0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f

Reason

Machine shutdown

General

Target

0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe
Size

46KB
MD5

2dd14afcc7e1566980af3e1485109f9c
SHA1

77fb3de68b63bd8e0a05277dc6b858fa7384a860
SHA256

0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f
SHA512

fe9497d2fae6e8ff677c90d37d00237590f6b48b893dfbec6d7b5dcd473202133836fbcf7f669f4e4442eead15cac557316b4f47e497cc9aa49751927cffc5b0
SSDEEP

768:0C38y4disgWSU1YlmDPoYSbRR9P+srOTrG:0CR4ggSU1Y4PoB+sC

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1328	x2z8.exe
1316	x2z8.exe

Deletes itself 1 IoCs

pid	Process
1316	x2z8.exe

Loads dropped DLL 3 IoCs

pid	Process
1648	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe
1648	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe
1328	x2z8.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe
File opened for modification	\??\PHYSICALDRIVE0	x2z8.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 1648	1752	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	28
PID 1328 set thread context of 1316	1328	x2z8.exe	30

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1316	x2z8.exe
Token: 33	1464	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1464	AUDIODG.EXE
Token: 33	1464	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1464	AUDIODG.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1648	1752	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	28
PID 1752 wrote to memory of 1648	1752	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	28
PID 1752 wrote to memory of 1648	1752	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	28
PID 1752 wrote to memory of 1648	1752	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	28
PID 1752 wrote to memory of 1648	1752	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	28
PID 1752 wrote to memory of 1648	1752	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	28
PID 1648 wrote to memory of 1328	1648	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	29
PID 1648 wrote to memory of 1328	1648	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	29
PID 1648 wrote to memory of 1328	1648	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	29
PID 1648 wrote to memory of 1328	1648	0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe	29
PID 1328 wrote to memory of 1316	1328	x2z8.exe	30
PID 1328 wrote to memory of 1316	1328	x2z8.exe	30
PID 1328 wrote to memory of 1316	1328	x2z8.exe	30
PID 1328 wrote to memory of 1316	1328	x2z8.exe	30
PID 1328 wrote to memory of 1316	1328	x2z8.exe	30
PID 1328 wrote to memory of 1316	1328	x2z8.exe	30

C:\Users\Admin\AppData\Local\Temp\0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe
"C:\Users\Admin\AppData\Local\Temp\0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe
  "C:\Users\Admin\AppData\Local\Temp\0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
    C:\Users\Admin\AppData\Local\Temp\\x2z8.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
      "C:\Users\Admin\AppData\Local\Temp\x2z8.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Writes to the Master Boot Record (MBR)
      Suspicious use of AdjustPrivilegeToken
      PID:1316

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fpath.txt

Filesize
102B

MD5
89f26c68f71323d51c7c61fad807955f

SHA1
93b4d24ee03d702cabc3bfe02e24dadc0a7b689f

SHA256
87d0767ec44e138da222453596dbb86f62dd1c23685ec17cf9d66e0af56640d4

SHA512
6a800f63b020424230e82359c8a9fa959b3ad2db73c4c7bccb4c5e3bf4fea4f5ab9ead55b5b9a9ef3c07ea1be127ec5aefd9d11229de5ceb1b9e84c66f313ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
46KB

MD5
2dd14afcc7e1566980af3e1485109f9c

SHA1
77fb3de68b63bd8e0a05277dc6b858fa7384a860

SHA256
0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f

SHA512
fe9497d2fae6e8ff677c90d37d00237590f6b48b893dfbec6d7b5dcd473202133836fbcf7f669f4e4442eead15cac557316b4f47e497cc9aa49751927cffc5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
46KB

MD5
2dd14afcc7e1566980af3e1485109f9c

SHA1
77fb3de68b63bd8e0a05277dc6b858fa7384a860

SHA256
0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f

SHA512
fe9497d2fae6e8ff677c90d37d00237590f6b48b893dfbec6d7b5dcd473202133836fbcf7f669f4e4442eead15cac557316b4f47e497cc9aa49751927cffc5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
46KB

MD5
2dd14afcc7e1566980af3e1485109f9c

SHA1
77fb3de68b63bd8e0a05277dc6b858fa7384a860

SHA256
0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f

SHA512
fe9497d2fae6e8ff677c90d37d00237590f6b48b893dfbec6d7b5dcd473202133836fbcf7f669f4e4442eead15cac557316b4f47e497cc9aa49751927cffc5b0

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
46KB

MD5
2dd14afcc7e1566980af3e1485109f9c

SHA1
77fb3de68b63bd8e0a05277dc6b858fa7384a860

SHA256
0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f

SHA512
fe9497d2fae6e8ff677c90d37d00237590f6b48b893dfbec6d7b5dcd473202133836fbcf7f669f4e4442eead15cac557316b4f47e497cc9aa49751927cffc5b0

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
46KB

MD5
2dd14afcc7e1566980af3e1485109f9c

SHA1
77fb3de68b63bd8e0a05277dc6b858fa7384a860

SHA256
0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f

SHA512
fe9497d2fae6e8ff677c90d37d00237590f6b48b893dfbec6d7b5dcd473202133836fbcf7f669f4e4442eead15cac557316b4f47e497cc9aa49751927cffc5b0

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
46KB

MD5
2dd14afcc7e1566980af3e1485109f9c

SHA1
77fb3de68b63bd8e0a05277dc6b858fa7384a860

SHA256
0a9361657db620a5517ff3d39cb49744ce422819f191a637311f2b79fea5802f

SHA512
fe9497d2fae6e8ff677c90d37d00237590f6b48b893dfbec6d7b5dcd473202133836fbcf7f669f4e4442eead15cac557316b4f47e497cc9aa49751927cffc5b0

Download Submit
memory/1316-78-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/1648-59-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1648-65-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/1648-54-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/1648-60-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/1648-56-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/1772-77-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors