6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416 | Triage

Analysis

max time kernel
128s
max time network
148s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 22:57

Sharing

Report Analysis Logs

General

Target

6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Size

11.7MB
MD5

18b14674866c89c770a7f8cafcd9d77a
SHA1

bb4c7f84f81d926be1c0819b59ae9ec891b1989a
SHA256

6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416
SHA512

a05017b19da903cdbb0a2ce6fa238a43853d75db426e14cc4f8d26cdbe3e541a37e4236900cb9cd2f8eb416ba13d93f26fdbcc01e7f66fa8306551ffe71841ba

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

bcdedit.exeo.exe

pid process

112 bcdedit.exe
1812 o.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.execmd.exe

pid process

1036 cmd.exe
1540 cmd.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exeo.exe

description	ioc	process
File opened (read-only)	\??\Z:	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
File opened (read-only)	\??\D:	o.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

o.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	o.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	o.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

o.exe

description ioc process

File opened for modification \??\PhysicalDrive0 o.exe
Drops file in Windows directory 1 IoCs

Processes:

6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe

description ioc process

File created C:\Windows\v.cfg 6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe

description	pid	process
Token: 33	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: SeIncBasePriorityPrivilege	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: 33	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: SeIncBasePriorityPrivilege	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: 33	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: SeIncBasePriorityPrivilege	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: 33	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: SeIncBasePriorityPrivilege	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: 33	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: SeIncBasePriorityPrivilege	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: 33	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: SeIncBasePriorityPrivilege	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: 33	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: SeIncBasePriorityPrivilege	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: 33	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: SeIncBasePriorityPrivilege	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: 33	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: SeIncBasePriorityPrivilege	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: 33	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: SeIncBasePriorityPrivilege	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: 33	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: SeIncBasePriorityPrivilege	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: 33	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
Token: SeIncBasePriorityPrivilege	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe

pid	process
1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe

pid	process
1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe

pid	process
1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.execmd.execmd.exe

description	pid	process	target process
PID 1968 wrote to memory of 1036	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe	cmd.exe
PID 1968 wrote to memory of 1036	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe	cmd.exe
PID 1968 wrote to memory of 1036	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe	cmd.exe
PID 1968 wrote to memory of 1036	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe	cmd.exe
PID 1036 wrote to memory of 112	1036	cmd.exe	bcdedit.exe
PID 1036 wrote to memory of 112	1036	cmd.exe	bcdedit.exe
PID 1036 wrote to memory of 112	1036	cmd.exe	bcdedit.exe
PID 1036 wrote to memory of 112	1036	cmd.exe	bcdedit.exe
PID 1968 wrote to memory of 1540	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe	cmd.exe
PID 1968 wrote to memory of 1540	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe	cmd.exe
PID 1968 wrote to memory of 1540	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe	cmd.exe
PID 1968 wrote to memory of 1540	1968	6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe	cmd.exe
PID 1540 wrote to memory of 1812	1540	cmd.exe	o.exe
PID 1540 wrote to memory of 1812	1540	cmd.exe	o.exe
PID 1540 wrote to memory of 1812	1540	cmd.exe	o.exe
PID 1540 wrote to memory of 1812	1540	cmd.exe	o.exe

C:\Users\Admin\AppData\Local\Temp\6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe
"C:\Users\Admin\AppData\Local\Temp\6abfc85669dabf5e11683ca90144bb25fe7bcb28742ae2c8020814d3a467b416.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c bcdedit
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\bcdedit.exe
bcdedit
3⤵
- Executes dropped EXE
PID:112

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c o info
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\o.exe
o info
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Writes to the Master Boot Record (MBR)
PID:1812

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4
1⤵
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bcdedit.exe
Filesize
359KB

MD5
f812d591a7b7a5f15141e891a95ba4bb

SHA1
8c04bbae962a561cbba0353b8e86e877ca45bb68

SHA256
6cc9858b49578c8a98b8926563f1c7d82641277bd7e3d1ad2fcadfa0ca1422a7

SHA512
f5de84398c2cf2a2bc168eb6c9a773c647bf2dad169a131bb0f8b54ac058b037daa0de5355e47384ad5c15c69822897a55f9d4c8da2b8480212fe5b068baa2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\o.exe
Filesize
2.3MB

MD5
70b6a76178479d237a2c23b86d6c06d9

SHA1
3bfd492082e3958a1038685ad9e17800510e94e1

SHA256
ed1f0c01a20b99435c9f6a233bf3a766e756c866db1dda460822424d228ec5d7

SHA512
596dcbbb2daf686b938356dff9bbc94f92bf9e92d1230beda5e11cb6dde6538d3878e1d83b9d007dbd550f09d4335443b9b5e922580f6b9b6d2f03d8d6cb0cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\o.exe
Filesize
2.3MB

MD5
70b6a76178479d237a2c23b86d6c06d9

SHA1
3bfd492082e3958a1038685ad9e17800510e94e1

SHA256
ed1f0c01a20b99435c9f6a233bf3a766e756c866db1dda460822424d228ec5d7

SHA512
596dcbbb2daf686b938356dff9bbc94f92bf9e92d1230beda5e11cb6dde6538d3878e1d83b9d007dbd550f09d4335443b9b5e922580f6b9b6d2f03d8d6cb0cbd

Download Submit
\Users\Admin\AppData\Local\Temp\bcdedit.exe
Filesize
359KB

MD5
f812d591a7b7a5f15141e891a95ba4bb

SHA1
8c04bbae962a561cbba0353b8e86e877ca45bb68

SHA256
6cc9858b49578c8a98b8926563f1c7d82641277bd7e3d1ad2fcadfa0ca1422a7

SHA512
f5de84398c2cf2a2bc168eb6c9a773c647bf2dad169a131bb0f8b54ac058b037daa0de5355e47384ad5c15c69822897a55f9d4c8da2b8480212fe5b068baa2ad

Download Submit
\Users\Admin\AppData\Local\Temp\o.exe
Filesize
2.3MB

MD5
70b6a76178479d237a2c23b86d6c06d9

SHA1
3bfd492082e3958a1038685ad9e17800510e94e1

SHA256
ed1f0c01a20b99435c9f6a233bf3a766e756c866db1dda460822424d228ec5d7

SHA512
596dcbbb2daf686b938356dff9bbc94f92bf9e92d1230beda5e11cb6dde6538d3878e1d83b9d007dbd550f09d4335443b9b5e922580f6b9b6d2f03d8d6cb0cbd

Download Submit
memory/112-57-0x0000000000000000-mapping.dmp

Download
memory/1036-55-0x0000000000000000-mapping.dmp

Download
memory/1540-61-0x0000000000000000-mapping.dmp

Download
memory/1812-64-0x0000000000000000-mapping.dmp

Download
memory/1968-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1968-59-0x0000000010024000-0x0000000010031000-memory.dmp

Filesize
52KB

Download
memory/1968-60-0x0000000008580000-0x00000000087A2000-memory.dmp

Filesize
2.1MB

Download