2f512d064c0ffa858d4c962f3a64864ce58fccc03168d5cb68f632d9a6024ebe

General

Target

2f512d064c0ffa858d4c962f3a64864ce58fccc03168d5cb68f632d9a6024ebe.exe
Size

856KB
MD5

807ee77c2370a0cf7670d5088c726fb0
SHA1

5d6cb95f43d4650bbc11b6770f6538f26899b648
SHA256

2f512d064c0ffa858d4c962f3a64864ce58fccc03168d5cb68f632d9a6024ebe
SHA512

6d7b0ab78b8123281f0267e90c6a51355970c0b4f6da90ee21fa10e55098fbba22d94e7ca216662a50007560588f1cc3991d71c47c9609272fa980780503ef03
SSDEEP

6144:nOu1qYWNJEI0l6wB5i5SKCWWEIqeaNIqPK8g/O6dczt16bVQRtVcp7:nOKl80l6wB5i5C2LKqC8gxij4EtVg7

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	msmsgs.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msmsgs.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\PCIDump.sys	msmsgs.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\PCIDump.sys	msmsgs.exe

Executes dropped EXE 1 IoCs

pid	Process
4264	msmsgs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	msmsgs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\debugger = "C:\\Config.Msi\\5ce97.rbf.exe"	msmsgs.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	msmsgs.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\HTML Help Workshop\RCX2A5C.tmp	2f512d064c0ffa858d4c962f3a64864ce58fccc03168d5cb68f632d9a6024ebe.exe
File opened for modification	C:\Program Files (x86)\HTML Help Workshop\RCX2A9B.tmp	2f512d064c0ffa858d4c962f3a64864ce58fccc03168d5cb68f632d9a6024ebe.exe
File opened for modification	C:\Program Files (x86)\HTML Help Workshop\RCX2AAC.tmp	2f512d064c0ffa858d4c962f3a64864ce58fccc03168d5cb68f632d9a6024ebe.exe
File created	C:\Program Files (x86)\HTML Help Workshop\msmsgs.exe	2f512d064c0ffa858d4c962f3a64864ce58fccc03168d5cb68f632d9a6024ebe.exe
File opened for modification	C:\Program Files (x86)\HTML Help Workshop\msmsgs.exe	2f512d064c0ffa858d4c962f3a64864ce58fccc03168d5cb68f632d9a6024ebe.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msmsgs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msmsgs.exe

Runs net.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 4264	4248	2f512d064c0ffa858d4c962f3a64864ce58fccc03168d5cb68f632d9a6024ebe.exe	81
PID 4248 wrote to memory of 4264	4248	2f512d064c0ffa858d4c962f3a64864ce58fccc03168d5cb68f632d9a6024ebe.exe	81
PID 4248 wrote to memory of 4264	4248	2f512d064c0ffa858d4c962f3a64864ce58fccc03168d5cb68f632d9a6024ebe.exe	81
PID 4264 wrote to memory of 4928	4264	msmsgs.exe	82
PID 4264 wrote to memory of 4928	4264	msmsgs.exe	82
PID 4264 wrote to memory of 4928	4264	msmsgs.exe	82
PID 4928 wrote to memory of 3624	4928	cmd.exe	84
PID 4928 wrote to memory of 3624	4928	cmd.exe	84
PID 4928 wrote to memory of 3624	4928	cmd.exe	84
PID 3624 wrote to memory of 4956	3624	net.exe	85
PID 3624 wrote to memory of 4956	3624	net.exe	85
PID 3624 wrote to memory of 4956	3624	net.exe	85

C:\Users\Admin\AppData\Local\Temp\2f512d064c0ffa858d4c962f3a64864ce58fccc03168d5cb68f632d9a6024ebe.exe
"C:\Users\Admin\AppData\Local\Temp\2f512d064c0ffa858d4c962f3a64864ce58fccc03168d5cb68f632d9a6024ebe.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Program Files (x86)\HTML Help Workshop\msmsgs.exe
  "C:\Program Files (x86)\HTML Help Workshop\msmsgs.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c net user guest /active
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\SysWOW64\net.exe
      net user guest /active
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3624
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user guest /active
        5⤵
        
        PID:4956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HTML Help Workshop\msmsgs.exe

Filesize
856KB

MD5
651141f4c0c140cdc0232b516ecb94bb

SHA1
4e7b3ac99131ad070fa34a5d033478b7a0e058ab

SHA256
f4256f084c0dc2d9e8c5c2e5aac2cd217f4ba203b17aa27062e1d338039e3dcf

SHA512
fc35e645e65606f3343cb4cf5cce4f08969dcfc4e5331f0f82e1c9dbc90032d8154d7a2cdc1eb75109b063c90823eb88b608f15c6885f2e1408cad3048f3e3d9

Download Submit
C:\Program Files (x86)\HTML Help Workshop\msmsgs.exe

Filesize
856KB

MD5
651141f4c0c140cdc0232b516ecb94bb

SHA1
4e7b3ac99131ad070fa34a5d033478b7a0e058ab

SHA256
f4256f084c0dc2d9e8c5c2e5aac2cd217f4ba203b17aa27062e1d338039e3dcf

SHA512
fc35e645e65606f3343cb4cf5cce4f08969dcfc4e5331f0f82e1c9dbc90032d8154d7a2cdc1eb75109b063c90823eb88b608f15c6885f2e1408cad3048f3e3d9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads