359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce

General

Target

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
Size

13.4MB
MD5

3143c00032a1ea047a24e780d1369e47
SHA1

3a3eddc54315f398642d707a345f8b2903e3abd9
SHA256

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce
SHA512

6c62dcc936c8c9f433469fbb1dd068be50f43ca9053a9ee7435859aed6a5bde1134c1bda1e8dd469e0805b95107bf89ebc730673b2d069959de7e820a4c14d83
SSDEEP

196608:dcepE527eDHmo4O8vUnIO+p+zRCND2uxLFx/CaGcmQjr138TvgFyQeQA:dceC5cS0OQUnbe9xLL6wmQMgJ7A

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

G40458_s_0529.exepcservice.exe

pid process

1684 G40458_s_0529.exe
4252 pcservice.exe

pid	process
1684	G40458_s_0529.exe
4252	pcservice.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exepcservice.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
File opened for modification	\??\PhysicalDrive0	pcservice.exe

Drops file in System32 directory 5 IoCs

Processes:

pcservice.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	pcservice.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	pcservice.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	pcservice.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	pcservice.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\cityjson[1].txt	pcservice.exe

Drops file in Program Files directory 3 IoCs

Processes:

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe

description	ioc	process
File opened for modification	C:\Program Files\58611	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
File created	C:\Program Files\58611\G40458_s_0529.exe	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
File created	C:\Program Files\58611\pcservice.exe	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe

Drops file in Windows directory 1 IoCs

Processes:

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe

description ioc process

File opened for modification C:\windows\pc58611.dll 359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe

description	ioc	process
File opened for modification	C:\windows\pc58611.dll	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

pcservice.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	pcservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	pcservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	pcservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	pcservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	pcservice.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	pcservice.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	pcservice.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	pcservice.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exepcservice.exe

pid	process
3456	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
3456	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
4252	pcservice.exe
4252	pcservice.exe
4252	pcservice.exe
4252	pcservice.exe
4252	pcservice.exe
4252	pcservice.exe
4252	pcservice.exe
4252	pcservice.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exepcservice.exe

pid	process
3456	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
3456	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
4252	pcservice.exe
4252	pcservice.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exeG40458_s_0529.exe

description	pid	process	target process
PID 3456 wrote to memory of 1684	3456	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe	G40458_s_0529.exe
PID 3456 wrote to memory of 1684	3456	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe	G40458_s_0529.exe
PID 3456 wrote to memory of 1684	3456	359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe	G40458_s_0529.exe
PID 1684 wrote to memory of 4968	1684	G40458_s_0529.exe	pcaui.exe
PID 1684 wrote to memory of 4968	1684	G40458_s_0529.exe	pcaui.exe

C:\Users\Admin\AppData\Local\Temp\359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe
"C:\Users\Admin\AppData\Local\Temp\359d49736d20b77c00223a67f143c7ee103eee25aa32a84934d41bd48e059dce.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3456

C:\Program Files\58611\G40458_s_0529.exe
"C:\Program Files\58611\G40458_s_0529.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\system32\pcaui.exe
"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {1ec14616-f36a-4387-8d3a-63d7c1198de5} -a "百度杀毒" -v "百度在线网络技术（北京）有限公司" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 866301 -k 0 -e "C:\Program Files\58611\G40458_s_0529.exe"
3⤵
PID:4968

C:\Program Files\58611\pcservice.exe
"C:\Program Files\58611\pcservice.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\58611\G40458_s_0529.exe

Filesize
11.7MB

MD5
0ae79089d0ad62f542b8895c229cb4b6

SHA1
fd64d068d10708472e62693f18fd4e00f728e659

SHA256
8d0bbe035f96bb9ad2f7a2057d96f29ebb4ce0cc559526fe2cf5c00a154898f5

SHA512
a7b6aa49403e14bcdf74156b391ebecf0b0c7e62d243a8e3198a5e54997dbf6d550670326b955d1f873ebf7715f079090b5aa6b52521193a7ceb9e8ee22ee339

Download Submit
C:\Program Files\58611\G40458_s_0529.exe

Filesize
11.7MB

MD5
0ae79089d0ad62f542b8895c229cb4b6

SHA1
fd64d068d10708472e62693f18fd4e00f728e659

SHA256
8d0bbe035f96bb9ad2f7a2057d96f29ebb4ce0cc559526fe2cf5c00a154898f5

SHA512
a7b6aa49403e14bcdf74156b391ebecf0b0c7e62d243a8e3198a5e54997dbf6d550670326b955d1f873ebf7715f079090b5aa6b52521193a7ceb9e8ee22ee339

Download Submit
C:\Program Files\58611\pcservice.exe

Filesize
737KB

MD5
54e53cb2da0a70824360de17963e3dfe

SHA1
bf46661e598cb57665bbeca746851cc5a2571c8d

SHA256
c9fe0d020a62289fce963cfc14958faf9c0940cdb55a03ae3248a2ac72ba4e52

SHA512
c7281da03bb42e6c548aec1ae496b8e6df9835f8d3135f10c697af952cb3b7f1f42ab4b89ffd109931df0653355bfacd36cabf0be34282352c480e309fe2fbdf

Download Submit
C:\Program Files\58611\pcservice.exe

Filesize
737KB

MD5
54e53cb2da0a70824360de17963e3dfe

SHA1
bf46661e598cb57665bbeca746851cc5a2571c8d

SHA256
c9fe0d020a62289fce963cfc14958faf9c0940cdb55a03ae3248a2ac72ba4e52

SHA512
c7281da03bb42e6c548aec1ae496b8e6df9835f8d3135f10c697af952cb3b7f1f42ab4b89ffd109931df0653355bfacd36cabf0be34282352c480e309fe2fbdf

Download Submit
C:\windows\pc58611.dll

Filesize
165B

MD5
dcf2e558a5dd2e61a374357f16bd6ec3

SHA1
0abc521324ab049c6b0d387efc28c3f4c8ef3c78

SHA256
c66e13d60d95d36186da7da8f4e9215e5b2468fe1704fdf5c4459fd8a4867c94

SHA512
8fe8c4fc357d1813234b36a60281d5ef3ff7b8ffb12f3d22bfe0b0db6c9061043da0599f99d88ada396fb199e70f2fdaafa56bbeb021a8021eac54406d4c026e

Download Submit
memory/1684-135-0x0000000000000000-mapping.dmp

Download
memory/3456-132-0x0000000000400000-0x00000000011C6000-memory.dmp

Filesize
13.8MB

Download
memory/3456-134-0x0000000000400000-0x00000000011C6000-memory.dmp

Filesize
13.8MB

Download
memory/3456-133-0x0000000002FA0000-0x0000000003000000-memory.dmp

Filesize
384KB

Download
memory/3456-142-0x0000000000400000-0x00000000011C6000-memory.dmp

Filesize
13.8MB

Download
memory/4252-143-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/4252-144-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4968-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads