	systeminfo.exe
PID 1752 wrote to memory of 1736	1752	cmd.exe	findstr.exe
PID 1752 wrote to memory of 1736	1752	cmd.exe	findstr.exe
PID 1752 wrote to memory of 1736	1752	cmd.exe	findstr.exe
PID 1752 wrote to memory of 1736	1752	cmd.exe	findstr.exe
PID 1752 wrote to memory of 1736	1752	cmd.exe	findstr.exe
PID 1752 wrote to memory of 1736	1752	cmd.exe	findstr.exe
PID 1752 wrote to memory of 1736	1752	cmd.exe	findstr.exe

C:\Users\Admin\AppData\Local\Temp\36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe
"C:\Users\Admin\AppData\Local\Temp\36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Local\Temp\7zS22ED.tmp\downloader.exe
.\downloader.exe %%S
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\cmd.exe
/k systeminfo | findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:1244

C:\Windows\SysWOW64\findstr.exe
findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
4⤵
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS22ED.tmp\downloader.exe
Filesize
3.1MB

MD5
ad9566beec8757fe727f268e7bd2d43d

SHA1
9fc0c813965244403b93c657f43010ffc32b16bf

SHA256
984024c2b82a9857f5450fc72615c7ba93b5a3f8fb7ce2de7e8c387ff78320dd

SHA512
45288faef559466f1def1b69a760664ab47acd45e2b347927a23842f69361a403799d344c3ca78c934792d11b580e527a6958546933713bf28bb77a5932481ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS22ED.tmp\downloader.exe
Filesize
3.1MB

MD5
ad9566beec8757fe727f268e7bd2d43d

SHA1
9fc0c813965244403b93c657f43010ffc32b16bf

SHA256
984024c2b82a9857f5450fc72615c7ba93b5a3f8fb7ce2de7e8c387ff78320dd

SHA512
45288faef559466f1def1b69a760664ab47acd45e2b347927a23842f69361a403799d344c3ca78c934792d11b580e527a6958546933713bf28bb77a5932481ef

Download Submit
\Users\Admin\AppData\Local\Temp\7zS22ED.tmp\downloader.exe
Filesize
3.1MB

MD5
ad9566beec8757fe727f268e7bd2d43d

SHA1
9fc0c813965244403b93c657f43010ffc32b16bf

SHA256
984024c2b82a9857f5450fc72615c7ba93b5a3f8fb7ce2de7e8c387ff78320dd

SHA512
45288faef559466f1def1b69a760664ab47acd45e2b347927a23842f69361a403799d344c3ca78c934792d11b580e527a6958546933713bf28bb77a5932481ef

Download Submit
\Users\Admin\AppData\Local\Temp\7zS22ED.tmp\downloader.exe
Filesize
3.1MB

MD5
ad9566beec8757fe727f268e7bd2d43d

SHA1
9fc0c813965244403b93c657f43010ffc32b16bf

SHA256
984024c2b82a9857f5450fc72615c7ba93b5a3f8fb7ce2de7e8c387ff78320dd

SHA512
45288faef559466f1def1b69a760664ab47acd45e2b347927a23842f69361a403799d344c3ca78c934792d11b580e527a6958546933713bf28bb77a5932481ef

Download Submit
\Users\Admin\AppData\Local\Temp\7zS22ED.tmp\downloader.exe
Filesize
3.1MB

MD5
ad9566beec8757fe727f268e7bd2d43d

SHA1
9fc0c813965244403b93c657f43010ffc32b16bf

SHA256
984024c2b82a9857f5450fc72615c7ba93b5a3f8fb7ce2de7e8c387ff78320dd

SHA512
45288faef559466f1def1b69a760664ab47acd45e2b347927a23842f69361a403799d344c3ca78c934792d11b580e527a6958546933713bf28bb77a5932481ef

Download Submit
memory/764-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/956-56-0x0000000000000000-mapping.dmp

Download
memory/1244-64-0x0000000000000000-mapping.dmp

Download
memory/1736-65-0x0000000000000000-mapping.dmp

Download
memory/1752-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing