f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180

General

Target

f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe
Size

469KB
MD5

367e055710aafdb153b0487b26fb0ef0
SHA1

c4ef0c0c9bf647893bf24d4ebcc0ce778e0afc94
SHA256

f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180
SHA512

2a7bce666dac94b7f8f0590870ad1fe952a0e71078fd6de4517fb17af991016a318cf3a00b8209676bdcbfc23af0c9c32c031358fde2ac1beafbe315d4776f8b
SSDEEP

12288:95k+q39RdHC+b/X3jAg82O9J9TxbWCFeMeYwqFI7W:9CltDHPj7c7NbWrMeYwqcW

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

GHFHGJHNSSJDW.exe

pid process

960 GHFHGJHNSSJDW.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

624 cmd.exe

pid	process
960	GHFHGJHNSSJDW.exe

pid	process
624	cmd.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exeGHFHGJHNSSJDW.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe
File opened for modification	\??\PhysicalDrive0	GHFHGJHNSSJDW.exe

Drops file in Windows directory 3 IoCs

Processes:

f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe

description	ioc	process
File opened for modification	C:\Windows\GHFHGJHNSSJDW.exe	f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe
File created	C:\Windows\HKFX2008.BAT	f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe
File created	C:\Windows\GHFHGJHNSSJDW.exe	f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exeGHFHGJHNSSJDW.exe

description	pid	process
Token: SeDebugPrivilege	2012	f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe
Token: SeDebugPrivilege	960	GHFHGJHNSSJDW.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

GHFHGJHNSSJDW.exe

pid process

960 GHFHGJHNSSJDW.exe

pid	process
960	GHFHGJHNSSJDW.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

GHFHGJHNSSJDW.exef73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe

description	pid	process	target process
PID 960 wrote to memory of 1704	960	GHFHGJHNSSJDW.exe	IEXPLORE.EXE
PID 960 wrote to memory of 1704	960	GHFHGJHNSSJDW.exe	IEXPLORE.EXE
PID 960 wrote to memory of 1704	960	GHFHGJHNSSJDW.exe	IEXPLORE.EXE
PID 960 wrote to memory of 1704	960	GHFHGJHNSSJDW.exe	IEXPLORE.EXE
PID 2012 wrote to memory of 624	2012	f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe	cmd.exe
PID 2012 wrote to memory of 624	2012	f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe	cmd.exe
PID 2012 wrote to memory of 624	2012	f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe	cmd.exe
PID 2012 wrote to memory of 624	2012	f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe
"C:\Users\Admin\AppData\Local\Temp\f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\HKFX2008.BAT
2⤵
- Deletes itself
PID:624

C:\Windows\GHFHGJHNSSJDW.exe
C:\Windows\GHFHGJHNSSJDW.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:960

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
2⤵
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GHFHGJHNSSJDW.exe
Filesize
469KB

MD5
367e055710aafdb153b0487b26fb0ef0

SHA1
c4ef0c0c9bf647893bf24d4ebcc0ce778e0afc94

SHA256
f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180

SHA512
2a7bce666dac94b7f8f0590870ad1fe952a0e71078fd6de4517fb17af991016a318cf3a00b8209676bdcbfc23af0c9c32c031358fde2ac1beafbe315d4776f8b

Download Submit
C:\Windows\GHFHGJHNSSJDW.exe
Filesize
469KB

MD5
367e055710aafdb153b0487b26fb0ef0

SHA1
c4ef0c0c9bf647893bf24d4ebcc0ce778e0afc94

SHA256
f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180

SHA512
2a7bce666dac94b7f8f0590870ad1fe952a0e71078fd6de4517fb17af991016a318cf3a00b8209676bdcbfc23af0c9c32c031358fde2ac1beafbe315d4776f8b

Download Submit
C:\Windows\HKFX2008.BAT
Filesize
254B

MD5
865d230ef518f60b9b97d9e363067bb7

SHA1
6943a8d22a7cb62201af82c968061c01478a065d

SHA256
ea412ca90fbfdb0ea2dab8b9450a1e88bb7f752038662df3320cad7c68f96f71

SHA512
2cab143f9537d049c1edcc143f71ff93f6cbab807cc26d005838b88914f8c01afe16bf7b2ca2393cb1a8672ee8c59e3078ba475c410f9524800409addcf1c779

Download Submit
memory/624-60-0x0000000000000000-mapping.dmp

Download
memory/960-63-0x0000000001CB0000-0x0000000001CEA000-memory.dmp

Filesize
232KB

Download
memory/960-62-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/960-64-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2012-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/2012-55-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2012-56-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads