da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21

General

Target

da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe
Size

645KB
MD5

21bf0f60d664e70c41f6b8e82a7bb131
SHA1

5d63d5afe4d290ee059ed022b836e3b94ceaf05c
SHA256

da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21
SHA512

10b706370a434089ea3e1af182fcb30b03ce4d106e405f838fe54d4201c3e77bf5a9517c9a4c8f4607da8ef12f3d396af0a4f9916a64b37025ba2429cdb7ef08
SSDEEP

12288:eRRbwLC2zgOEntneFQxale36HmQTvtYUYIGCw/8PT4gwDG3Kgt7o9:wMn0OE5Se36rTms13JK9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3404	H576S7OcbFMSL4lbA6c9.exe
4340	job.exe
1664	joc.exe

Loads dropped DLL 1 IoCs

pid	Process
2168	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vkabamabimonus = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Wicoxyt.dll\",Startup"	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\physicaldrive0	job.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3404	H576S7OcbFMSL4lbA6c9.exe
3404	H576S7OcbFMSL4lbA6c9.exe
3404	H576S7OcbFMSL4lbA6c9.exe
3404	H576S7OcbFMSL4lbA6c9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4340	job.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3404	H576S7OcbFMSL4lbA6c9.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 3404	1344	da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe	83
PID 1344 wrote to memory of 3404	1344	da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe	83
PID 1344 wrote to memory of 3404	1344	da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe	83
PID 1344 wrote to memory of 4340	1344	da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe	84
PID 1344 wrote to memory of 4340	1344	da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe	84
PID 1344 wrote to memory of 4340	1344	da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe	84
PID 1344 wrote to memory of 1664	1344	da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe	85
PID 1344 wrote to memory of 1664	1344	da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe	85
PID 1344 wrote to memory of 1664	1344	da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe	85
PID 1344 wrote to memory of 3260	1344	da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe	86
PID 1344 wrote to memory of 3260	1344	da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe	86
PID 1344 wrote to memory of 3260	1344	da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe	86
PID 1664 wrote to memory of 2168	1664	joc.exe	88
PID 1664 wrote to memory of 2168	1664	joc.exe	88
PID 1664 wrote to memory of 2168	1664	joc.exe	88

C:\Users\Admin\AppData\Local\Temp\da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe
"C:\Users\Admin\AppData\Local\Temp\da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\H576S7OcbFMSL4lbA6c9.exe
  H576S7OcbFMSL4lbA6c9.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3404
- C:\Users\Admin\job.exe
  job.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Users\Admin\joc.exe
  joc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Wicoxyt.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del da00c82da43264827e5c7a7dad7a1baa9ba5097e20eceecaf675920149531d21.exe
  2⤵
  PID:3260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Wicoxyt.dll

Filesize
109KB

MD5
c0b9e3a8efac7b06f3c1d0728ade262d

SHA1
9ec3e310abbccb247390d250ae0887ee06b55515

SHA256
860147dbef8d0c08371b9137bf627c1974b3cbd5904fbadbfbcfeaf292d77b06

SHA512
8a8b13756118e337ef8bc103f308f502f78efc915999173eef12115a30a98221b4858e6d0e806e6a897feba23531305147f2984a2e6a5cd1790a47745233e197

Download Submit
C:\Users\Admin\AppData\Local\Wicoxyt.dll

Filesize
109KB

MD5
c0b9e3a8efac7b06f3c1d0728ade262d

SHA1
9ec3e310abbccb247390d250ae0887ee06b55515

SHA256
860147dbef8d0c08371b9137bf627c1974b3cbd5904fbadbfbcfeaf292d77b06

SHA512
8a8b13756118e337ef8bc103f308f502f78efc915999173eef12115a30a98221b4858e6d0e806e6a897feba23531305147f2984a2e6a5cd1790a47745233e197

Download Submit
C:\Users\Admin\H576S7OcbFMSL4lbA6c9.exe

Filesize
132KB

MD5
c17630f33b3ae8508ee24c2f910ebc8e

SHA1
66b9dcea656feb35234fe35a6c1d831b06f665a2

SHA256
d8013736d35ec810f213d09270f2bbd3f87505900cc8ed4d16d6c18eafcad9fb

SHA512
ca256e72ccdf366bc1801f56dc3724dea1b7cdcc546627f199aeb7abbf2ad25b3162a238d375da404117417cab021f5794f431e1b5220804451655e2f9375a51

Download Submit
C:\Users\Admin\H576S7OcbFMSL4lbA6c9.exe

Filesize
132KB

MD5
c17630f33b3ae8508ee24c2f910ebc8e

SHA1
66b9dcea656feb35234fe35a6c1d831b06f665a2

SHA256
d8013736d35ec810f213d09270f2bbd3f87505900cc8ed4d16d6c18eafcad9fb

SHA512
ca256e72ccdf366bc1801f56dc3724dea1b7cdcc546627f199aeb7abbf2ad25b3162a238d375da404117417cab021f5794f431e1b5220804451655e2f9375a51

Download Submit
C:\Users\Admin\job.exe

Filesize
177KB

MD5
2f0c6d4c58ed356e8ca16499260250fd

SHA1
5351a4d7e65ee768b49ceb7885ebfc1efc53d10d

SHA256
8b92d5a0b0b480ead51f60df0b2638ee214f71152bcb3dfad0509b2b0fc956b9

SHA512
1bb21b0b0bd80017e12f83b153826f4f93ea8550c7810ba34671e20231e3303977466e73081df3969db43c40b4217eeb52968eb01a87ace0dfa2e2b01d6e7ed0

Download Submit
C:\Users\Admin\job.exe

Filesize
177KB

MD5
2f0c6d4c58ed356e8ca16499260250fd

SHA1
5351a4d7e65ee768b49ceb7885ebfc1efc53d10d

SHA256
8b92d5a0b0b480ead51f60df0b2638ee214f71152bcb3dfad0509b2b0fc956b9

SHA512
1bb21b0b0bd80017e12f83b153826f4f93ea8550c7810ba34671e20231e3303977466e73081df3969db43c40b4217eeb52968eb01a87ace0dfa2e2b01d6e7ed0

Download Submit
C:\Users\Admin\joc.exe

Filesize
109KB

MD5
f917c58a1f8d689408f37eac2e9765a7

SHA1
e1d5cbbbf0cc0953f89ab8dd873307a78988485a

SHA256
d4e1b453dc70d6296e90cf0c2bc6d3ca265e1e899078d4eaec79d2dc0199909c

SHA512
119b92c1824c96337606b833bd971feaad5a20815994d4cffcd441d358b847101295c78fff456997b311af457a09c187658d517d8486177ecf72f0b0212c52d0

Download Submit
C:\Users\Admin\joc.exe

Filesize
109KB

MD5
f917c58a1f8d689408f37eac2e9765a7

SHA1
e1d5cbbbf0cc0953f89ab8dd873307a78988485a

SHA256
d4e1b453dc70d6296e90cf0c2bc6d3ca265e1e899078d4eaec79d2dc0199909c

SHA512
119b92c1824c96337606b833bd971feaad5a20815994d4cffcd441d358b847101295c78fff456997b311af457a09c187658d517d8486177ecf72f0b0212c52d0

Download Submit
memory/1664-143-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1664-145-0x00000000023F1000-0x00000000023FF000-memory.dmp

Filesize
56KB

Download
memory/2168-151-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2168-154-0x0000000003011000-0x000000000301F000-memory.dmp

Filesize
56KB

Download
memory/4340-144-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4340-142-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4340-152-0x0000000000530000-0x0000000000589000-memory.dmp

Filesize
356KB

Download
memory/4340-153-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4340-155-0x0000000000530000-0x0000000000589000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing