845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab

General

Target

845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe
Size

609KB
MD5

a79bcc830c8a002cd5f71abf9edbff95
SHA1

4c4846f81fd2b5758c81e7715d46d053cd5fa512
SHA256

845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab
SHA512

c233a41bee6ced3995380e13c4d7f39436465a479924644c5cf2c7e7a5f31d9c8928388d380844d507666237bb4fc387bffe4415b24f5a457ad06ffff46f214b
SSDEEP

12288:uwu0R1wMbuUgn9iB4bva3ImroWiMUIzx:PwMhg8ub0ImcWNUG

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

malremtool.exe

pid process

900 malremtool.exe

pid	process
900	malremtool.exe

Loads dropped DLL 4 IoCs

Processes:

845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe

pid	process
1932	845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe
1932	845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe
1932	845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe
1932	845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

malremtool.exe

description ioc process

File opened for modification \??\PhysicalDrive0 malremtool.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

malremtool.exe

pid process

900 malremtool.exe
900 malremtool.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe

pid process

1932 845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	malremtool.exe

pid	process
900	malremtool.exe
900	malremtool.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe

description	pid	process	target process
PID 1932 wrote to memory of 900	1932	845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe	malremtool.exe
PID 1932 wrote to memory of 900	1932	845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe	malremtool.exe
PID 1932 wrote to memory of 900	1932	845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe	malremtool.exe
PID 1932 wrote to memory of 900	1932	845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe	malremtool.exe

C:\Users\Admin\AppData\Local\Temp\845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe
"C:\Users\Admin\AppData\Local\Temp\845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\malremtool.exe
"C:\Users\Admin\AppData\Local\Temp\malremtool.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:900

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1668

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1532

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\malremtool.exe
Filesize
609KB

MD5
a79bcc830c8a002cd5f71abf9edbff95

SHA1
4c4846f81fd2b5758c81e7715d46d053cd5fa512

SHA256
845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab

SHA512
c233a41bee6ced3995380e13c4d7f39436465a479924644c5cf2c7e7a5f31d9c8928388d380844d507666237bb4fc387bffe4415b24f5a457ad06ffff46f214b

Download Submit
\Users\Admin\AppData\Local\Temp\malremtool.exe
Filesize
609KB

MD5
a79bcc830c8a002cd5f71abf9edbff95

SHA1
4c4846f81fd2b5758c81e7715d46d053cd5fa512

SHA256
845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab

SHA512
c233a41bee6ced3995380e13c4d7f39436465a479924644c5cf2c7e7a5f31d9c8928388d380844d507666237bb4fc387bffe4415b24f5a457ad06ffff46f214b

Download Submit
\Users\Admin\AppData\Local\Temp\malremtool.exe
Filesize
609KB

MD5
a79bcc830c8a002cd5f71abf9edbff95

SHA1
4c4846f81fd2b5758c81e7715d46d053cd5fa512

SHA256
845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab

SHA512
c233a41bee6ced3995380e13c4d7f39436465a479924644c5cf2c7e7a5f31d9c8928388d380844d507666237bb4fc387bffe4415b24f5a457ad06ffff46f214b

Download Submit
\Users\Admin\AppData\Local\Temp\malremtool.exe
Filesize
609KB

MD5
a79bcc830c8a002cd5f71abf9edbff95

SHA1
4c4846f81fd2b5758c81e7715d46d053cd5fa512

SHA256
845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab

SHA512
c233a41bee6ced3995380e13c4d7f39436465a479924644c5cf2c7e7a5f31d9c8928388d380844d507666237bb4fc387bffe4415b24f5a457ad06ffff46f214b

Download Submit
\Users\Admin\AppData\Local\Temp\malremtool.exe
Filesize
609KB

MD5
a79bcc830c8a002cd5f71abf9edbff95

SHA1
4c4846f81fd2b5758c81e7715d46d053cd5fa512

SHA256
845f86a5cd28446fc64d66e134a36182d49326686eee64aa6a0131f36d51aaab

SHA512
c233a41bee6ced3995380e13c4d7f39436465a479924644c5cf2c7e7a5f31d9c8928388d380844d507666237bb4fc387bffe4415b24f5a457ad06ffff46f214b

Download Submit
memory/900-60-0x0000000000000000-mapping.dmp

Download
memory/1932-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/1932-55-0x0000000000400000-0x000000000049F8A0-memory.dmp

Filesize
638KB

Download

Analysis

Sharing