e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0

General

Target

e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
Size

140KB
MD5

0d22a7daa73eb03d96df1d78fd4eea0f
SHA1

b3996401c0758f0560674c033b43de41e27303bf
SHA256

e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0
SHA512

38fc9b781d497c0fe3656c245e1569bc733e169aea77676ab782e3eae1c28f9a72ab324e9cc6d006e42cbe480bf119b16003bd076c334d8a056122f26f6346cd
SSDEEP

3072:d15ecfqXx11utwPGT+MKruQ/J06p6b7R+9WH:8iqBU8GT3KruQ/J06f

Score

7^/10

bootkit persistence

Malware Config

Signatures

Unexpected DNS network traffic destination 53 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	141.150.0.68
Destination IP	192.229.117.116
Destination IP	192.163.48.138
Destination IP	192.164.245.32
Destination IP	192.125.77.63
Destination IP	192.20.241.98
Destination IP	192.197.60.148
Destination IP	192.84.50.71
Destination IP	198.209.72.102
Destination IP	61.250.87.250
Destination IP	192.103.210.213
Destination IP	192.155.61.234
Destination IP	192.207.230.100
Destination IP	192.208.234.11
Destination IP	192.126.81.154
Destination IP	192.136.61.15
Destination IP	192.43.196.2
Destination IP	217.174.98.235
Destination IP	202.27.17.252
Destination IP	192.150.109.121
Destination IP	192.52.201.128
Destination IP	202.139.83.3
Destination IP	80.92.162.200
Destination IP	192.21.95.218
Destination IP	192.235.143.147
Destination IP	202.218.211.253
Destination IP	192.216.82.1
Destination IP	192.204.245.6
Destination IP	192.129.248.133
Destination IP	192.218.247.79
Destination IP	192.64.149.184
Destination IP	192.39.177.246
Destination IP	192.59.103.186
Destination IP	195.133.91.136
Destination IP	200.10.122.11
Destination IP	192.29.91.210
Destination IP	203.192.158.22
Destination IP	192.129.5.211
Destination IP	192.153.183.65
Destination IP	192.59.0.94
Destination IP	192.35.211.61
Destination IP	192.180.102.230
Destination IP	66.152.91.2
Destination IP	192.254.167.39
Destination IP	192.252.116.215
Destination IP	192.233.59.245
Destination IP	202.181.98.171
Destination IP	192.195.174.104
Destination IP	192.180.149.40
Destination IP	192.76.50.100
Destination IP	192.169.34.6
Destination IP	192.88.195.10
Destination IP	222.255.120.130

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe

description ioc process

File opened for modification \??\PhysicalDrive0 e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1772 1396 WerFault.exe e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe

pid	pid_target	process	target process
1772	1396	WerFault.exe	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe

pid	process
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe

description	pid	process	target process
PID 1396 wrote to memory of 1772	1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe	WerFault.exe
PID 1396 wrote to memory of 1772	1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe	WerFault.exe
PID 1396 wrote to memory of 1772	1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe	WerFault.exe
PID 1396 wrote to memory of 1772	1396	e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
"C:\Users\Admin\AppData\Local\Temp\e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1720
2⤵
- Program crash
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1396-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1396-55-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1396-57-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1772-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads