261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe
Size

578KB
MD5

d74c5e0c9d288faa8b3df90a42f1ed67
SHA1

ffb778ad8b96a78da8660af132ed2e7b67131ecc
SHA256

261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da
SHA512

979510f36159a6444e155fb3f26a2e4f436fbde624149974d6f8dadb202d9958d0e68a9a1f5eaeeece61c817ef21fc8e3475b7dde48d8cbeb470b94268683621

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

MBRWiz.exebootsect.exe

pid process

1248 MBRWiz.exe
2020 bootsect.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exe

pid process

1324 cmd.exe
1324 cmd.exe
1324 cmd.exe
1324 cmd.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MBRWiz.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MBRWiz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1248	MBRWiz.exe
2020	bootsect.exe

pid	process
1324	cmd.exe
1324	cmd.exe
1324	cmd.exe
1324	cmd.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MBRWiz.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.execmd.exe

description	pid	process	target process
PID 1808 wrote to memory of 1324	1808	261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe	cmd.exe
PID 1808 wrote to memory of 1324	1808	261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe	cmd.exe
PID 1808 wrote to memory of 1324	1808	261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe	cmd.exe
PID 1808 wrote to memory of 1324	1808	261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe	cmd.exe
PID 1808 wrote to memory of 1324	1808	261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe	cmd.exe
PID 1808 wrote to memory of 1324	1808	261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe	cmd.exe
PID 1808 wrote to memory of 1324	1808	261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe	cmd.exe
PID 1324 wrote to memory of 1248	1324	cmd.exe	MBRWiz.exe
PID 1324 wrote to memory of 1248	1324	cmd.exe	MBRWiz.exe
PID 1324 wrote to memory of 1248	1324	cmd.exe	MBRWiz.exe
PID 1324 wrote to memory of 1248	1324	cmd.exe	MBRWiz.exe
PID 1324 wrote to memory of 1248	1324	cmd.exe	MBRWiz.exe
PID 1324 wrote to memory of 1248	1324	cmd.exe	MBRWiz.exe
PID 1324 wrote to memory of 1248	1324	cmd.exe	MBRWiz.exe
PID 1324 wrote to memory of 2020	1324	cmd.exe	bootsect.exe
PID 1324 wrote to memory of 2020	1324	cmd.exe	bootsect.exe
PID 1324 wrote to memory of 2020	1324	cmd.exe	bootsect.exe
PID 1324 wrote to memory of 2020	1324	cmd.exe	bootsect.exe
PID 1324 wrote to memory of 2020	1324	cmd.exe	bootsect.exe
PID 1324 wrote to memory of 2020	1324	cmd.exe	bootsect.exe
PID 1324 wrote to memory of 2020	1324	cmd.exe	bootsect.exe

C:\Users\Admin\AppData\Local\Temp\261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe
"C:\Users\Admin\AppData\Local\Temp\261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sources\usbsetup.cmd" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\sources\MBRWiz.exe
    mbrwiz /vol=C: /active /confirm
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:1248
- - C:\Users\Admin\AppData\Local\Temp\sources\bootsect.exe
    bootsect /nt60 C:
    3⤵
    - Executes dropped EXE
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sources\MBRWiz.exe

Filesize
209KB

MD5
8750f91801c31fb3636f9ce127d26ae0

SHA1
f5d610da75ad0718ab226b8e7c1eefa0738edc8f

SHA256
bd77f4b7fd8fc1cc39fa82d823b7664f57ff4197763c2d57fb9c28c6c1f9c8aa

SHA512
cd575ace9887a90e180aa8089d8fe168367b906b5b28b8269944dcb873769b345277ad351cead98202da83f66eacadfe29921d188df8b33b13fbbf51ffe5842d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sources\MBRWiz.exe

Filesize
209KB

MD5
8750f91801c31fb3636f9ce127d26ae0

SHA1
f5d610da75ad0718ab226b8e7c1eefa0738edc8f

SHA256
bd77f4b7fd8fc1cc39fa82d823b7664f57ff4197763c2d57fb9c28c6c1f9c8aa

SHA512
cd575ace9887a90e180aa8089d8fe168367b906b5b28b8269944dcb873769b345277ad351cead98202da83f66eacadfe29921d188df8b33b13fbbf51ffe5842d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sources\bootsect.exe

Filesize
95KB

MD5
748e3755d83e56206f810be3626c88b2

SHA1
886c338a07430db91345210c00c0722de4885588

SHA256
33d3a70c9bbf9796a0b0575023b758f495135c14cfec0140d692d27fe2255c19

SHA512
5b8eb0a0fe2c69dede77ea6f8e43fcd1d894d88ea1913d70d8b45ca75d9b80d46f49af25cd9f6e2914f94ef64c9b4d309e9173addc83d46f84814532856c7560

Download Submit
C:\Users\Admin\AppData\Local\Temp\sources\bootsect.exe

Filesize
95KB

MD5
748e3755d83e56206f810be3626c88b2

SHA1
886c338a07430db91345210c00c0722de4885588

SHA256
33d3a70c9bbf9796a0b0575023b758f495135c14cfec0140d692d27fe2255c19

SHA512
5b8eb0a0fe2c69dede77ea6f8e43fcd1d894d88ea1913d70d8b45ca75d9b80d46f49af25cd9f6e2914f94ef64c9b4d309e9173addc83d46f84814532856c7560

Download Submit
C:\Users\Admin\AppData\Local\Temp\sources\usbsetup.cmd

Filesize
91B

MD5
2721ea31c2c1cb23943487485e856f15

SHA1
16fd43ada69c4ebf07cb2fbd73d29effcda69aaa

SHA256
2918322c28413b3fe901a356608067d8ceb4195d9cb95a110eeb78d1d1d72fb4

SHA512
a20e571cfd419826e4b4aea35f5996c18dc19b3fc1b7f57913d156c504592aa5f52343a26d8bc025bc92cac424ff0b9f1f64e8a1fb6f361fa6c97648099cc11f

Download Submit
\Users\Admin\AppData\Local\Temp\sources\MBRWiz.exe

Filesize
209KB

MD5
8750f91801c31fb3636f9ce127d26ae0

SHA1
f5d610da75ad0718ab226b8e7c1eefa0738edc8f

SHA256
bd77f4b7fd8fc1cc39fa82d823b7664f57ff4197763c2d57fb9c28c6c1f9c8aa

SHA512
cd575ace9887a90e180aa8089d8fe168367b906b5b28b8269944dcb873769b345277ad351cead98202da83f66eacadfe29921d188df8b33b13fbbf51ffe5842d

Download Submit
\Users\Admin\AppData\Local\Temp\sources\MBRWiz.exe

Filesize
209KB

MD5
8750f91801c31fb3636f9ce127d26ae0

SHA1
f5d610da75ad0718ab226b8e7c1eefa0738edc8f

SHA256
bd77f4b7fd8fc1cc39fa82d823b7664f57ff4197763c2d57fb9c28c6c1f9c8aa

SHA512
cd575ace9887a90e180aa8089d8fe168367b906b5b28b8269944dcb873769b345277ad351cead98202da83f66eacadfe29921d188df8b33b13fbbf51ffe5842d

Download Submit
\Users\Admin\AppData\Local\Temp\sources\bootsect.exe

Filesize
95KB

MD5
748e3755d83e56206f810be3626c88b2

SHA1
886c338a07430db91345210c00c0722de4885588

SHA256
33d3a70c9bbf9796a0b0575023b758f495135c14cfec0140d692d27fe2255c19

SHA512
5b8eb0a0fe2c69dede77ea6f8e43fcd1d894d88ea1913d70d8b45ca75d9b80d46f49af25cd9f6e2914f94ef64c9b4d309e9173addc83d46f84814532856c7560

Download Submit
\Users\Admin\AppData\Local\Temp\sources\bootsect.exe

Filesize
95KB

MD5
748e3755d83e56206f810be3626c88b2

SHA1
886c338a07430db91345210c00c0722de4885588

SHA256
33d3a70c9bbf9796a0b0575023b758f495135c14cfec0140d692d27fe2255c19

SHA512
5b8eb0a0fe2c69dede77ea6f8e43fcd1d894d88ea1913d70d8b45ca75d9b80d46f49af25cd9f6e2914f94ef64c9b4d309e9173addc83d46f84814532856c7560

Download Submit
memory/1248-61-0x0000000000000000-mapping.dmp

Download
memory/1324-55-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/2020-67-0x0000000000000000-mapping.dmp

Download