d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb

General

Target

d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
Size

280KB
MD5

6189aa9cd597f9a1ff1d4f4197ab16c0
SHA1

7f658224a2e34375469710c6e64b9ad81d6b426f
SHA256

d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb
SHA512

6a1552784e8689768e12571246deff4135341c3242262b24dbdb0364487b35e8df0f43d543e9f1905dca0d9e1696fcc8dc24f10ea629a2992df5cfbcc943dcbf
SSDEEP

6144:iKRS87kW10IVb7LZ72Nmm6Sr00wtKnHQ:f7kQHZ7ommrg0wO

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe

description ioc process

File opened for modification \??\PhysicalDrive0 d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exed0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe

description	pid	process	target process
PID 400 set thread context of 452	400	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 452 set thread context of 3508	452	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000890"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AA8CA210-752D-11ED-A0EE-7A46CE8ECE48} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2136782900"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377072426"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2131781988"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000890"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000890"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2131781988"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe

pid	process
3508	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
3508	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
3508	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1904 IEXPLORE.EXE

pid	process
1904	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exeIEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	3508	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
Token: SeDebugPrivilege	3508	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
Token: SeDebugPrivilege	4504	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1904 IEXPLORE.EXE

pid	process
1904	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exed0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
400	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
452	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
1904	IEXPLORE.EXE
1904	IEXPLORE.EXE
4504	IEXPLORE.EXE
4504	IEXPLORE.EXE
4504	IEXPLORE.EXE
4504	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exed0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exed0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exeiexplore.exeIEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
"C:\Users\Admin\AppData\Local\Temp\d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:400

C:\Users\Admin\AppData\Local\Temp\d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
"C:\Users\Admin\AppData\Local\Temp\d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\Temp\d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
"C:\Users\Admin\AppData\Local\Temp\d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1904 CREDAT:17410 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
ac572cbbc82d6d652cdbe2596aeac4ee

SHA1
a631b27cf33fe134f42ed411d7ea06c21df41ad5

SHA256
50b6d8f62150a7bd25fb3e462130e8e054a0f1fb619487e8c426a4c8bf6bdca8

SHA512
070095ec83e4eeccae5dcbadcb3132f08fd0aac50badbc42cb72691236b6cfcdf14ce275fb1bf5511896bb4dd25c2121e044341003c1a507be8fabc0b2b1bfff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
1e57d92a614e816dbd20719be273482f

SHA1
678db19898e0b1b26404116abc5841ab3087406e

SHA256
a7744788bd454dcaa7e1fcfe08c8079a6401a2bab5853d443b21fc3a76775edc

SHA512
f5032cbbcf3854ba3fe27e5688a528bf643a0588d4f89da9248f2fae3c9d6dbf4eb6688dc971facc402d9adf4bb97d107197957055117d2b5540a341c77a2aff

Download Submit
memory/400-134-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/400-139-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/452-144-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/452-136-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/452-135-0x0000000000000000-mapping.dmp

Download
memory/3508-142-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3508-141-0x0000000000000000-mapping.dmp

Download
memory/3508-145-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3508-146-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3508-147-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3508-148-0x00000000022D0000-0x000000000231F000-memory.dmp

Filesize
316KB

Download

description	pid	process	target process
PID 400 wrote to memory of 452	400	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 400 wrote to memory of 452	400	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 400 wrote to memory of 452	400	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 400 wrote to memory of 452	400	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 400 wrote to memory of 452	400	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 400 wrote to memory of 452	400	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 400 wrote to memory of 452	400	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 400 wrote to memory of 452	400	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 452 wrote to memory of 3508	452	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 452 wrote to memory of 3508	452	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 452 wrote to memory of 3508	452	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 452 wrote to memory of 3508	452	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 452 wrote to memory of 3508	452	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 452 wrote to memory of 3508	452	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 452 wrote to memory of 3508	452	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 452 wrote to memory of 3508	452	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 452 wrote to memory of 3508	452	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe
PID 3508 wrote to memory of 1096	3508	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	iexplore.exe
PID 3508 wrote to memory of 1096	3508	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	iexplore.exe
PID 3508 wrote to memory of 1096	3508	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	iexplore.exe
PID 1096 wrote to memory of 1904	1096	iexplore.exe	IEXPLORE.EXE
PID 1096 wrote to memory of 1904	1096	iexplore.exe	IEXPLORE.EXE
PID 1904 wrote to memory of 4504	1904	IEXPLORE.EXE	IEXPLORE.EXE
PID 1904 wrote to memory of 4504	1904	IEXPLORE.EXE	IEXPLORE.EXE
PID 1904 wrote to memory of 4504	1904	IEXPLORE.EXE	IEXPLORE.EXE
PID 3508 wrote to memory of 4504	3508	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	IEXPLORE.EXE
PID 3508 wrote to memory of 4504	3508	d0ee8ab8ec997c1b134bc9516f0bc788bc08a770f5f4d56b4c5bff3fbce55beb.exe	IEXPLORE.EXE

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads