cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b

General

Target

cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe
Size

470KB
MD5

ba27c6b81019a312eea3f6d060c7fa70
SHA1

81ee71045fcfedd2cfd68bf693a2d71829b3d949
SHA256

cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b
SHA512

9f637e9505afcc6cb6a4b738f6db2cd913a64fcb0741bd5da2c94b1ed413c7ca6c77a36394039800e8450f41d058730e1fba25433b3096eac95e0658d7b192f8
SSDEEP

12288:FlVWvTJvuhNV7lE1Hw3ymsZc80kYMx54UJfQcWNtTirdDQd:FrETUx7lWfARy4U9QcSTEdDG

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
108	ASPNETSetup_00000.log

Loads dropped DLL 1 IoCs

pid	Process
916	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ASPNETSetup_00000.log

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
916	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe
916	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
916	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1468	DllHost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 916	956	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	27
PID 956 wrote to memory of 916	956	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	27
PID 956 wrote to memory of 916	956	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	27
PID 956 wrote to memory of 916	956	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	27
PID 916 wrote to memory of 108	916	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	29
PID 916 wrote to memory of 108	916	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	29
PID 916 wrote to memory of 108	916	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	29
PID 916 wrote to memory of 108	916	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	29
PID 916 wrote to memory of 108	916	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	29
PID 916 wrote to memory of 108	916	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	29
PID 916 wrote to memory of 108	916	cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe	29

C:\Users\Admin\AppData\Local\Temp\cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe
"C:\Users\Admin\AppData\Local\Temp\cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe
  C:\Users\Admin\AppData\Local\Temp\cf171a99ee072800e254bf440c0bdcaeb66815569b8b683eb985b345b816bd1b.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000.log
    C:\Users\Admin\AppData\Local\Temp\\ASPNETSetup_00000.log
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:108

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000.log

Filesize
714KB

MD5
1aaa1057ed1127f2ac89a367aaa36b2e

SHA1
88c3f162a889d72a071450fa0d3d7b0dcd75c3f7

SHA256
fb2cba9c9fd2c642af72fd5f59840a748ee78e3439e4e74fd4ffc7a79cea353a

SHA512
f287c8fc493869acae216a590771938bc14666d307812f170e0b503a32f41f745bb10053aaa48885accb125760e3bc3fe672084428b4ab26c720df3c2a53a542

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000.log

Filesize
714KB

MD5
1aaa1057ed1127f2ac89a367aaa36b2e

SHA1
88c3f162a889d72a071450fa0d3d7b0dcd75c3f7

SHA256
fb2cba9c9fd2c642af72fd5f59840a748ee78e3439e4e74fd4ffc7a79cea353a

SHA512
f287c8fc493869acae216a590771938bc14666d307812f170e0b503a32f41f745bb10053aaa48885accb125760e3bc3fe672084428b4ab26c720df3c2a53a542

Download Submit
C:\Windows\Temp\wÎÒ.jpg

Filesize
12KB

MD5
1be35538598e493f5aa453e44bccf033

SHA1
210914902945e95f592eebe66f979f038ade2713

SHA256
49fd6328408d7f8f4589dcdba30a16e54c69e6d282792c26b087800afccc535a

SHA512
1aae93e75babfa9c85773ec2092e1c30be7a9ac9288b14133af92b2c7da38b5cd8d57b678e18cc1529d0ea12a32e6b1c6e7eda0af914cd569341c2a2f4443600

Download Submit
\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000.log

Filesize
714KB

MD5
1aaa1057ed1127f2ac89a367aaa36b2e

SHA1
88c3f162a889d72a071450fa0d3d7b0dcd75c3f7

SHA256
fb2cba9c9fd2c642af72fd5f59840a748ee78e3439e4e74fd4ffc7a79cea353a

SHA512
f287c8fc493869acae216a590771938bc14666d307812f170e0b503a32f41f745bb10053aaa48885accb125760e3bc3fe672084428b4ab26c720df3c2a53a542

Download Submit
memory/108-63-0x0000000000B70000-0x0000000000BB3000-memory.dmp

Filesize
268KB

Download
memory/108-64-0x0000000000400000-0x0000000000B64000-memory.dmp

Filesize
7.4MB

Download
memory/956-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing