2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f

General

Target

2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f.exe
Size

232KB
MD5

d7d5a8136962ee21e14fa33f127064da
SHA1

f97737161502842fa07add7b89be3b34271df3c3
SHA256

2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f
SHA512

da0cade98fae9ef332ebec7b51b513b73402da1e4ed5ba3b1d7078caa957d9bf66da3ca9e865e54102aed546f5948ffad8bae87c4abb19363df97f8d4eb26a2b
SSDEEP

3072:AMdgD6dbNFko1ayFCpEZWCfEgl+D7t5VOcoF/7UbNVLPLcqcoMaUfdqMwuW0Gc3I:Jdge1NFVH0pwpMfN5V7bzooMkMwHc0U

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1416	winvrtd.exe

Loads dropped DLL 2 IoCs

pid	Process
832	2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f.exe
832	2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winvrtd.exe	2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f.exe
File opened for modification	C:\Windows\SysWOW64\winvtd.db	2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f.exe
File created	C:\Windows\SysWOW64\winvtd32.dll	winvrtd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
1416	winvrtd.exe
1416	winvrtd.exe
1416	winvrtd.exe
1416	winvrtd.exe
1416	winvrtd.exe
1416	winvrtd.exe
1416	winvrtd.exe
1416	winvrtd.exe
1416	winvrtd.exe
1416	winvrtd.exe
1416	winvrtd.exe
1416	winvrtd.exe
1416	winvrtd.exe
1416	winvrtd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
832	2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f.exe
832	2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1416	832	2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f.exe	28
PID 832 wrote to memory of 1416	832	2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f.exe	28
PID 832 wrote to memory of 1416	832	2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f.exe	28
PID 832 wrote to memory of 1416	832	2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f.exe	28

C:\Users\Admin\AppData\Local\Temp\2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f.exe
"C:\Users\Admin\AppData\Local\Temp\2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\SysWOW64\winvrtd.exe
  "C:\Windows\system32\winvrtd.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winvrtd.exe

Filesize
128KB

MD5
b4e8d5954975ae43cbf09bf0d7992683

SHA1
c530cfaf2d82d3cc1839e8dbca40148b276fad79

SHA256
5bb33f70e6dd09970031cfadbce415345f0ce77ea78c030376f8d54d8d5c8142

SHA512
0da4996cd7d22517f9ba265ece55f802f651b43cbfd17f878365a794d991574dc24b7361c22c8886eac135d86663296812d7fcb9ed2650f44a63339010775810

Download Submit
\Windows\SysWOW64\winvrtd.exe

Filesize
128KB

MD5
b4e8d5954975ae43cbf09bf0d7992683

SHA1
c530cfaf2d82d3cc1839e8dbca40148b276fad79

SHA256
5bb33f70e6dd09970031cfadbce415345f0ce77ea78c030376f8d54d8d5c8142

SHA512
0da4996cd7d22517f9ba265ece55f802f651b43cbfd17f878365a794d991574dc24b7361c22c8886eac135d86663296812d7fcb9ed2650f44a63339010775810

Download Submit
\Windows\SysWOW64\winvrtd.exe

Filesize
128KB

MD5
b4e8d5954975ae43cbf09bf0d7992683

SHA1
c530cfaf2d82d3cc1839e8dbca40148b276fad79

SHA256
5bb33f70e6dd09970031cfadbce415345f0ce77ea78c030376f8d54d8d5c8142

SHA512
0da4996cd7d22517f9ba265ece55f802f651b43cbfd17f878365a794d991574dc24b7361c22c8886eac135d86663296812d7fcb9ed2650f44a63339010775810

Download Submit
memory/832-58-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/832-59-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/832-60-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/832-61-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/832-62-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/832-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/832-56-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/832-55-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/832-68-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/832-69-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/832-70-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing