c14ee4f1e06946f64232129871aaa5dcdcf7128a2eb4672c9b30b96a8726b431

General

Target

c14ee4f1e06946f64232129871aaa5dcdcf7128a2eb4672c9b30b96a8726b431.exe
Size

1.3MB
MD5

d41f529fba6738e153cfe3e127aeb235
SHA1

4e86b14c66f8ddc363ad437e1bfa3e5c2bde9a10
SHA256

c14ee4f1e06946f64232129871aaa5dcdcf7128a2eb4672c9b30b96a8726b431
SHA512

318ce2c3fb880348a2ddefa07d7c7b628609ef6342da66d0456bea392865c9d2318060a96218b32380708a2260882b2922875b00e4927c45735ad6feaf9d856b

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

downloader.exe

pid process

636 downloader.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

downloader.exe

description ioc process

File opened for modification \??\PhysicalDrive0 downloader.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2584 systeminfo.exe

pid	process
636	downloader.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	downloader.exe

pid	process
2584	systeminfo.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c14ee4f1e06946f64232129871aaa5dcdcf7128a2eb4672c9b30b96a8726b431.exedownloader.execmd.exe

description	pid	process	target process
PID 1448 wrote to memory of 636	1448	c14ee4f1e06946f64232129871aaa5dcdcf7128a2eb4672c9b30b96a8726b431.exe	downloader.exe
PID 1448 wrote to memory of 636	1448	c14ee4f1e06946f64232129871aaa5dcdcf7128a2eb4672c9b30b96a8726b431.exe	downloader.exe
PID 1448 wrote to memory of 636	1448	c14ee4f1e06946f64232129871aaa5dcdcf7128a2eb4672c9b30b96a8726b431.exe	downloader.exe
PID 636 wrote to memory of 4724	636	downloader.exe	cmd.exe
PID 636 wrote to memory of 4724	636	downloader.exe	cmd.exe
PID 636 wrote to memory of 4724	636	downloader.exe	cmd.exe
PID 4724 wrote to memory of 2584	4724	cmd.exe	systeminfo.exe
PID 4724 wrote to memory of 2584	4724	cmd.exe	systeminfo.exe
PID 4724 wrote to memory of 2584	4724	cmd.exe	systeminfo.exe
PID 4724 wrote to memory of 4868	4724	cmd.exe	findstr.exe
PID 4724 wrote to memory of 4868	4724	cmd.exe	findstr.exe
PID 4724 wrote to memory of 4868	4724	cmd.exe	findstr.exe

C:\Users\Admin\AppData\Local\Temp\c14ee4f1e06946f64232129871aaa5dcdcf7128a2eb4672c9b30b96a8726b431.exe
"C:\Users\Admin\AppData\Local\Temp\c14ee4f1e06946f64232129871aaa5dcdcf7128a2eb4672c9b30b96a8726b431.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\7zSB914.tmp\downloader.exe
.\downloader.exe %%S
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\cmd.exe
/k systeminfo | findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
3⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2584

C:\Windows\SysWOW64\findstr.exe
findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
4⤵
PID:4868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSB914.tmp\downloader.exe
Filesize
3.1MB

MD5
ad9566beec8757fe727f268e7bd2d43d

SHA1
9fc0c813965244403b93c657f43010ffc32b16bf

SHA256
984024c2b82a9857f5450fc72615c7ba93b5a3f8fb7ce2de7e8c387ff78320dd

SHA512
45288faef559466f1def1b69a760664ab47acd45e2b347927a23842f69361a403799d344c3ca78c934792d11b580e527a6958546933713bf28bb77a5932481ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB914.tmp\downloader.exe
Filesize
3.1MB

MD5
ad9566beec8757fe727f268e7bd2d43d

SHA1
9fc0c813965244403b93c657f43010ffc32b16bf

SHA256
984024c2b82a9857f5450fc72615c7ba93b5a3f8fb7ce2de7e8c387ff78320dd

SHA512
45288faef559466f1def1b69a760664ab47acd45e2b347927a23842f69361a403799d344c3ca78c934792d11b580e527a6958546933713bf28bb77a5932481ef

Download Submit
memory/636-130-0x0000000000000000-mapping.dmp

Download
memory/2584-134-0x0000000000000000-mapping.dmp

Download
memory/4724-133-0x0000000000000000-mapping.dmp

Download
memory/4868-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing