261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da

General

Target

261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe
Size

578KB
MD5

d74c5e0c9d288faa8b3df90a42f1ed67
SHA1

ffb778ad8b96a78da8660af132ed2e7b67131ecc
SHA256

261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da
SHA512

979510f36159a6444e155fb3f26a2e4f436fbde624149974d6f8dadb202d9958d0e68a9a1f5eaeeece61c817ef21fc8e3475b7dde48d8cbeb470b94268683621

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

MBRWiz.exebootsect.exe

pid process

2164 MBRWiz.exe
4116 bootsect.exe

pid	process
2164	MBRWiz.exe
4116	bootsect.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

MBRWiz.exe

description ioc process

File opened (read-only) \??\D: MBRWiz.exe

description	ioc	process
File opened (read-only)	\??\D:	MBRWiz.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MBRWiz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MBRWiz.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MBRWiz.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MBRWiz.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MBRWiz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

MBRWiz.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 MBRWiz.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MBRWiz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	MBRWiz.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.execmd.exe

description	pid	process	target process
PID 324 wrote to memory of 4396	324	261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe	cmd.exe
PID 324 wrote to memory of 4396	324	261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe	cmd.exe
PID 324 wrote to memory of 4396	324	261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe	cmd.exe
PID 4396 wrote to memory of 2164	4396	cmd.exe	MBRWiz.exe
PID 4396 wrote to memory of 2164	4396	cmd.exe	MBRWiz.exe
PID 4396 wrote to memory of 2164	4396	cmd.exe	MBRWiz.exe
PID 4396 wrote to memory of 4116	4396	cmd.exe	bootsect.exe
PID 4396 wrote to memory of 4116	4396	cmd.exe	bootsect.exe
PID 4396 wrote to memory of 4116	4396	cmd.exe	bootsect.exe

C:\Users\Admin\AppData\Local\Temp\261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe
"C:\Users\Admin\AppData\Local\Temp\261aeadbb84c2a2b693d72ee9a9eb61987c670daf5a03d1e0a78de1f8abc20da.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sources\usbsetup.cmd" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4396

C:\Users\Admin\AppData\Local\Temp\sources\MBRWiz.exe
mbrwiz /vol=C: /active /confirm
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
PID:2164

C:\Users\Admin\AppData\Local\Temp\sources\bootsect.exe
bootsect /nt60 C:
3⤵
- Executes dropped EXE
PID:4116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sources\MBRWiz.exe
Filesize
209KB

MD5
8750f91801c31fb3636f9ce127d26ae0

SHA1
f5d610da75ad0718ab226b8e7c1eefa0738edc8f

SHA256
bd77f4b7fd8fc1cc39fa82d823b7664f57ff4197763c2d57fb9c28c6c1f9c8aa

SHA512
cd575ace9887a90e180aa8089d8fe168367b906b5b28b8269944dcb873769b345277ad351cead98202da83f66eacadfe29921d188df8b33b13fbbf51ffe5842d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sources\MBRWiz.exe
Filesize
209KB

MD5
8750f91801c31fb3636f9ce127d26ae0

SHA1
f5d610da75ad0718ab226b8e7c1eefa0738edc8f

SHA256
bd77f4b7fd8fc1cc39fa82d823b7664f57ff4197763c2d57fb9c28c6c1f9c8aa

SHA512
cd575ace9887a90e180aa8089d8fe168367b906b5b28b8269944dcb873769b345277ad351cead98202da83f66eacadfe29921d188df8b33b13fbbf51ffe5842d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sources\bootsect.exe
Filesize
95KB

MD5
748e3755d83e56206f810be3626c88b2

SHA1
886c338a07430db91345210c00c0722de4885588

SHA256
33d3a70c9bbf9796a0b0575023b758f495135c14cfec0140d692d27fe2255c19

SHA512
5b8eb0a0fe2c69dede77ea6f8e43fcd1d894d88ea1913d70d8b45ca75d9b80d46f49af25cd9f6e2914f94ef64c9b4d309e9173addc83d46f84814532856c7560

Download Submit
C:\Users\Admin\AppData\Local\Temp\sources\bootsect.exe
Filesize
95KB

MD5
748e3755d83e56206f810be3626c88b2

SHA1
886c338a07430db91345210c00c0722de4885588

SHA256
33d3a70c9bbf9796a0b0575023b758f495135c14cfec0140d692d27fe2255c19

SHA512
5b8eb0a0fe2c69dede77ea6f8e43fcd1d894d88ea1913d70d8b45ca75d9b80d46f49af25cd9f6e2914f94ef64c9b4d309e9173addc83d46f84814532856c7560

Download Submit
C:\Users\Admin\AppData\Local\Temp\sources\usbsetup.cmd
Filesize
91B

MD5
2721ea31c2c1cb23943487485e856f15

SHA1
16fd43ada69c4ebf07cb2fbd73d29effcda69aaa

SHA256
2918322c28413b3fe901a356608067d8ceb4195d9cb95a110eeb78d1d1d72fb4

SHA512
a20e571cfd419826e4b4aea35f5996c18dc19b3fc1b7f57913d156c504592aa5f52343a26d8bc025bc92cac424ff0b9f1f64e8a1fb6f361fa6c97648099cc11f

Download Submit
memory/2164-132-0x0000000000000000-mapping.dmp

Download
memory/4116-135-0x0000000000000000-mapping.dmp

Download
memory/4396-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads