98ba7942b008954282475a4f1d2d7d55b88851dcd3a62f59761c0275c23b25c2

General

Target

98ba7942b008954282475a4f1d2d7d55b88851dcd3a62f59761c0275c23b25c2.exe
Size

259KB
MD5

8eb97b78cadd1ef96f31428f5a356a7a
SHA1

5aa6e9966322998843a3e675273c54d9c001cb75
SHA256

98ba7942b008954282475a4f1d2d7d55b88851dcd3a62f59761c0275c23b25c2
SHA512

face228ed19f11d7a0eff721b4118668da54d8b3bfe39ce55b49864cdbd6365954349b2471fdf477c6dbd92cb606a19ff1b779cb91e186dc14be4844d417479e
SSDEEP

6144:160Erpa3KDcoqrAQVSMjrkLT10oO1JxrsyY5kDg:16DrpWAcoqrASkl0osjr9YCc

Score

8^/10

bootkit persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Provisioninger\Parameters\ServiceDLL = "C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\it1tWt1R.dll"	98ba7942b008954282475a4f1d2d7d55b88851dcd3a62f59761c0275c23b25c2.exe

Deletes itself 1 IoCs

pid	Process
820	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
820	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1652	98ba7942b008954282475a4f1d2d7d55b88851dcd3a62f59761c0275c23b25c2.exe
820	svchost.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\o6DEzVEhMj.ini	98ba7942b008954282475a4f1d2d7d55b88851dcd3a62f59761c0275c23b25c2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it1tWt1R.dll	98ba7942b008954282475a4f1d2d7d55b88851dcd3a62f59761c0275c23b25c2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\o6DEzVEhMj.del	98ba7942b008954282475a4f1d2d7d55b88851dcd3a62f59761c0275c23b25c2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
820	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	98ba7942b008954282475a4f1d2d7d55b88851dcd3a62f59761c0275c23b25c2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
820	svchost.exe
820	svchost.exe

C:\Users\Admin\AppData\Local\Temp\98ba7942b008954282475a4f1d2d7d55b88851dcd3a62f59761c0275c23b25c2.exe
"C:\Users\Admin\AppData\Local\Temp\98ba7942b008954282475a4f1d2d7d55b88851dcd3a62f59761c0275c23b25c2.exe"
1⤵
- Sets DLL path for service in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\o6DEzVEhMj.del

Filesize
104B

MD5
12078fd4891effe184383a2a58b843fd

SHA1
84af13e68dafe2c96331ce015eea1e87fc641057

SHA256
23b6617a9542075da78409af307c9fcb9f29abd1ee6b93d84e6f3f6278b66d9b

SHA512
3372946eb527401a4ed4d36ae35c3d470ac04016a97007045904e12f07cc7b5375dddb74e0c162aa79898075c6ee4bc9e6dcf5623d1238118f25f34c7ee64849

Download Submit
\??\c:\program files\common files\microsoft shared\msinfo\it1twt1r.dll

Filesize
173KB

MD5
20a2804da96fced6b785ae509d2bd5d8

SHA1
1852744885cc5fec7cdc985cc092852792049b32

SHA256
c2f420504efd37a132543b32ef8ff5216371f65c890c82dd0222cf0aa8cc4439

SHA512
6d948c57bd3b3465ffa5073f4f1fbfd0e0c44b7fa060eb242b12d7c86c2e520490c5c3d249cfe60509955962bfc43530af56be3263f94110fd8787fed37872f6

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\it1tWt1R.dll

Filesize
173KB

MD5
20a2804da96fced6b785ae509d2bd5d8

SHA1
1852744885cc5fec7cdc985cc092852792049b32

SHA256
c2f420504efd37a132543b32ef8ff5216371f65c890c82dd0222cf0aa8cc4439

SHA512
6d948c57bd3b3465ffa5073f4f1fbfd0e0c44b7fa060eb242b12d7c86c2e520490c5c3d249cfe60509955962bfc43530af56be3263f94110fd8787fed37872f6

Download Submit
memory/820-58-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/820-59-0x0000000001BA1000-0x0000000001BBF000-memory.dmp

Filesize
120KB

Download
memory/820-61-0x0000000001BA0000-0x0000000001BFE000-memory.dmp

Filesize
376KB

Download
memory/820-64-0x0000000001BA0000-0x0000000001BFE000-memory.dmp

Filesize
376KB

Download
memory/1652-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1652-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1652-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1652-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing