00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee

General

Target

00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
Size

1.9MB
MD5

4ee07fb83faff93732dbc9138222368f
SHA1

4da06c16bc29c67db43a08145def09b6ad257415
SHA256

00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee
SHA512

d36406f6bf42019fea383d53e2fc2fdc38af4de9a06dfa7bacc7c017041ff224122999ec9fde41c448d17f5b3faa95e7f7ec7c616b120b379d2ddc0bfe05fa3b

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 6 IoCs

Processes:

00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe

pid	process
1512	00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
1512	00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
1512	00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
1512	00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
1512	00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
1512	00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe

description ioc process

File opened for modification \??\PhysicalDrive0 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe

Modifies registry class 3 IoCs

Processes:

00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid	00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd	00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 74c67df97cb42c43b1344f376b675fcc	00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe

pid process

1512 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe

pid process

1512 00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe

C:\Users\Admin\AppData\Local\Temp\00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe
"C:\Users\Admin\AppData\Local\Temp\00ec950e74ca18b9c21a1a9b3bc3e0fa52f240c6b2dd44a7cffa34de8f93a1ee.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsoDC10.tmp\BDMDownload.dll
Filesize
158KB

MD5
b62367fe2d02b8f47914b088a006d50c

SHA1
3743c953e48e6f3f76689423ba9c1ed25e9f86d3

SHA256
cbd4c5b6b945620e8b65752dff5a0f0900fc5de2dda8daf3cdda68b1661420b7

SHA512
c010e3cc736ac1e10c6af44132d831df34d09bf1e7d1e96fb5c9f571cade04462d442c4b0fd84de92dc68d753a0beab0b4081122d53d516406f0d3c1ec1e0dbb

Download Submit
\Users\Admin\AppData\Local\Temp\nsoDC10.tmp\BDMNetGetInfo.dll
Filesize
314KB

MD5
12f98be1d919784370eb0f87e78b60d8

SHA1
d07de2227b2ec68545be0adeb042af457d68f9e2

SHA256
63e34375374ae6cc695c0bc03f1f9aad67e068fc51962fd25edbf2fbeceda9f9

SHA512
ab2fcdd3eb7b58f044a855b5cae744bc1b3be599cf0d22ee93ccce2e97cb3bc1f36ea2c1ed75013c76f8c9e4071ba29710595c3a57cda2470885ee9293fc2d8d

Download Submit
\Users\Admin\AppData\Local\Temp\nsoDC10.tmp\BDMSkin.dll
Filesize
1.3MB

MD5
39257175ac9c90199c69aea1a7bcbda0

SHA1
6cf4a8dedf37d24ce902f34fa66120a214e1a2cc

SHA256
84d5fb0a7cf1bc1e4bbd0de51d3b7eb04bb92af9a1fc3675601b382a5f11d9fc

SHA512
4a71d0ac3df53b25509205e9ed0bf781cbefa2ba6307501ae336488c8a3f7f627b8d01f861adbf47986e168abab5a06b36848f87cbcf27fe846e5f0ffc3a9f53

Download Submit
\Users\Admin\AppData\Local\Temp\nsoDC10.tmp\System.dll
Filesize
18KB

MD5
1c951bbcbc780046d6be1079a04870a4

SHA1
a5bae7d838973154e6fac69b1c5ff7d2cda01906

SHA256
d23676fbcf76355d1af68e7b32964b837243349920921b2ec74d97554809a65e

SHA512
62c3686baed2232f7d8ddc8f48a41761812b5b2a67f3a689b7a43275f077842366abc13c7e8259613bfd9df25cf467e4001337c1454aec910abce121d551e2d8

Download Submit
\Users\Admin\AppData\Local\Temp\nsoDC10.tmp\dl.dll
Filesize
1.9MB

MD5
763b532d651f0ad5e135d9b57bf4fba4

SHA1
23f1302f904a67a1fe0d48e11a435c2f36336196

SHA256
50b3c45ede6fd2d77c4f040242b2174289767b18a3a084e7046133b05f93e173

SHA512
a4ec0f5bfa30d3558935f4075a75aebf080ece324a550c573d8a424730693b030cd26b4862973e8da8937e610c287d64e96c2fd952b59324ed1822919a00737c

Download Submit
\Users\Admin\AppData\Local\Temp\nsoDC10.tmp\tmptwl2qh.dll
Filesize
2.6MB

MD5
21b8dcddef95687175b7163f7fa819e3

SHA1
ea54fb330bf335e996330d272979712ab7fd1443

SHA256
4571035b67abb5ddc9b867b8bde9bfec8aa8917bce2a9df413ecae3ea606aa1c

SHA512
2a906e65f9f6ddef3b59c6f199c8bf9d72a14878f6927253a65e0915cefa384fdbf5bc43462f19da8bd9a8586c2dfa80b9f146870010ab7ae5e1e5bc8b8e11d2

Download Submit
memory/1512-54-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download
memory/1512-67-0x0000000004F00000-0x00000000050ED000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing