cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431

General

Target

cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431.exe
Size

2.4MB
MD5

b1564aba878a760316bac9cd40764c83
SHA1

e5a60c0f82205395f4d94375abde7d616f9c2da4
SHA256

cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431
SHA512

3d522f611d232ef069e24f826aa8ebd10a100a2faca1ca9c54019eddc9696ac884628bcc009ad2621108305ae36923892da1d51a1d081958655f86015f77e9f5
SSDEEP

49152:AgH1i41dDCQv5gqBvrPwMtbBkYrgs+SkrAb6hXDJy/F:AG1NDCQmqBvzw4iYYk6hXo/F

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2328	wr2132ef79zg.exe

Loads dropped DLL 1 IoCs

pid	Process
4168	Rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\2132ef79\wr2132ef79zg.exe	cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431.exe
File created	C:\Program Files\2132ef79\fi1\32ef79cdu.txt	cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431.exe
File created	C:\Program Files\2132ef79\fi1\32ef79cduec.txt	cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431.exe
File created	C:\Program Files\2132ef79\wr2132ef79zg.lnk	cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431.exe
File created	C:\Program Files\2132ef79\fi1\32ef79cdu.dll	wr2132ef79zg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4864	cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 2328	4864	cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431.exe	81
PID 4864 wrote to memory of 2328	4864	cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431.exe	81
PID 4864 wrote to memory of 2328	4864	cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431.exe	81
PID 2328 wrote to memory of 4168	2328	wr2132ef79zg.exe	82
PID 2328 wrote to memory of 4168	2328	wr2132ef79zg.exe	82
PID 2328 wrote to memory of 4168	2328	wr2132ef79zg.exe	82

C:\Users\Admin\AppData\Local\Temp\cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431.exe
"C:\Users\Admin\AppData\Local\Temp\cfd6979b42f1549b12ec92d510129c53c05f47f712ac31a1bcc979d8aab83431.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Program Files\2132ef79\wr2132ef79zg.exe
  "C:\Program Files\2132ef79\wr2132ef79zg.exe" "0C1DBA16833B2B2A05CBBE9B34FC8348417DAAEFD82534565738AD54FF1C6B9928A8B13B3B07498E585556DDEC79E72C02BAFF542093042BCB551E32302FB9C24FAE54B37D544A72EAC78B1E310512A6E3BA4B58B093A55065A63883A63B27914D0F051419F22A46EB" 1CFD67
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32.exe "C:\Program Files\2132ef79\fi1\32ef79cdu.dll",Main 1
    3⤵
    - Loads dropped DLL
    PID:4168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\2132ef79\fi1\32ef79cdu.dll

Filesize
236KB

MD5
3e6624446de3702b29bb837bbcfa7252

SHA1
b50a40f1f8aeaa19966f29dacbb4151773f8b74a

SHA256
a346fbef28e983d73c5fed1d93ddddede8ed76dcec72bd3fc9e7f15b32d1b1f4

SHA512
e3aec62068701d3daeab38d1548cf0f4d848452245672ea7c62b20cff8471f2a9edf979dcbc4bee7e25c6e62036687e3b55f473111e04b835114f4a4f7a9c481

Download Submit
C:\Program Files\2132ef79\fi1\32ef79cdu.dll

Filesize
236KB

MD5
3e6624446de3702b29bb837bbcfa7252

SHA1
b50a40f1f8aeaa19966f29dacbb4151773f8b74a

SHA256
a346fbef28e983d73c5fed1d93ddddede8ed76dcec72bd3fc9e7f15b32d1b1f4

SHA512
e3aec62068701d3daeab38d1548cf0f4d848452245672ea7c62b20cff8471f2a9edf979dcbc4bee7e25c6e62036687e3b55f473111e04b835114f4a4f7a9c481

Download Submit
C:\Program Files\2132ef79\fi1\32ef79cdu.txt

Filesize
236KB

MD5
c55587042d48abe5e7c7d368f1d58aa4

SHA1
b23316e63c7ca939c89d6c3c9ca05a3d99d82b31

SHA256
1fc9c3a1cc23a4a99d91aaeca02540dd47b09c76dbe3500e051cfb679c78fe63

SHA512
c4a0f78ae7d2ab559be6e5ccb59c22ee6a23fa67edfbff7cbb6ffbd3c87c2e8b3603ca93557060f7d289a4dfd06a8a29041f851eca161cae7c777f382e2c6e06

Download Submit
C:\Program Files\2132ef79\wr2132ef79zg.exe

Filesize
582KB

MD5
2b61b4e8cea7e6f416fab0955eb552f7

SHA1
e662d04c7c0631a464ecfe94ebbddba23ba12675

SHA256
405ec09af7bd06e415e857ad8bbdeeed1612fe6c409943100da06e739713bb93

SHA512
4f9acf17d1182bcd1373d3142f2c9a33bf962bc7a14a538985a8ae3748af22228ca8649925e58c2bc4a73ef69a5f6dcb04acdf7b1045abbfaee85d4ef1692c4b

Download Submit
C:\Program Files\2132ef79\wr2132ef79zg.exe

Filesize
582KB

MD5
2b61b4e8cea7e6f416fab0955eb552f7

SHA1
e662d04c7c0631a464ecfe94ebbddba23ba12675

SHA256
405ec09af7bd06e415e857ad8bbdeeed1612fe6c409943100da06e739713bb93

SHA512
4f9acf17d1182bcd1373d3142f2c9a33bf962bc7a14a538985a8ae3748af22228ca8649925e58c2bc4a73ef69a5f6dcb04acdf7b1045abbfaee85d4ef1692c4b

Download Submit
memory/2328-132-0x0000000000000000-mapping.dmp

Download
memory/4168-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing