01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673

General

Target

01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
Size

724KB
MD5

215b0d00078ac8228f971020fc615df2
SHA1

a477a08bb43ebf76215d7a747e43efa77f24aeea
SHA256

01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673
SHA512

8225efbe2af3f779a6064255c294d729e6efc2ae69c5edff5b522aaee4d31e53a261c88ac8457475bc3d28f89b7c9cdee11558630d503a1def2ae4a62d9d32f4

Score

6^/10

bootkit persistence

Malware Config

Signatures

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe

description	ioc	process
File opened (read-only)	\??\f:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\g:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\i:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\p:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\w:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\z:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\j:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\s:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\v:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\h:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\k:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\n:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\o:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\r:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\y:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\e:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\l:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\m:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\q:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\t:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\u:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
File opened (read-only)	\??\x:	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe

description ioc process

File opened for modification \??\PhysicalDrive0 01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe

C:\Users\Admin\AppData\Local\Temp\01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe
"C:\Users\Admin\AppData\Local\Temp\01a3286168b1d040318a0da75fc9f4e9532f303fc3e5492f4a7ebc88014cb673.exe"
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
PID:664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/664-54-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/664-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing