e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de

General

Target

e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe
Size

860KB
MD5

d446cc682dc1aaf3811524d796e9c10c
SHA1

6e75979cd990273413d1e20fe45a3e1d73422b77
SHA256

e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de
SHA512

ff8db73394fb966f403423ee52fa0155430effe8544ad376799fb812d7cc55805c7beb7ba85b6e74c3ae3116592376f1abe6465a6b6730f7cb926523817160e4
SSDEEP

24576:7Tvtt6UDKwny3EAV1xnDwdfJj50jscibFo1:H1vy0qTohj5pN

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

iwdefender.exe

pid process

2004 iwdefender.exe

Loads dropped DLL 2 IoCs

Processes:

e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe

pid	process
1768	e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe
1768	e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iwdefender.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	iwdefender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security = "C:\\ProgramData\\iwdefender.exe"	iwdefender.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

iwdefender.exe

description	ioc	process
File opened (read-only)	\??\Y:	iwdefender.exe
File opened (read-only)	\??\G:	iwdefender.exe
File opened (read-only)	\??\H:	iwdefender.exe
File opened (read-only)	\??\N:	iwdefender.exe
File opened (read-only)	\??\O:	iwdefender.exe
File opened (read-only)	\??\P:	iwdefender.exe
File opened (read-only)	\??\W:	iwdefender.exe
File opened (read-only)	\??\F:	iwdefender.exe
File opened (read-only)	\??\U:	iwdefender.exe
File opened (read-only)	\??\X:	iwdefender.exe
File opened (read-only)	\??\I:	iwdefender.exe
File opened (read-only)	\??\J:	iwdefender.exe
File opened (read-only)	\??\M:	iwdefender.exe
File opened (read-only)	\??\S:	iwdefender.exe
File opened (read-only)	\??\T:	iwdefender.exe
File opened (read-only)	\??\V:	iwdefender.exe
File opened (read-only)	\??\E:	iwdefender.exe
File opened (read-only)	\??\K:	iwdefender.exe
File opened (read-only)	\??\L:	iwdefender.exe
File opened (read-only)	\??\Q:	iwdefender.exe
File opened (read-only)	\??\R:	iwdefender.exe
File opened (read-only)	\??\Z:	iwdefender.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

iwdefender.exe

description ioc process

File opened for modification \??\PhysicalDrive0 iwdefender.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	iwdefender.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exeiwdefender.exe

pid	process
1768	e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe

pid process

1768 e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

iwdefender.exe

pid	process
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

iwdefender.exe

pid	process
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe
2004	iwdefender.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

iwdefender.exe

pid process

2004 iwdefender.exe
2004 iwdefender.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe

description	pid	process	target process
PID 1768 wrote to memory of 2004	1768	e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe	iwdefender.exe
PID 1768 wrote to memory of 2004	1768	e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe	iwdefender.exe
PID 1768 wrote to memory of 2004	1768	e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe	iwdefender.exe
PID 1768 wrote to memory of 2004	1768	e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe	iwdefender.exe

C:\Users\Admin\AppData\Local\Temp\e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe
"C:\Users\Admin\AppData\Local\Temp\e7e175f13efb06b883eadbcf64763d17f82447363ec1806be9bbf751dae200de.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1768

C:\ProgramData\iwdefender.exe
C:\ProgramData\iwdefender.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\iwdefender.exe

Filesize
827KB

MD5
abd57435cadec1d2a1457de28e2a824d

SHA1
dfbf66fdb7adc4bc32cd3e32eb6a686d263d2793

SHA256
55c9c59928ecd307250f16642ae1e2abab9b71d9b04d2867b99135d7753b7eb3

SHA512
2459d411c142a017233c68c873ccc5d320a074b7c7398aa00e9a1ba2ecda5ca0b35bda3411fde8eaf0424a9aa01aa0e38c8784626e807601c7447106f180d322

Download Submit
\ProgramData\iwdefender.exe

Filesize
827KB

MD5
abd57435cadec1d2a1457de28e2a824d

SHA1
dfbf66fdb7adc4bc32cd3e32eb6a686d263d2793

SHA256
55c9c59928ecd307250f16642ae1e2abab9b71d9b04d2867b99135d7753b7eb3

SHA512
2459d411c142a017233c68c873ccc5d320a074b7c7398aa00e9a1ba2ecda5ca0b35bda3411fde8eaf0424a9aa01aa0e38c8784626e807601c7447106f180d322

Download Submit
\ProgramData\iwdefender.exe

Filesize
827KB

MD5
abd57435cadec1d2a1457de28e2a824d

SHA1
dfbf66fdb7adc4bc32cd3e32eb6a686d263d2793

SHA256
55c9c59928ecd307250f16642ae1e2abab9b71d9b04d2867b99135d7753b7eb3

SHA512
2459d411c142a017233c68c873ccc5d320a074b7c7398aa00e9a1ba2ecda5ca0b35bda3411fde8eaf0424a9aa01aa0e38c8784626e807601c7447106f180d322

Download Submit
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1768-55-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1768-62-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2004-58-0x0000000000000000-mapping.dmp

Download
memory/2004-61-0x0000000000400000-0x0000000000A19000-memory.dmp

Filesize
6.1MB

Download
memory/2004-64-0x0000000000400000-0x0000000000A19000-memory.dmp

Filesize
6.1MB

Download
memory/2004-65-0x0000000000400000-0x0000000000A19000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads