92ac4f64fb94079b74a4c7722a76cc7567cc0a892f26184381c809c97a3fc5c0

General

Target

92ac4f64fb94079b74a4c7722a76cc7567cc0a892f26184381c809c97a3fc5c0.exe
Size

190KB
MD5

0652f1f01e967e3220dbe1954397f221
SHA1

3ab1daa6bf42a31a38d6c25c1968af8fc52f3588
SHA256

92ac4f64fb94079b74a4c7722a76cc7567cc0a892f26184381c809c97a3fc5c0
SHA512

9c2deb31d90d3ab8e35de7ac3e5255b453e10066c543eda36f88854461a8e70e28955728f798323ca9673b6787d037447baf02c15dfa5dc2f6f149bdaba505b4
SSDEEP

3072:GtjGnXCrbdXw+XeRlSSfHZTnGsxNnEu+EOLdhLO/mN/I/IL:GtjGSrbdXwYe3SIHZSsxNnEi4jS/mN/t

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\xXmwAOJDXQ.ini	92ac4f64fb94079b74a4c7722a76cc7567cc0a892f26184381c809c97a3fc5c0.exe
File created	C:\Windows\system32\drivers\etc\Dy2ehu8R.dll	92ac4f64fb94079b74a4c7722a76cc7567cc0a892f26184381c809c97a3fc5c0.exe
File created	C:\Windows\system32\drivers\etc\xXmwAOJDXQ.del	92ac4f64fb94079b74a4c7722a76cc7567cc0a892f26184381c809c97a3fc5c0.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRAT_Service\Parameters\ServiceDLL = "C:\\Windows\\system32\\drivers\\etc\\Dy2ehu8R.dll"	92ac4f64fb94079b74a4c7722a76cc7567cc0a892f26184381c809c97a3fc5c0.exe

Deletes itself 1 IoCs

pid	Process
1388	rundll32.exe

Loads dropped DLL 5 IoCs

pid	Process
1416	svchost.exe
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1492	92ac4f64fb94079b74a4c7722a76cc7567cc0a892f26184381c809c97a3fc5c0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	92ac4f64fb94079b74a4c7722a76cc7567cc0a892f26184381c809c97a3fc5c0.exe
Token: SeDebugPrivilege	1416	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1388	rundll32.exe
1388	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1388	1416	svchost.exe	28
PID 1416 wrote to memory of 1388	1416	svchost.exe	28
PID 1416 wrote to memory of 1388	1416	svchost.exe	28
PID 1416 wrote to memory of 1388	1416	svchost.exe	28
PID 1416 wrote to memory of 1388	1416	svchost.exe	28
PID 1416 wrote to memory of 1388	1416	svchost.exe	28
PID 1416 wrote to memory of 1388	1416	svchost.exe	28

C:\Users\Admin\AppData\Local\Temp\92ac4f64fb94079b74a4c7722a76cc7567cc0a892f26184381c809c97a3fc5c0.exe
"C:\Users\Admin\AppData\Local\Temp\92ac4f64fb94079b74a4c7722a76cc7567cc0a892f26184381c809c97a3fc5c0.exe"
1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k SRAT_Service
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe c:\windows\system32\drivers\etc\dy2ehu8r.dll,MainWork SRAT_Service
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\drivers\etc\xXmwAOJDXQ.del

Filesize
104B

MD5
c171db67518f30316ee405b0095ced86

SHA1
f8271644004068440f36855c9a495ea3235e2a7f

SHA256
be7c9a113438875c33bf0352ac49cbc097ced235924f4bf778ff0fe9a014aa5f

SHA512
a39119a5b4ed4ff63bb32e62938bbdf7f758ec1504ef6339a0b59a62ec8bd5682b574793429d770672c704be89d643677b84d9b7343919e5e1b7db28ca371397

Download Submit
\??\c:\windows\system32\drivers\etc\dy2ehu8r.dll

Filesize
153KB

MD5
873e6c71c7440c1019bb4a42dbb15003

SHA1
2bdbd6ddcfd66bd5f39ed64025210849a657e43e

SHA256
365030ef5a3651c42029157f70d788aded2c2183866ef5e6ce3a60ee3d66d9d0

SHA512
b0531c5d74ebc084c968df25104988ea5b10870815af3c735ef3eaaf9d55368d8f54062ddb05a08e9f1af35ba5bffac3e9286435096cb4b3c948faab31d89956

Download Submit
\Windows\System32\drivers\etc\Dy2ehu8R.dll

Filesize
153KB

MD5
873e6c71c7440c1019bb4a42dbb15003

SHA1
2bdbd6ddcfd66bd5f39ed64025210849a657e43e

SHA256
365030ef5a3651c42029157f70d788aded2c2183866ef5e6ce3a60ee3d66d9d0

SHA512
b0531c5d74ebc084c968df25104988ea5b10870815af3c735ef3eaaf9d55368d8f54062ddb05a08e9f1af35ba5bffac3e9286435096cb4b3c948faab31d89956

Download Submit
\Windows\System32\drivers\etc\Dy2ehu8R.dll

Filesize
153KB

MD5
873e6c71c7440c1019bb4a42dbb15003

SHA1
2bdbd6ddcfd66bd5f39ed64025210849a657e43e

SHA256
365030ef5a3651c42029157f70d788aded2c2183866ef5e6ce3a60ee3d66d9d0

SHA512
b0531c5d74ebc084c968df25104988ea5b10870815af3c735ef3eaaf9d55368d8f54062ddb05a08e9f1af35ba5bffac3e9286435096cb4b3c948faab31d89956

Download Submit
\Windows\System32\drivers\etc\Dy2ehu8R.dll

Filesize
153KB

MD5
873e6c71c7440c1019bb4a42dbb15003

SHA1
2bdbd6ddcfd66bd5f39ed64025210849a657e43e

SHA256
365030ef5a3651c42029157f70d788aded2c2183866ef5e6ce3a60ee3d66d9d0

SHA512
b0531c5d74ebc084c968df25104988ea5b10870815af3c735ef3eaaf9d55368d8f54062ddb05a08e9f1af35ba5bffac3e9286435096cb4b3c948faab31d89956

Download Submit
\Windows\System32\drivers\etc\Dy2ehu8R.dll

Filesize
153KB

MD5
873e6c71c7440c1019bb4a42dbb15003

SHA1
2bdbd6ddcfd66bd5f39ed64025210849a657e43e

SHA256
365030ef5a3651c42029157f70d788aded2c2183866ef5e6ce3a60ee3d66d9d0

SHA512
b0531c5d74ebc084c968df25104988ea5b10870815af3c735ef3eaaf9d55368d8f54062ddb05a08e9f1af35ba5bffac3e9286435096cb4b3c948faab31d89956

Download Submit
\Windows\System32\drivers\etc\Dy2ehu8R.dll

Filesize
153KB

MD5
873e6c71c7440c1019bb4a42dbb15003

SHA1
2bdbd6ddcfd66bd5f39ed64025210849a657e43e

SHA256
365030ef5a3651c42029157f70d788aded2c2183866ef5e6ce3a60ee3d66d9d0

SHA512
b0531c5d74ebc084c968df25104988ea5b10870815af3c735ef3eaaf9d55368d8f54062ddb05a08e9f1af35ba5bffac3e9286435096cb4b3c948faab31d89956

Download Submit
memory/1388-63-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/1416-56-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing