f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd

General

Target

f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe
Size

544KB
MD5

48a90346ad68974abb515a7b47e2a7c8
SHA1

190b1d7dae92d3755a78d88c7bc6f9fd4d0cf155
SHA256

f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd
SHA512

215fae304b840771582fec90ddc27a7b519d6c8b94c3f48a53ea997d2ea8871c2d6ab588117f49b64210f3d42a4498c7dde875ead19effc5d07e0f5e6dd463cd
SSDEEP

12288:HJUzLBeJqq8N1BB+pCqbX3xDUsVlUMMEVCoWzG:HG3BePm1BB+pZnKsVlUMMovT

Score

7^/10

bootkit persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1952 cmd.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe

description ioc process

File opened for modification \??\PhysicalDrive0 f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe

pid	process
1952	cmd.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe

Drops file in Program Files directory 2 IoCs

Processes:

f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe Media Player\assets\iebbbce.jse	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe
File created	C:\Program Files (x86)\DriveTheLife\Drivers\mifffgi.jse	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 41 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\IsShortcut	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\ContextMenuHandlers\	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\IconHandler	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\NeverShowExt	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\NeverShowExt	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\ContextMenuHandlers\	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\command	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\command\ = "WScript.exe /B \"C:\\Program Files (x86)Intel\\Logs\\gczzzac.jse\" \"%1\""	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\IconHandler	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\IsShortcut	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.solll	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\ = "????"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\command	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\ContextMenuHandlers	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.solll\ = "uqnnnoq"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\ = "open"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\ContextMenuHandlers	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.solll\ = "uqnnnoq"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.solll	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\ = "????"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\CLSID	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\ = "open"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\command\ = "WScript.exe /B \"C:\\Program Files (x86)Intel\\Logs\\gczzzac.jse\" \"%1\""	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\CLSID	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell	wscript.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe

pid	process
840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe
840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe

description	pid	process	target process
PID 840 wrote to memory of 332	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	wscript.exe
PID 840 wrote to memory of 332	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	wscript.exe
PID 840 wrote to memory of 332	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	wscript.exe
PID 840 wrote to memory of 332	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	wscript.exe
PID 840 wrote to memory of 1036	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	cmd.exe
PID 840 wrote to memory of 1036	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	cmd.exe
PID 840 wrote to memory of 1036	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	cmd.exe
PID 840 wrote to memory of 1036	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	cmd.exe
PID 840 wrote to memory of 1028	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	wscript.exe
PID 840 wrote to memory of 1028	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	wscript.exe
PID 840 wrote to memory of 1028	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	wscript.exe
PID 840 wrote to memory of 1028	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	wscript.exe
PID 840 wrote to memory of 1952	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	cmd.exe
PID 840 wrote to memory of 1952	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	cmd.exe
PID 840 wrote to memory of 1952	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	cmd.exe
PID 840 wrote to memory of 1952	840	f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe
"C:\Users\Admin\AppData\Local\Temp\f6d01fcdf05b6a291cf46efc347b483c07c337d20d9fffff79f8ccd28d8cfacd.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\wscript.exe
wscript.exe /B "C:\Program Files (x86)\DriveTheLife\Drivers\mifffgi.jse"
2⤵
- Modifies registry class
PID:332

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$dss.bat
2⤵
PID:1036

C:\Windows\SysWOW64\wscript.exe
wscript.exe /B "C:\Program Files (x86)Intel\Logs\gczzzac.jse" FirstSetup
2⤵
- Modifies registry class
PID:1028

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
2⤵
- Deletes itself
PID:1952

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)Intel\Logs\gczzzac.jse
Filesize
28KB

MD5
0e333bab9dc604f29cd1da6c34bacefa

SHA1
c78094283924e6dd7be6c0304eb74d2bfbd92e01

SHA256
b97bfd684f0fc41fa7f8bdddaa58497f93a1ac60327dc0b18e2c0353146047fe

SHA512
d18022aa87aaa7ad8669d102da828e9e92a3ff3a9a4825799234eb5cdaf13c7dab7863de484a39d21bc10c8b3d9b6b3c94f50472f3823cd79ec423aa029c453f

Download Submit
C:\Program Files (x86)\DriveTheLife\Drivers\mifffgi.jse
Filesize
1KB

MD5
1e4063e05d1eb1ecc08cf945df34d5ce

SHA1
6a78abb59b1b19d0493d8f2487b96688da78cdcf

SHA256
f9a887ddac026115c0dfe4fad564b7caac17c2c7d9237e3bb886cfebccdfd1c8

SHA512
b0f1bf871c692bc73985bf9c6d597b2eac2e7160252f7247b42d2f45544089db0d55df21d41d61eb10f14517a88c6dc59cd9a5fa51d13cc2b01de4da06485e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
Filesize
309B

MD5
357d2484d4ca42007882e82728332b99

SHA1
8169bcba3f0319642525ee450c458843801d1b62

SHA256
9dfd8f1661ffd1f82a00f1127ad298aa4ef00760c4c4834d3905c140291af187

SHA512
51e856bfa8da47176b0ea5be6e56a9a59abbd8a9574ce46622ef03879402762a3314ce6ba5427a76304d3cea508383a21c0aae67b3297fda56e8ff1e6b068667

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dss.bat
Filesize
246B

MD5
b211c858d10413d5a58614b36a4c2c86

SHA1
5c374bd632cc5199c6e73bee53567a6e4f0787e1

SHA256
1ffc57fda104ab8bd80a025624bd558d1b69332f55cb20844c5122c7af0e3654

SHA512
a65ff4d4658fb409f2470cbeef5e128bf6ef439bef9c6dc3046afa19ff731ae349571f0dcf50dc20932f3508e43049a3a9455a9a4d6861b3a7fb1f312a5d3f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaoBao.tmp
Filesize
143B

MD5
fdbe75eee63e579fc4d54d5e96ffdc05

SHA1
6e4e0665f4ef8f058f815d9457f55d1fd1b1681e

SHA256
4434bbb1a63da852a06a95cae272a9387e045f2327f1aa71b10e8e524761ff44

SHA512
2a478daeded3250d3dfa1ac0d8d3f6fe763bccd29d8b116e4b7db5e28f6c2ba6cf5d19e44db1e1c4a4f10df5aab87c1196c8140b5bcc34a997853f6b971a2f8b

Download Submit
memory/332-56-0x0000000000000000-mapping.dmp

Download
memory/840-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/840-55-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/840-66-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1028-61-0x0000000000000000-mapping.dmp

Download
memory/1036-58-0x0000000000000000-mapping.dmp

Download
memory/1952-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads