8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e

Reason

Machine shutdown

General

Target

8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe
Size

85KB
MD5

7f07b1d8c3e93203a5d9cb71fc57f139
SHA1

9bf82f08b7f635193775a9741e92177d85cf41a0
SHA256

8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e
SHA512

d08ad6c19cb6ce37ba6a2cc9bbd9d34fc17f2b9cef6e3a5132f6b536c929d7875a4a69051008794a8dd142a474906a9b4d779709555edb2f337d84056e98b255
SSDEEP

1536:UKy7x3cuklIn2ecXFX/Hcb+KeWSek4CcKn3S0b0I1mwOtg5:UKkxsmZc5/HNH+U11mftk

Score

8^/10

aspackv2 bootkit persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000a0000000122fb-63.dat	aspack_v212_v242
behavioral1/files/0x000a0000000122fb-64.dat	aspack_v212_v242
behavioral1/files/0x000a0000000122fb-71.dat	aspack_v212_v242
behavioral1/files/0x000a0000000122fb-70.dat	aspack_v212_v242
behavioral1/files/0x000a0000000122fb-66.dat	aspack_v212_v242
behavioral1/files/0x000a0000000122fb-76.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
2016	x2z8.exe
1124	x2z8.exe

Deletes itself 1 IoCs

pid	Process
1124	x2z8.exe

Loads dropped DLL 3 IoCs

pid	Process
1220	8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe
1220	8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe
2016	x2z8.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	x2z8.exe
File opened for modification	\??\PHYSICALDRIVE0	8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 1220	1108	8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe	28
PID 2016 set thread context of 1124	2016	x2z8.exe	30

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1124	x2z8.exe
Token: 33	1696	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1696	AUDIODG.EXE
Token: 33	1696	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1696	AUDIODG.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1220	1108	8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe	28
PID 1108 wrote to memory of 1220	1108	8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe	28
PID 1108 wrote to memory of 1220	1108	8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe	28
PID 1108 wrote to memory of 1220	1108	8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe	28
PID 1108 wrote to memory of 1220	1108	8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe	28
PID 1108 wrote to memory of 1220	1108	8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe	28
PID 1220 wrote to memory of 2016	1220	8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe	29
PID 1220 wrote to memory of 2016	1220	8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe	29
PID 1220 wrote to memory of 2016	1220	8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe	29
PID 1220 wrote to memory of 2016	1220	8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe	29
PID 2016 wrote to memory of 1124	2016	x2z8.exe	30
PID 2016 wrote to memory of 1124	2016	x2z8.exe	30
PID 2016 wrote to memory of 1124	2016	x2z8.exe	30
PID 2016 wrote to memory of 1124	2016	x2z8.exe	30
PID 2016 wrote to memory of 1124	2016	x2z8.exe	30
PID 2016 wrote to memory of 1124	2016	x2z8.exe	30

C:\Users\Admin\AppData\Local\Temp\8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe
"C:\Users\Admin\AppData\Local\Temp\8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe
  "C:\Users\Admin\AppData\Local\Temp\8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
    C:\Users\Admin\AppData\Local\Temp\\x2z8.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
      "C:\Users\Admin\AppData\Local\Temp\x2z8.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Writes to the Master Boot Record (MBR)
      Suspicious use of AdjustPrivilegeToken
      PID:1124

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1916

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fpath.txt

Filesize
102B

MD5
ef3660284c6ff2a2984b86ca774c351b

SHA1
4566d598b06ee8228411c01055730a32bf54907a

SHA256
b579f3891d9a0248addf9653eca740a273f2aa53c1ae0b99c60d1ca947ee3a34

SHA512
6d5fb318f85c4cd6ece4cd456797c2399a69efe63b1a8d9ff9c5200f84af5a688fe783de130bd2d17de95a6b2255c373a78f88a431484207c4efca276fd556b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
85KB

MD5
7f07b1d8c3e93203a5d9cb71fc57f139

SHA1
9bf82f08b7f635193775a9741e92177d85cf41a0

SHA256
8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e

SHA512
d08ad6c19cb6ce37ba6a2cc9bbd9d34fc17f2b9cef6e3a5132f6b536c929d7875a4a69051008794a8dd142a474906a9b4d779709555edb2f337d84056e98b255

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
85KB

MD5
7f07b1d8c3e93203a5d9cb71fc57f139

SHA1
9bf82f08b7f635193775a9741e92177d85cf41a0

SHA256
8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e

SHA512
d08ad6c19cb6ce37ba6a2cc9bbd9d34fc17f2b9cef6e3a5132f6b536c929d7875a4a69051008794a8dd142a474906a9b4d779709555edb2f337d84056e98b255

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
85KB

MD5
7f07b1d8c3e93203a5d9cb71fc57f139

SHA1
9bf82f08b7f635193775a9741e92177d85cf41a0

SHA256
8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e

SHA512
d08ad6c19cb6ce37ba6a2cc9bbd9d34fc17f2b9cef6e3a5132f6b536c929d7875a4a69051008794a8dd142a474906a9b4d779709555edb2f337d84056e98b255

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
85KB

MD5
7f07b1d8c3e93203a5d9cb71fc57f139

SHA1
9bf82f08b7f635193775a9741e92177d85cf41a0

SHA256
8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e

SHA512
d08ad6c19cb6ce37ba6a2cc9bbd9d34fc17f2b9cef6e3a5132f6b536c929d7875a4a69051008794a8dd142a474906a9b4d779709555edb2f337d84056e98b255

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
85KB

MD5
7f07b1d8c3e93203a5d9cb71fc57f139

SHA1
9bf82f08b7f635193775a9741e92177d85cf41a0

SHA256
8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e

SHA512
d08ad6c19cb6ce37ba6a2cc9bbd9d34fc17f2b9cef6e3a5132f6b536c929d7875a4a69051008794a8dd142a474906a9b4d779709555edb2f337d84056e98b255

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
85KB

MD5
7f07b1d8c3e93203a5d9cb71fc57f139

SHA1
9bf82f08b7f635193775a9741e92177d85cf41a0

SHA256
8281ed9ca3f499803d4337735c0a5d6279022394409f492cdba19443f721121e

SHA512
d08ad6c19cb6ce37ba6a2cc9bbd9d34fc17f2b9cef6e3a5132f6b536c929d7875a4a69051008794a8dd142a474906a9b4d779709555edb2f337d84056e98b255

Download Submit
memory/1108-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-82-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/1220-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-67-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/1220-61-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1220-62-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/1220-57-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/1220-55-0x000000002AA00000-0x000000002AA04000-memory.dmp

Filesize
16KB

Download
memory/1916-83-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

Filesize
8KB

Download
memory/2016-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

Errors