a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3

Reason

Machine shutdown

General

Target

a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe
Size

220KB
MD5

e3121f47ece2ff6f56a1db4cbb192551
SHA1

8dc8d58a44b958f8b750435c730b56c5e3c0073f
SHA256

a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3
SHA512

ebbe604030f9ec0cfd31a61c91a7711808a30b841fd50b268b64f7d6f11cd57613833c2564cdd6c2e68dee0a179c62dc936274e8d537b094bcb30dc02c034e48
SSDEEP

3072:J2FcHQxdMJ7TF4uHL+L2kwoxF/U+ywjsuGX80x5yvk0/y:JHHQbMJR4AoxF/YPuGs0x5okz

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
940	x2z8.exe
760	x2z8.exe

Deletes itself 1 IoCs

pid	Process
760	x2z8.exe

Loads dropped DLL 3 IoCs

pid	Process
1644	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe
1644	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe
940	x2z8.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe
File opened for modification	\??\PHYSICALDRIVE0	x2z8.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 1644	1672	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe	27
PID 940 set thread context of 760	940	x2z8.exe	29

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	760	x2z8.exe
Token: 33	820	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	820	AUDIODG.EXE
Token: 33	820	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	820	AUDIODG.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1644	1672	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe	27
PID 1672 wrote to memory of 1644	1672	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe	27
PID 1672 wrote to memory of 1644	1672	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe	27
PID 1672 wrote to memory of 1644	1672	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe	27
PID 1672 wrote to memory of 1644	1672	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe	27
PID 1672 wrote to memory of 1644	1672	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe	27
PID 1672 wrote to memory of 1644	1672	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe	27
PID 1672 wrote to memory of 1644	1672	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe	27
PID 1644 wrote to memory of 940	1644	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe	28
PID 1644 wrote to memory of 940	1644	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe	28
PID 1644 wrote to memory of 940	1644	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe	28
PID 1644 wrote to memory of 940	1644	a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe	28
PID 940 wrote to memory of 760	940	x2z8.exe	29
PID 940 wrote to memory of 760	940	x2z8.exe	29
PID 940 wrote to memory of 760	940	x2z8.exe	29
PID 940 wrote to memory of 760	940	x2z8.exe	29
PID 940 wrote to memory of 760	940	x2z8.exe	29
PID 940 wrote to memory of 760	940	x2z8.exe	29
PID 940 wrote to memory of 760	940	x2z8.exe	29
PID 940 wrote to memory of 760	940	x2z8.exe	29

C:\Users\Admin\AppData\Local\Temp\a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe
"C:\Users\Admin\AppData\Local\Temp\a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe
  "C:\Users\Admin\AppData\Local\Temp\a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
    C:\Users\Admin\AppData\Local\Temp\\x2z8.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
      C:\Users\Admin\AppData\Local\Temp\\x2z8.exe
      4⤵
      Executes dropped EXE
      Deletes itself
      Writes to the Master Boot Record (MBR)
      Suspicious use of AdjustPrivilegeToken
      PID:760

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fpath.txt

Filesize
102B

MD5
3978d9b5be5ae14e42e6952491830103

SHA1
ae59ba10001e6e5f97c486299c9bb9810b30142c

SHA256
598f1a6cd0300cdcbd3d3d2c742003da2565bab9fe1db253a6c2f78cb949ceb1

SHA512
4f1f83332577945bdf6b616dff12873426b4716875f78b91a8bf475155264d6d1ef43b0d9fb86f08fd86bc48f43671e47c0559c97a5d28e2a68f5ea6299245fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
220KB

MD5
e3121f47ece2ff6f56a1db4cbb192551

SHA1
8dc8d58a44b958f8b750435c730b56c5e3c0073f

SHA256
a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3

SHA512
ebbe604030f9ec0cfd31a61c91a7711808a30b841fd50b268b64f7d6f11cd57613833c2564cdd6c2e68dee0a179c62dc936274e8d537b094bcb30dc02c034e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
220KB

MD5
e3121f47ece2ff6f56a1db4cbb192551

SHA1
8dc8d58a44b958f8b750435c730b56c5e3c0073f

SHA256
a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3

SHA512
ebbe604030f9ec0cfd31a61c91a7711808a30b841fd50b268b64f7d6f11cd57613833c2564cdd6c2e68dee0a179c62dc936274e8d537b094bcb30dc02c034e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
220KB

MD5
e3121f47ece2ff6f56a1db4cbb192551

SHA1
8dc8d58a44b958f8b750435c730b56c5e3c0073f

SHA256
a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3

SHA512
ebbe604030f9ec0cfd31a61c91a7711808a30b841fd50b268b64f7d6f11cd57613833c2564cdd6c2e68dee0a179c62dc936274e8d537b094bcb30dc02c034e48

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
220KB

MD5
e3121f47ece2ff6f56a1db4cbb192551

SHA1
8dc8d58a44b958f8b750435c730b56c5e3c0073f

SHA256
a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3

SHA512
ebbe604030f9ec0cfd31a61c91a7711808a30b841fd50b268b64f7d6f11cd57613833c2564cdd6c2e68dee0a179c62dc936274e8d537b094bcb30dc02c034e48

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
220KB

MD5
e3121f47ece2ff6f56a1db4cbb192551

SHA1
8dc8d58a44b958f8b750435c730b56c5e3c0073f

SHA256
a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3

SHA512
ebbe604030f9ec0cfd31a61c91a7711808a30b841fd50b268b64f7d6f11cd57613833c2564cdd6c2e68dee0a179c62dc936274e8d537b094bcb30dc02c034e48

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
220KB

MD5
e3121f47ece2ff6f56a1db4cbb192551

SHA1
8dc8d58a44b958f8b750435c730b56c5e3c0073f

SHA256
a45fb61cea4f75cb43ca116d5a198f4a1993a9cc98ed58824690fe9131cc45a3

SHA512
ebbe604030f9ec0cfd31a61c91a7711808a30b841fd50b268b64f7d6f11cd57613833c2564cdd6c2e68dee0a179c62dc936274e8d537b094bcb30dc02c034e48

Download Submit
memory/760-80-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1636-81-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download
memory/1644-54-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1644-62-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1644-55-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1644-61-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1644-66-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1644-56-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1644-58-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

Errors