c6f683d875c4d7b463750391aa68524d517400900da8317069de4f7ac6a703b0

General

Target

tmp.exe
Size

1.3MB
MD5

756e9a919f3263313d2aa615fa2c4e07
SHA1

ab4587aaeebe307416adf32ca542d4ee61465ca1
SHA256

c6f683d875c4d7b463750391aa68524d517400900da8317069de4f7ac6a703b0
SHA512

3a3896b833bdcb084a1a0c0d9777ebb0b7cd34fe6b89ef1c17f37ace011b26e972d4132edc1b48f91abbc3d3892db4616fd788f8434b0ffa921ceb4664bd4881

Score

6^/10

bootkit persistence

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

tmp.exe

description	ioc	process
File opened (read-only)	\??\m:	tmp.exe
File opened (read-only)	\??\n:	tmp.exe
File opened (read-only)	\??\q:	tmp.exe
File opened (read-only)	\??\s:	tmp.exe
File opened (read-only)	\??\x:	tmp.exe
File opened (read-only)	\??\y:	tmp.exe
File opened (read-only)	\??\a:	tmp.exe
File opened (read-only)	\??\i:	tmp.exe
File opened (read-only)	\??\p:	tmp.exe
File opened (read-only)	\??\r:	tmp.exe
File opened (read-only)	\??\v:	tmp.exe
File opened (read-only)	\??\w:	tmp.exe
File opened (read-only)	\??\z:	tmp.exe
File opened (read-only)	\??\e:	tmp.exe
File opened (read-only)	\??\f:	tmp.exe
File opened (read-only)	\??\h:	tmp.exe
File opened (read-only)	\??\t:	tmp.exe
File opened (read-only)	\??\u:	tmp.exe
File opened (read-only)	\??\o:	tmp.exe
File opened (read-only)	\??\b:	tmp.exe
File opened (read-only)	\??\g:	tmp.exe
File opened (read-only)	\??\j:	tmp.exe
File opened (read-only)	\??\k:	tmp.exe
File opened (read-only)	\??\l:	tmp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

tmp.exe

description ioc process

File opened for modification \??\PhysicalDrive0 tmp.exe
Drops file in Windows directory 1 IoCs

Processes:

tmp.exe

description ioc process

File opened for modification C:\Windows\Sws.ini tmp.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	tmp.exe

description	ioc	process
File opened for modification	C:\Windows\Sws.ini	tmp.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7028221cd26dd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{408B3B71-D9C5-11EC-AD78-F6DB027C05B2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c00000000020000000000106600000001000020000000e5e624cac7497c6f4129c9bc96e9b2fb05e31cf09fe04deb05a238fa1cae8f99000000000e8000000002000020000000c79be286a0de997a2c9e78836b91c3231eaa9e5a55ff7621ea5b4fd098acb17420000000e13ab249ad1556d332be9970015be769ebf3107eb9c4b004b581fa01ab8b373c40000000fc48471bc66b8aed2f0865ef796eb356cacca37e4c1533b1bf40b1f54046ba5474d19be8912a98ad967d4cbfd8a30bcf3fca589411439c96592be0899c77228e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c000000000200000000001066000000010000200000002392150b74a61f3b84021ff6a5a1c1a2866ba6443642fc3f08c5d545e9223c4f000000000e80000000020000200000007fc7d9b98a42c29700b5693e02d119a28da6a3b8852a5374430837d99c140a76900000006a756ddecb064f473feecbc6e1f7b8982338b20aa23a0707c4febe5c752f8143202936edf288cfb584dd60a18a9bbdec9f1562f3da70cbff640954f5351a5933e1bdb2b584bbe0c51ba5cabc0523c2bc18451c8c650588c2db0a9887355c997729a44e46bba653d323d2badf618575834c1816074e5e97ef7fcc42ed6d84cb8eab6881e0d1f45c4f649c3f8623493bee40000000e509a0b4a5195c56e1db3d1b59ffbddafeddd248ac9c1ae927762a346e273e09639458db78327021a12ace7e790c406cb1ed7b5935bbf0934361fa1860dc7c68	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359985151"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tmp.exe

pid process

2000 tmp.exe
2000 tmp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

tmp.exeiexplore.exe

pid process

2000 tmp.exe
2008 iexplore.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

tmp.exe

pid process

2000 tmp.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

tmp.exeiexplore.exeIEXPLORE.EXE

pid	process
2000	tmp.exe
2000	tmp.exe
2000	tmp.exe
2000	tmp.exe
2000	tmp.exe
2000	tmp.exe
2000	tmp.exe
2008	iexplore.exe
2008	iexplore.exe
760	IEXPLORE.EXE
760	IEXPLORE.EXE
760	IEXPLORE.EXE
760	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

tmp.exeiexplore.exe

description	pid	process	target process
PID 2000 wrote to memory of 2008	2000	tmp.exe	iexplore.exe
PID 2000 wrote to memory of 2008	2000	tmp.exe	iexplore.exe
PID 2000 wrote to memory of 2008	2000	tmp.exe	iexplore.exe
PID 2000 wrote to memory of 2008	2000	tmp.exe	iexplore.exe
PID 2008 wrote to memory of 760	2008	iexplore.exe	IEXPLORE.EXE
PID 2008 wrote to memory of 760	2008	iexplore.exe	IEXPLORE.EXE
PID 2008 wrote to memory of 760	2008	iexplore.exe	IEXPLORE.EXE
PID 2008 wrote to memory of 760	2008	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000

\??\c:\program files\internet explorer\iexplore.exe
"c:\program files\internet explorer\iexplore.exe" http://10.127.0.117:80/
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NH424Z8R.txt
Filesize
595B

MD5
eadc4fe5d421a3e34988abfcfb631406

SHA1
79b7b73aae4a0f43e368033d1f4fc15fe96fd9c9

SHA256
5a96480dd1ea3bf0eaa54c7be9a76c3e7ad93cccacfec4d3ad7e6688b4e78811

SHA512
b88296cf9bcd917eda68039866c281999e4d0a24dec3657ec3de26540919cad3a5e61fd86544cd4dabe88623351c6aa838948dbe31b984a612b41285e458abe7

Download Submit
memory/2000-54-0x0000000075221000-0x0000000075223000-memory.dmp

Filesize
8KB

Download
memory/2008-55-0x0000000000000000-mapping.dmp

Download
memory/2008-56-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/2008-57-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads