d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98

General

Target

d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe
Size

16KB
MD5

d51ebbfd2b0b1d0fa237212c183770c4
SHA1

b063f620d68f26f8411045024f631c7a20bb9bc9
SHA256

d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98
SHA512

6cd1ff448bcc1f7367b7ed156b368d68abba5a5d91b043bcb5151f61ca14327dcf83a4af614188de2adbf442f24ef8526f161f373cf78685c994e655a5d0a01b
SSDEEP

384:3at4aSo1+esbKvlJCHJkXnY0bGgFIUXfUGzh6js7lNTn6MIy2:6So1Q4wk3Y0I+gsDn6MI9

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B74B7929-37F6-11ED-A0EE-7A46CE8ECE48} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\NoActivateHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\topic\ = "AppProperties"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\BrowserFlags = "16"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\ifexec	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\ifexec\ = "[]"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\application	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\topic	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ExplorerFlags = "18"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\command\ = "%SystemRoot%\\Explorer.exe /idlist,%I,%L"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\ = "[ViewFolder(\"%l\", %I, %S)]"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\application\ = "Folders"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2716	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3932	d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe
3932	d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
308	iexplore.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3932	d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe
308	iexplore.exe
308	iexplore.exe
3132	IEXPLORE.EXE
3132	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 4992	3932	d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe	85
PID 3932 wrote to memory of 4992	3932	d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe	85
PID 3932 wrote to memory of 4992	3932	d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe	85
PID 3932 wrote to memory of 308	3932	d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe	87
PID 3932 wrote to memory of 308	3932	d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe	87
PID 4992 wrote to memory of 2716	4992	cmd.exe	88
PID 4992 wrote to memory of 2716	4992	cmd.exe	88
PID 4992 wrote to memory of 2716	4992	cmd.exe	88
PID 308 wrote to memory of 3132	308	iexplore.exe	89
PID 308 wrote to memory of 3132	308	iexplore.exe	89
PID 308 wrote to memory of 3132	308	iexplore.exe	89

C:\Users\Admin\AppData\Local\Temp\d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe
"C:\Users\Admin\AppData\Local\Temp\d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:2716
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://union.wanwan.cc/Stat.ashx?Mac=0046CE8ECE48&Hard=QM00013&ClientType=Home&Process=86&UserID=0030&Authen=803-465
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:308 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\getback.reg

Filesize
1KB

MD5
626e2d76f5c328d57a3eff6a7f94d129

SHA1
210fd33fa005775b30a8fd40a065a2e788934216

SHA256
5d9ae4b62924d6da9c35305bfd0d61c893767b7113f8b2f239da02057f8bee6e

SHA512
629290bd5791a42327b3b70a68609c6b0b9114365be8579553e01e6cbc98996c0fab475b88c0dd80d34dcc325453401c6cce26fb70ed67a9cb08271a07fd85a1

Download Submit
memory/3932-132-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3932-138-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing