eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2

General

Target

eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
Size

3.3MB
MD5

2630e21380cd389caa9a31e5b7113ab0
SHA1

67dd9f56bb740893b075afcf6572d645e2e31c8d
SHA256

eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2
SHA512

68cc1da89814aa666dab9f57b6414ad2bc3e75659886b9718e2261d6098aa109dbe7a2809956497da11fffe305943511a13e27b96bd364719d4469a04f10ea84

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe

description ioc process

File opened for modification \??\PhysicalDrive0 eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4532 taskkill.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe

pid	process
4532	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe = "11001"	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4484 PING.EXE
4436 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 4532 taskkill.exe

pid	process
4484	PING.EXE
4436	PING.EXE

description	pid	process
Token: SeDebugPrivilege	4532	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe

pid	process
312	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
312	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.execmd.exe

description	pid	process	target process
PID 312 wrote to memory of 3608	312	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe	cmd.exe
PID 312 wrote to memory of 3608	312	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe	cmd.exe
PID 312 wrote to memory of 3608	312	eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe	cmd.exe
PID 3608 wrote to memory of 4532	3608	cmd.exe	taskkill.exe
PID 3608 wrote to memory of 4532	3608	cmd.exe	taskkill.exe
PID 3608 wrote to memory of 4532	3608	cmd.exe	taskkill.exe
PID 3608 wrote to memory of 4484	3608	cmd.exe	PING.EXE
PID 3608 wrote to memory of 4484	3608	cmd.exe	PING.EXE
PID 3608 wrote to memory of 4484	3608	cmd.exe	PING.EXE
PID 3608 wrote to memory of 4436	3608	cmd.exe	PING.EXE
PID 3608 wrote to memory of 4436	3608	cmd.exe	PING.EXE
PID 3608 wrote to memory of 4436	3608	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe
"C:\Users\Admin\AppData\Local\Temp\eb63d3f8a93f6b633bf327facc16eaec23d3b7b599fa872d546396c2928eecf2.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\taskkill.exe
taskkill /PID 312 /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2 -l 1
3⤵
- Runs ping.exe
PID:4484

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2 -l 1
3⤵
- Runs ping.exe
PID:4436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.bat
Filesize
639B

MD5
458d06d9dc263d28b2cd366400d46bbc

SHA1
2e7595dda159320928aaa3094cdeefaab5396bba

SHA256
254fb511a58dc9333311526de7e48814485a13bf831c7e13c3a84f6763d450e9

SHA512
f966a4902cdf3ea3c91943c61a5267d76974e97e61ac076d566ddaf8d66a4cdc2da194b15c8b48ef60b8d8285e7775c92d582066cc94bf03f3528570150621f5

Download Submit
memory/3608-130-0x0000000000000000-mapping.dmp

Download
memory/4436-134-0x0000000000000000-mapping.dmp

Download
memory/4484-133-0x0000000000000000-mapping.dmp

Download
memory/4532-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads