709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e

General

Target

709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
Size

280KB
MD5

6cd663ae039eee60a5ff6673809242c4
SHA1

48e6c30840a6712e877433e71099151e64f5ec0a
SHA256

709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e
SHA512

ee03459f79eaf7f28cdbbb163d9e5ff0096afe506a186998706edc0109d97dcea308e46e9e7e715529ed9de59e23856764d1429fb9d3eb68addf327f00354485
SSDEEP

6144:+JQ8lUCPiwcjqljxrIw+0PqkunR5HbasB5:xiiwioj6KxunR1a

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe

description ioc process

File opened for modification \??\PhysicalDrive0 709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe

description	pid	process	target process
PID 1672 set thread context of 1420	1672	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1420 set thread context of 624	1420	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe

pid process

624 709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe

description pid process

Token: SeDebugPrivilege 624 709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe

pid	process
624	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe

description	pid	process
Token: SeDebugPrivilege	624	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe

pid	process
1672	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
1420	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe

C:\Users\Admin\AppData\Local\Temp\709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
"C:\Users\Admin\AppData\Local\Temp\709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
"C:\Users\Admin\AppData\Local\Temp\709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
"C:\Users\Admin\AppData\Local\Temp\709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/624-80-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/624-86-0x0000000000290000-0x00000000002DF000-memory.dmp

Filesize
316KB

Download
memory/624-85-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/624-82-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/624-81-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/624-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/624-68-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/624-72-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/624-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/624-70-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/624-76-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/624-77-0x0000000000410910-mapping.dmp

Download
memory/1420-63-0x0000000000401768-mapping.dmp

Download
memory/1420-79-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1420-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1420-62-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1420-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1420-59-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

description	pid	process	target process
PID 1672 wrote to memory of 1420	1672	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1672 wrote to memory of 1420	1672	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1672 wrote to memory of 1420	1672	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1672 wrote to memory of 1420	1672	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1672 wrote to memory of 1420	1672	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1672 wrote to memory of 1420	1672	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1672 wrote to memory of 1420	1672	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1672 wrote to memory of 1420	1672	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1672 wrote to memory of 1420	1672	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1420 wrote to memory of 624	1420	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1420 wrote to memory of 624	1420	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1420 wrote to memory of 624	1420	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1420 wrote to memory of 624	1420	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1420 wrote to memory of 624	1420	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1420 wrote to memory of 624	1420	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1420 wrote to memory of 624	1420	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1420 wrote to memory of 624	1420	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1420 wrote to memory of 624	1420	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe
PID 1420 wrote to memory of 624	1420	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe	709653c23fe559890886a609ce1a7b58c96acbded32504603eb47f44c7c3084e.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads