e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2

General

Target

e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe
Size

1.3MB
MD5

e94789d1b75d6520283673c75aabddb2
SHA1

6b34ff2a184980cd36ed962b24610201ce2e9708
SHA256

e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2
SHA512

b48f690de562ba2115de6b38868aaece4ccf9b9fdd2934120d5211bdc969291d38e5bbdb0817d8a579853d05feac7096119f27fd297044ab3a9fc83f0f77e6de

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

downloader.exe

pid process

828 downloader.exe
Loads dropped DLL 3 IoCs

Processes:

e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exedownloader.exe

pid process

1704 e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe
828 downloader.exe
828 downloader.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

downloader.exe

description ioc process

File opened for modification \??\PhysicalDrive0 downloader.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2028 systeminfo.exe

pid	process
828	downloader.exe

pid	process
1704	e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe
828	downloader.exe
828	downloader.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	downloader.exe

pid	process
2028	systeminfo.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exedownloader.execmd.exe

description	pid	process	target process
PID 1704 wrote to memory of 828	1704	e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe	downloader.exe
PID 1704 wrote to memory of 828	1704	e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe	downloader.exe
PID 1704 wrote to memory of 828	1704	e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe	downloader.exe
PID 1704 wrote to memory of 828	1704	e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe	downloader.exe
PID 1704 wrote to memory of 828	1704	e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe	downloader.exe
PID 1704 wrote to memory of 828	1704	e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe	downloader.exe
PID 1704 wrote to memory of 828	1704	e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe	downloader.exe
PID 828 wrote to memory of 2032	828	downloader.exe	cmd.exe
PID 828 wrote to memory of 2032	828	downloader.exe	cmd.exe
PID 828 wrote to memory of 2032	828	downloader.exe	cmd.exe
PID 828 wrote to memory of 2032	828	downloader.exe	cmd.exe
PID 828 wrote to memory of 2032	828	downloader.exe	cmd.exe
PID 828 wrote to memory of 2032	828	downloader.exe	cmd.exe
PID 828 wrote to memory of 2032	828	downloader.exe	cmd.exe
PID 2032 wrote to memory of 2028	2032	cmd.exe	systeminfo.exe
PID 2032 wrote to memory of 2028	2032	cmd.exe	systeminfo.exe
PID 2032 wrote to memory of 2028	2032	cmd.exe	systeminfo.exe
PID 2032 wrote to memory of 2028	2032	cmd.exe	systeminfo.exe
PID 2032 wrote to memory of 2028	2032	cmd.exe	systeminfo.exe
PID 2032 wrote to memory of 2028	2032	cmd.exe	systeminfo.exe
PID 2032 wrote to memory of 2028	2032	cmd.exe	systeminfo.exe
PID 2032 wrote to memory of 1808	2032	cmd.exe	findstr.exe
PID 2032 wrote to memory of 1808	2032	cmd.exe	findstr.exe
PID 2032 wrote to memory of 1808	2032	cmd.exe	findstr.exe
PID 2032 wrote to memory of 1808	2032	cmd.exe	findstr.exe
PID 2032 wrote to memory of 1808	2032	cmd.exe	findstr.exe
PID 2032 wrote to memory of 1808	2032	cmd.exe	findstr.exe
PID 2032 wrote to memory of 1808	2032	cmd.exe	findstr.exe

C:\Users\Admin\AppData\Local\Temp\e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe
"C:\Users\Admin\AppData\Local\Temp\e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\7zSB3E5.tmp\downloader.exe
.\downloader.exe %%S
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\cmd.exe
/k systeminfo | findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
3⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\findstr.exe
findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
4⤵
PID:1808

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSB3E5.tmp\downloader.exe
Filesize
44KB

MD5
e4a71382cdc6b91ba0e62fc6d442b7b7

SHA1
702815153f22f61ed2a4035cd959a602d395f04d

SHA256
0a29f047924a301df22759a1d71f6b863994a67c982cf5523c95547f66ae8bcd

SHA512
feef6d6346110272f8786822611acfb717e8d7ba4240ed7e0b6a6eea2f64c0e4690d2f18a0ddbbfcf672066bd8e9104b0765a0f1e41d91b3ba1a826d9e2e3611

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB3E5.tmp\downloader.exe
Filesize
60KB

MD5
6779ded002d2eded26f730325db32106

SHA1
070548cfa3b0b77d9cc6c6db12870f86d0ad3de0

SHA256
8f9b4bbe4bc16345435df272b69e1debe12a47611d845492b05ba31f412401b5

SHA512
41ee5ac5f27692acb96a3b17836a24016049ac089d32500483bfe348435d7a839fb3c27d4f9a1abd29073c5b53100b86634af251e235b7f33492b74c8a94f436

Download Submit
\Users\Admin\AppData\Local\Temp\7zSB3E5.tmp\downloader.exe
Filesize
71KB

MD5
b5b300b8e74732e5a12adcde960d06ad

SHA1
f90987a9e56ed8756a08fcae63e32e3bdac4386b

SHA256
a1703041cba69b61fad14a517e60572f52d33e7c21357a817154dfb07c082e9c

SHA512
b0e4c8f66282f6a07cb9deeb0a4a5cb24d9c1eb6c5eed12ceac8338fdba2342f9b8572a8b3caebddbcaa56ee5609c7aedbac66f3f4f11722301af8ce98213fd6

Download Submit
\Users\Admin\AppData\Local\Temp\7zSB3E5.tmp\downloader.exe
Filesize
73KB

MD5
e66b8bea3f965a3ca5a13f0bfd793e23

SHA1
06634b2ba347de9d81338a1d18e49997c4df26a4

SHA256
d3da2aafdd18f66e759b0b892d367a2eb25043e1aa13e144e02c7d9a5c4e51f2

SHA512
1ba9fb04dcd6863ec0bfdf20e007084b41ce44acdc533737b6423bc18b22b513104067b7bd1ab20dfeb9093bea2f6b13952f69272e32d0a118931b36344fa2aa

Download Submit
\Users\Admin\AppData\Local\Temp\7zSB3E5.tmp\downloader.exe
Filesize
57KB

MD5
e639236d8784dd65fd4d4af02a529638

SHA1
c6778408231f455af2dbdb0b9e61e319dccc3eaa

SHA256
9c631da047369ff9afdda337ced8274fc816e04f791dd59f98fc28f5f88661b9

SHA512
58ec109b0513ce2ab91031457d3d6d20db4af0e0ef6879bddc19db6622887f92ac02a8da2bde9d25dc7235ef307c60ea1fec58ed862832017a634a35bda4f9fa

Download Submit
memory/828-56-0x0000000000000000-mapping.dmp

Download
memory/1704-54-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/1808-65-0x0000000000000000-mapping.dmp

Download
memory/2028-64-0x0000000000000000-mapping.dmp

Download
memory/2032-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing