1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862

Analysis

max time kernel
152s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-05-2022 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
Size

7.4MB
MD5

12b95b6050d0cacd4a28cd8adc49e832
SHA1

e2b9443ec49eb4907fe4fb7c3ed2da3c6d0ab810
SHA256

1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862
SHA512

f07eb61343a3afede343cc9f6583fcb7b6e77e7819a34af03a8a677aeb4f52285cda890cf80c9b442e811ddf696d6715b2eb1596cc162710eb884d873f2163af

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

ComInfo.dllShowDrive.dl_ShowEFI.dl_Getptw.dll

pid process

1808 ComInfo.dll
708 ShowDrive.dl_
2220 ShowEFI.dl_
4804 Getptw.dll

pid	process
1808	ComInfo.dll
708	ShowDrive.dl_
2220	ShowEFI.dl_
4804	Getptw.dll

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WININST~145\ComInfo.dll	upx
C:\Users\Admin\AppData\Roaming\WININST~145\ComInfo.dll	upx

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exeShowDrive.dl_

description	ioc	process
File opened (read-only)	\??\e:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\f:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\g:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\j:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\q:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\r:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\w:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\a:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\z:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\n:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\p:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\t:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\x:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\y:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\D:	ShowDrive.dl_
File opened (read-only)	\??\l:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\h:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\k:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\m:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\s:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\u:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\b:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\o:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\v:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
File opened (read-only)	\??\i:	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

ComInfo.dllShowEFI.dl_Getptw.dll

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ComInfo.dll
File opened for modification	\??\PhysicalDrive0	ShowEFI.dl_
File opened for modification	\??\PhysicalDrive0	Getptw.dll

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe

NTFS ADS 1 IoCs

Processes:

ComInfo.dll

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2 ComInfo.dll
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Getptw.dll

pid process

4804 Getptw.dll
4804 Getptw.dll
4804 Getptw.dll
4804 Getptw.dll
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe

pid process

1540 1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2	ComInfo.dll

pid	process
4804	Getptw.dll
4804	Getptw.dll
4804	Getptw.dll
4804	Getptw.dll

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exeComInfo.dll

pid	process
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1808	ComInfo.dll
1808	ComInfo.dll
1808	ComInfo.dll
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exeComInfo.dll

pid	process
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1808	ComInfo.dll
1808	ComInfo.dll
1808	ComInfo.dll
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1540 wrote to memory of 1808	1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe	ComInfo.dll
PID 1540 wrote to memory of 1808	1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe	ComInfo.dll
PID 1540 wrote to memory of 1808	1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe	ComInfo.dll
PID 1540 wrote to memory of 1776	1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe	cmd.exe
PID 1540 wrote to memory of 1776	1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe	cmd.exe
PID 1540 wrote to memory of 1776	1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe	cmd.exe
PID 1776 wrote to memory of 708	1776	cmd.exe	ShowDrive.dl_
PID 1776 wrote to memory of 708	1776	cmd.exe	ShowDrive.dl_
PID 1776 wrote to memory of 708	1776	cmd.exe	ShowDrive.dl_
PID 1540 wrote to memory of 4776	1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe	cmd.exe
PID 1540 wrote to memory of 4776	1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe	cmd.exe
PID 1540 wrote to memory of 4776	1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe	cmd.exe
PID 4776 wrote to memory of 2220	4776	cmd.exe	ShowEFI.dl_
PID 4776 wrote to memory of 2220	4776	cmd.exe	ShowEFI.dl_
PID 1540 wrote to memory of 2376	1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe	cmd.exe
PID 1540 wrote to memory of 2376	1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe	cmd.exe
PID 1540 wrote to memory of 2376	1540	1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe	cmd.exe
PID 2376 wrote to memory of 4804	2376	cmd.exe	Getptw.dll
PID 2376 wrote to memory of 4804	2376	cmd.exe	Getptw.dll
PID 2376 wrote to memory of 4804	2376	cmd.exe	Getptw.dll

C:\Users\Admin\AppData\Local\Temp\1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe
"C:\Users\Admin\AppData\Local\Temp\1c1e78e8633a5e4408bbd5d3c641ff2af2a457084e6a19e2c4fc5a196867e862.exe"
1⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Roaming\WININST~145\ComInfo.dll
C:\Users\Admin\AppData\Roaming\WININST~145\ComInfo.dll
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WININST~145\ShowDrive.dl_ *
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Roaming\WININST~145\ShowDrive.dl_
C:\Users\Admin\AppData\Roaming\WININST~145\ShowDrive.dl_ *
3⤵
- Executes dropped EXE
- Enumerates connected drives
PID:708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WININST~145\ShowEFI.dl_
2⤵
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Roaming\WININST~145\ShowEFI.dl_
C:\Users\Admin\AppData\Roaming\WININST~145\ShowEFI.dl_
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WININST~145\Getptw.dll -a/part
2⤵
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Roaming\WININST~145\Getptw.dll
C:\Users\Admin\AppData\Roaming\WININST~145\Getptw.dll -a/part
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:4804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WININST~145\ComInfo.dll
Filesize
491KB

MD5
21b0345bde3fd0a5ef01e493f83ae784

SHA1
c059a60f3a24f496fd36d6fb9742b28ccd7fb81d

SHA256
abc52fc80a21914f6cd1f0412bbdaf0e19789bd0e98e4086bdff2386f555f520

SHA512
4f29b14b09ff8f4969bb6554499bd6515c0829a360a8f6ab935435df2fca8a40325d1e340ebb16fb3aa23084e2e1c95ba8406dfd4b23cd5978026890eb805e4a

Download Submit
C:\Users\Admin\AppData\Roaming\WININST~145\ComInfo.dll
Filesize
491KB

MD5
21b0345bde3fd0a5ef01e493f83ae784

SHA1
c059a60f3a24f496fd36d6fb9742b28ccd7fb81d

SHA256
abc52fc80a21914f6cd1f0412bbdaf0e19789bd0e98e4086bdff2386f555f520

SHA512
4f29b14b09ff8f4969bb6554499bd6515c0829a360a8f6ab935435df2fca8a40325d1e340ebb16fb3aa23084e2e1c95ba8406dfd4b23cd5978026890eb805e4a

Download Submit
C:\Users\Admin\AppData\Roaming\WININST~145\Computer.dll
Filesize
65KB

MD5
d2deb68665c0a7226099b555aad6fada

SHA1
ec6cf6cf3a819e7b44ee9a89f4fc614468681a78

SHA256
36a9ce3cb5e9527e3c2fe89c617df008aeaef3745c7a4c3f0a6584b862c1bb10

SHA512
296a521a3d3252849e354c4a99984e5c902ca86fb767647311cd05d9868d7a291ae9e58e79c6ed8387531f8c44303352e0ffd8be18ae3d15560b83582ff07a96

Download Submit
C:\Users\Admin\AppData\Roaming\WININST~145\Getptw.dll
Filesize
21KB

MD5
94d297ccb80b1f7940ea98ffdfc25257

SHA1
9461b88f14384e5e5a0dd0147552e81bf5dbfa1e

SHA256
dd4694e89ae067e49e4f9581782a277eb0fab052aa1539717fecf8449a872f75

SHA512
303f81ffc71d5aa8a8ce733c9104d5e4172c098a78f78baac001a90161493f21c907bc49dc28a6424596862deec9311e12bdd3d92df8ba08c041786b262b4256

Download Submit
C:\Users\Admin\AppData\Roaming\WININST~145\Getptw.dll
Filesize
21KB

MD5
94d297ccb80b1f7940ea98ffdfc25257

SHA1
9461b88f14384e5e5a0dd0147552e81bf5dbfa1e

SHA256
dd4694e89ae067e49e4f9581782a277eb0fab052aa1539717fecf8449a872f75

SHA512
303f81ffc71d5aa8a8ce733c9104d5e4172c098a78f78baac001a90161493f21c907bc49dc28a6424596862deec9311e12bdd3d92df8ba08c041786b262b4256

Download Submit
C:\Users\Admin\AppData\Roaming\WININST~145\ShowDrive.dl_
Filesize
4KB

MD5
63f0697283a67db3f50b440f142044ed

SHA1
ea3ceae6750d9a481bf88012adfab874bcb67f80

SHA256
09c07db40dacd999e726786fc9a8f5e37688d94997f2692da63746f417851f0f

SHA512
967ca158809ecfc2baf99092f425876e137842b96446ca4b5b61fb75a244e479e739049895289de70b7656e5fafd1cb792ac1ce5d8eeb015e6ede7224898a028

Download Submit
C:\Users\Admin\AppData\Roaming\WININST~145\ShowDrive.dl_
Filesize
4KB

MD5
63f0697283a67db3f50b440f142044ed

SHA1
ea3ceae6750d9a481bf88012adfab874bcb67f80

SHA256
09c07db40dacd999e726786fc9a8f5e37688d94997f2692da63746f417851f0f

SHA512
967ca158809ecfc2baf99092f425876e137842b96446ca4b5b61fb75a244e479e739049895289de70b7656e5fafd1cb792ac1ce5d8eeb015e6ede7224898a028

Download Submit
C:\Users\Admin\AppData\Roaming\WININST~145\ShowEFI.dl_
Filesize
19KB

MD5
5aadc3b8ad1735a7a0e89c574e90c50f

SHA1
7370502043a42d434632f7221fbea2a7062f1f84

SHA256
cfe2144727f11e2cfb42e64be6773ad58cd6f6036c3027a2b9aad2c40946734f

SHA512
3e1c83824e2e58378e5e48399959f75addd251a83d6f01612f37c647cb940a6afbd7fed935f62ee9a02d2bddfb806f212c948f93b10463cb61795970b774be3e

Download Submit
C:\Users\Admin\AppData\Roaming\WININST~145\ShowEFI.dl_
Filesize
19KB

MD5
5aadc3b8ad1735a7a0e89c574e90c50f

SHA1
7370502043a42d434632f7221fbea2a7062f1f84

SHA256
cfe2144727f11e2cfb42e64be6773ad58cd6f6036c3027a2b9aad2c40946734f

SHA512
3e1c83824e2e58378e5e48399959f75addd251a83d6f01612f37c647cb940a6afbd7fed935f62ee9a02d2bddfb806f212c948f93b10463cb61795970b774be3e

Download Submit
memory/708-134-0x0000000000000000-mapping.dmp

Download
memory/1776-133-0x0000000000000000-mapping.dmp

Download
memory/1808-130-0x0000000000000000-mapping.dmp

Download
memory/2220-138-0x0000000000000000-mapping.dmp

Download
memory/2376-141-0x0000000000000000-mapping.dmp

Download
memory/4776-137-0x0000000000000000-mapping.dmp

Download
memory/4804-142-0x0000000000000000-mapping.dmp

Download