e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f

General

Target

e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Size

2.2MB
MD5

01d01d6273f61ea49fa0fa9ef8984564
SHA1

34befd8bd72b58da9fb5318c4ea4bc4f7e4dddec
SHA256

e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f
SHA512

1946bdcab2a1fb2fc1006029e06296f53a49bceaa32b55a837a3473a57230c5ecf674b2229935a157aef370541568c574fa4211d471f3de4e5aadba02fab8cdb

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe

description ioc process

File opened for modification \??\PhysicalDrive0 e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "1"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "1"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "1"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "0"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "1"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "11000"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "1"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "0"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "0"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "1"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "0"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "0"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "0"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "1"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe = "0"	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe

pid	process
904	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
904	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
904	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
904	e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe

C:\Users\Admin\AppData\Local\Temp\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe
"C:\Users\Admin\AppData\Local\Temp\e1349328fba0e2f1facd3172110f5f239df71af1fe5dd400c8f12b6782144d5f.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-54-0x00000000751C1000-0x00000000751C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing