f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45

General

Target

f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Size

351KB
MD5

8b4f124967a4a479429b518f5f88c6d8
SHA1

0a956acaa75973389464355f491243a53083902f
SHA256

f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45
SHA512

24754725b72bf6df7b71106db8a2b0c6ffeda1d4758d1ac8bf4af352b55363a319a8ef24c3c1e0cd2e6fec6670571adfdf39641c6b153b9e5b97c2bda5b5ba5f
SSDEEP

6144:8ofL8p8yh2zBoAlsQAwz/82Ev8B/Wn+aCyIK3ccnMxjqLqTaoVv:S2toAlsZ6EvI/OW1K3DnsSqTJVv

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe

description ioc process

File opened for modification \??\PhysicalDrive0 f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe

Modifies registry class 46 IoCs

Processes:

f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\ProgID\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\2.a\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\HTMLControl	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\MiscStatus	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\ToolboxBitmap32	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\2.a\0	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\2.a\HELPDIR\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\2.a\0\win32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPPT.OLB"	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\2.a\HELPDIR\ = "[{91493440-5A91-11CF-8700-00AA0060263B}]"	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\DefaultIcon	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\DefaultIcon\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\InprocServer32\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\MiscStatus\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\2.a\0\win32\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\Version	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\ = "Bihepaw Giwol"	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\ProgID\ = "Forms.HTML:Image.1"	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\Version\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\InprocServer32\ = "C:\\Windows\\SysWOW64\\FM20.DLL"	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\ProgID	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\TypeLib\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\TypeLib\ = "{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}"	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\HTMLControl\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\InprocServer32	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\2.a\0\win32	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\TypeLib	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\2.a\0\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\2.a\HELPDIR	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\Implemented Categories	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\Implemented Categories\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\MiscStatus\ = "657809"	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\FM20.DLL, 285"	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\2.a\ = "Microsoft PowerPoint 14.0 Object Library"	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\Version\ = "2.0"	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\DefaultIcon\ = "C:\\Windows\\SysWOW64\\FM20.DLL,0"	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DC268FD-D5BF-4C2C-61BA-14BDC554040A}\ToolboxBitmap32\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\2.a	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\2.a\FLAGS	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\2.a\FLAGS\	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12E4D446-0A22-DC7B-AABA-3D8ABDEE663F}\2.a\FLAGS\ = "0"	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe

pid process

1324 f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe

pid	process
1324	f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe

C:\Users\Admin\AppData\Local\Temp\f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe
"C:\Users\Admin\AppData\Local\Temp\f96b7e492a2653887623c9242c2f96cb434e535618af3bded7fe75058a5f4a45.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1324

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1324-54-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/1324-55-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing