aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c

General

Target

aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Size

352KB
MD5

64c3606a8bc9cbb1708fb3dbe8ffd0c1
SHA1

81273933050e06aaf19972e9f089e140c42516da
SHA256

aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c
SHA512

896f9365e4833b37f39a3819cd9c36d2d5671406bbc1f646a99977130a06317617ee5d1fec9113ff509c251eabc6d1d71928139140d89039b874b399379433e4
SSDEEP

6144:ExgEVdGJoM4PYJ6fQy++AIw8ZqqJn+aCyIK3ccnMxjOFUd:OgSWorYJqQMzfpW1K3Dns3d

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe

description ioc process

File opened for modification \??\PhysicalDrive0 aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe

Modifies registry class 36 IoCs

Processes:

aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\2.1\0\	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\2.1\HELPDIR\	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\ = "Corok object"	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\2.1\0\win32\	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\2.1\FLAGS\ = "0"	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\VersionIndependentProgID\	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\InprocServer32\	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\ProgID\	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\InprocServer32	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\2.1\	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\Version	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\ProgID	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\2.1	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\2.1\0	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\2.1\FLAGS\	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\2.1\HELPDIR	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\2.1\HELPDIR\ = "%SystemRoot%\\HELP"	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\InprocServer32\ = "%CommonProgramFiles%\\Microsoft Shared\\Ink\\InkObj.dll"	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\ProgID\ = "TpcCom.UserLexiconManager.1"	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\TypeLib\	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\TypeLib\ = "{998108C9-A698-E626-2ED9-24229333058B}"	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\Version\	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\VersionIndependentProgID\ = "TpcCom.UserLexiconManager"	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\2.1\0\win32\ = "%CommonProgramFiles%\\System\\ado\\msado21.tlb"	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\2.1\FLAGS	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\Version\ = "1.5"	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\TypeLib	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE384E7E-337E-4BFC-3A9A-33E66A320623}\VersionIndependentProgID	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\2.1\ = "Microsoft ActiveX Data Objects 2.1 Library"	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{998108C9-A698-E626-2ED9-24229333058B}\2.1\0\win32	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe

pid process

576 aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe

pid	process
576	aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe

C:\Users\Admin\AppData\Local\Temp\aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe
"C:\Users\Admin\AppData\Local\Temp\aa1c59429a48fccf189c83ba3b2c2982624980e7c900bc257a345cbeb80fb76c.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:576

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-54-0x0000000000400000-0x0000000000634000-memory.dmp

Filesize
2.2MB

Download
memory/576-55-0x0000000000400000-0x0000000000634000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing