9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9

General

Target

9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Size

2.2MB
MD5

5ab794eb8bc239653d2bbcec8476f311
SHA1

b0539ae623e9918fd3087615deaca305886cbeba
SHA256

9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9
SHA512

c238bb0697aec42199040d97d8b588e27f5dfa3c61196fb10415ea61e5be9b55ad49e960db29d697bc6166750345aa2d27e4021dd6770aae48a5f64862b6dc2d

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe

description ioc process

File opened for modification \??\PhysicalDrive0 9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "1"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "11000"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "1"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "0"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "1"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "1"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "0"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "1"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "1"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "0"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "1"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "0"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "0"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "0"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe = "0"	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe

pid	process
1736	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
1736	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
1736	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
1736	9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe

C:\Users\Admin\AppData\Local\Temp\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe
"C:\Users\Admin\AppData\Local\Temp\9bf0c7e45a534b3eea3c5242f5068b3ebbeaf0351b21a8f0e0e8d3eec75960a9.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1736-54-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing