eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2

General

Target

eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
Size

3.3MB
MD5

2630e21380cd389caa9a31e5b7113ab0
SHA1

67dd9f56bb740893b075afcf6572d645e2e31c8d
SHA256

eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2
SHA512

68cc1da89814aa666dab9f57b6414ad2bc3e75659886b9718e2261d6098aa109dbe7a2809956497da11fffe305943511a13e27b96bd364719d4469a04f10ea84

Score

7^/10

bootkit persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

564 cmd.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe

description ioc process

File opened for modification \??\PhysicalDrive0 eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1740 taskkill.exe

pid	process
564	cmd.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe

pid	process
1740	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe = "11001"	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1940 PING.EXE
1280 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1740 taskkill.exe

pid	process
1940	PING.EXE
1280	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1740	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe

pid	process
1952	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
1952	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.execmd.exe

description	pid	process	target process
PID 1952 wrote to memory of 564	1952	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe	cmd.exe
PID 1952 wrote to memory of 564	1952	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe	cmd.exe
PID 1952 wrote to memory of 564	1952	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe	cmd.exe
PID 1952 wrote to memory of 564	1952	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe	cmd.exe
PID 1952 wrote to memory of 564	1952	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe	cmd.exe
PID 1952 wrote to memory of 564	1952	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe	cmd.exe
PID 1952 wrote to memory of 564	1952	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe	cmd.exe
PID 564 wrote to memory of 1740	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1740	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1740	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1740	564	cmd.exe	taskkill.exe
PID 564 wrote to memory of 1940	564	cmd.exe	PING.EXE
PID 564 wrote to memory of 1940	564	cmd.exe	PING.EXE
PID 564 wrote to memory of 1940	564	cmd.exe	PING.EXE
PID 564 wrote to memory of 1940	564	cmd.exe	PING.EXE
PID 564 wrote to memory of 1280	564	cmd.exe	PING.EXE
PID 564 wrote to memory of 1280	564	cmd.exe	PING.EXE
PID 564 wrote to memory of 1280	564	cmd.exe	PING.EXE
PID 564 wrote to memory of 1280	564	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
"C:\Users\Admin\AppData\Local\Temp\eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\taskkill.exe
taskkill /PID 1952 /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2 -l 1
3⤵
- Runs ping.exe
PID:1940

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2 -l 1
3⤵
- Runs ping.exe
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.bat
Filesize
640B

MD5
c73fae63658c07ba294bdaa360fa86d0

SHA1
a4db595ea58e203854b8f1a2a37ef739945a71f5

SHA256
b88d3c3343370af0f3b518dca6531d8d98e233ef8631b0493ae1da798d900170

SHA512
b34af77d06e32004d5d0e7bae3ba81698a61a384547539e3652fe60c8e41f5182a54ffef96355e1133ec52dcf87947f0696700695e633ca52c1b31d6fa9dbe07

Download Submit
memory/564-55-0x0000000000000000-mapping.dmp

Download
memory/1280-59-0x0000000000000000-mapping.dmp

Download
memory/1740-57-0x0000000000000000-mapping.dmp

Download
memory/1940-58-0x0000000000000000-mapping.dmp

Download
memory/1952-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads