34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7

Reason

Machine shutdown

General

Target

34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe
Size

61KB
MD5

806a39814a00be8d47d945c10884df0c
SHA1

1573da7e9e237afc2b5f67b5e4cc8b6796dd4fd7
SHA256

34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7
SHA512

9329d38299f30ab3afc7295f9e95bb9f85d3a6122c3d8c4619cd3f3f64094a2615118a95b6907deeeecaf87c250230b0766e3396474c093a4137c151e7ac87dc
SSDEEP

768:XJrkANtWy6T13GXcda9ZQLkr8fRjj42c6TmYAFaK6x7Ix2uAfLiox613KXJT1Bmj:Fj0ZWOsskrH2GFaK6BiAfLiwXJfF8Ey

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1616	x2z8.exe
1344	x2z8.exe

Deletes itself 1 IoCs

pid	Process
1344	x2z8.exe

Loads dropped DLL 3 IoCs

pid	Process
916	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe
916	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe
1616	x2z8.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe
File opened for modification	\??\PHYSICALDRIVE0	x2z8.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 992 set thread context of 916	992	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	27
PID 1616 set thread context of 1344	1616	x2z8.exe	29

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1344	x2z8.exe
Token: 33	1492	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1492	AUDIODG.EXE
Token: 33	1492	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1492	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
992	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe
1616	x2z8.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 916	992	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	27
PID 992 wrote to memory of 916	992	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	27
PID 992 wrote to memory of 916	992	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	27
PID 992 wrote to memory of 916	992	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	27
PID 992 wrote to memory of 916	992	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	27
PID 992 wrote to memory of 916	992	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	27
PID 992 wrote to memory of 916	992	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	27
PID 992 wrote to memory of 916	992	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	27
PID 916 wrote to memory of 1616	916	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	28
PID 916 wrote to memory of 1616	916	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	28
PID 916 wrote to memory of 1616	916	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	28
PID 916 wrote to memory of 1616	916	34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe	28
PID 1616 wrote to memory of 1344	1616	x2z8.exe	29
PID 1616 wrote to memory of 1344	1616	x2z8.exe	29
PID 1616 wrote to memory of 1344	1616	x2z8.exe	29
PID 1616 wrote to memory of 1344	1616	x2z8.exe	29
PID 1616 wrote to memory of 1344	1616	x2z8.exe	29
PID 1616 wrote to memory of 1344	1616	x2z8.exe	29
PID 1616 wrote to memory of 1344	1616	x2z8.exe	29
PID 1616 wrote to memory of 1344	1616	x2z8.exe	29

C:\Users\Admin\AppData\Local\Temp\34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe
"C:\Users\Admin\AppData\Local\Temp\34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992
- C:\Users\Admin\AppData\Local\Temp\34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7.exe
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
    C:\Users\Admin\AppData\Local\Temp\\x2z8.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
      4⤵
      Executes dropped EXE
      Deletes itself
      Writes to the Master Boot Record (MBR)
      Suspicious use of AdjustPrivilegeToken
      PID:1344

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fpath.txt

Filesize
102B

MD5
a4395beb57a41073c8f6e3c4876e41f8

SHA1
1661f22d2c967402c9fb7fc4c318a6ea164452d7

SHA256
dcd004e5e59e94e9e34a7814c9eda856f971faad2d30da1d1f9af1afc23ff193

SHA512
a89c71b1db57e72189e6e021c22620e9af8bcb83a18cf4e378cafedd4807933a49d05cf0e8c797d5ff3a6a868e79cb9f203ca77b412b55b0466ceccf6f30ec90

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
61KB

MD5
806a39814a00be8d47d945c10884df0c

SHA1
1573da7e9e237afc2b5f67b5e4cc8b6796dd4fd7

SHA256
34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7

SHA512
9329d38299f30ab3afc7295f9e95bb9f85d3a6122c3d8c4619cd3f3f64094a2615118a95b6907deeeecaf87c250230b0766e3396474c093a4137c151e7ac87dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
61KB

MD5
806a39814a00be8d47d945c10884df0c

SHA1
1573da7e9e237afc2b5f67b5e4cc8b6796dd4fd7

SHA256
34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7

SHA512
9329d38299f30ab3afc7295f9e95bb9f85d3a6122c3d8c4619cd3f3f64094a2615118a95b6907deeeecaf87c250230b0766e3396474c093a4137c151e7ac87dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
61KB

MD5
806a39814a00be8d47d945c10884df0c

SHA1
1573da7e9e237afc2b5f67b5e4cc8b6796dd4fd7

SHA256
34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7

SHA512
9329d38299f30ab3afc7295f9e95bb9f85d3a6122c3d8c4619cd3f3f64094a2615118a95b6907deeeecaf87c250230b0766e3396474c093a4137c151e7ac87dc

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
61KB

MD5
806a39814a00be8d47d945c10884df0c

SHA1
1573da7e9e237afc2b5f67b5e4cc8b6796dd4fd7

SHA256
34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7

SHA512
9329d38299f30ab3afc7295f9e95bb9f85d3a6122c3d8c4619cd3f3f64094a2615118a95b6907deeeecaf87c250230b0766e3396474c093a4137c151e7ac87dc

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
61KB

MD5
806a39814a00be8d47d945c10884df0c

SHA1
1573da7e9e237afc2b5f67b5e4cc8b6796dd4fd7

SHA256
34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7

SHA512
9329d38299f30ab3afc7295f9e95bb9f85d3a6122c3d8c4619cd3f3f64094a2615118a95b6907deeeecaf87c250230b0766e3396474c093a4137c151e7ac87dc

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
61KB

MD5
806a39814a00be8d47d945c10884df0c

SHA1
1573da7e9e237afc2b5f67b5e4cc8b6796dd4fd7

SHA256
34f45c8c60ab47b517940fe95d7f6ac2c5a668db841b426cec8d8c64d8d5fdb7

SHA512
9329d38299f30ab3afc7295f9e95bb9f85d3a6122c3d8c4619cd3f3f64094a2615118a95b6907deeeecaf87c250230b0766e3396474c093a4137c151e7ac87dc

Download Submit
memory/636-85-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp

Filesize
8KB

Download
memory/916-68-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/916-64-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/916-63-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/916-56-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/916-60-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/916-58-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/916-57-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/1344-86-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

Errors