bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c

General

Target

bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe
Size

609KB
MD5

618ade4e630f0fc2563df1e2912301eb
SHA1

cb678dd8e083f891afdfe9c6e7cffb787cc2f785
SHA256

bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c
SHA512

e8f5d4c51bb51d28a8ee1d459849c21f104545af11f83d12f624555b133f2d56e5c608185483cb00408ec5907d2ec4258488c9ec828c2cdf3b4905127217eb52
SSDEEP

6144:Y5E6ftgX/kGMGOMtiRvbFzAgnCheJmA5ufN6igua+z4AswiZcaFxA:4V+IGOfzygnbJmA5ufjgua1waFxA

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Realtek_AC97.exe

pid process

1212 Realtek_AC97.exe

pid	process
1212	Realtek_AC97.exe

Loads dropped DLL 4 IoCs

Processes:

bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe

pid	process
1140	bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe
1140	bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe
1140	bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe
1140	bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Realtek_AC97.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Realtek_AC97.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Realtek_AC97.exe

pid process

1212 Realtek_AC97.exe
1212 Realtek_AC97.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe

pid process

1140 bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Realtek_AC97.exe

pid	process
1212	Realtek_AC97.exe
1212	Realtek_AC97.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe

description	pid	process	target process
PID 1140 wrote to memory of 1212	1140	bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe	Realtek_AC97.exe
PID 1140 wrote to memory of 1212	1140	bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe	Realtek_AC97.exe
PID 1140 wrote to memory of 1212	1140	bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe	Realtek_AC97.exe
PID 1140 wrote to memory of 1212	1140	bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe	Realtek_AC97.exe

C:\Users\Admin\AppData\Local\Temp\bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe
"C:\Users\Admin\AppData\Local\Temp\bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\Realtek_AC97.exe
"C:\Users\Admin\AppData\Local\Temp\Realtek_AC97.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:1212

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1892

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1812

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1956

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Realtek_AC97.exe
Filesize
609KB

MD5
618ade4e630f0fc2563df1e2912301eb

SHA1
cb678dd8e083f891afdfe9c6e7cffb787cc2f785

SHA256
bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c

SHA512
e8f5d4c51bb51d28a8ee1d459849c21f104545af11f83d12f624555b133f2d56e5c608185483cb00408ec5907d2ec4258488c9ec828c2cdf3b4905127217eb52

Download Submit
\Users\Admin\AppData\Local\Temp\Realtek_AC97.exe
Filesize
609KB

MD5
618ade4e630f0fc2563df1e2912301eb

SHA1
cb678dd8e083f891afdfe9c6e7cffb787cc2f785

SHA256
bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c

SHA512
e8f5d4c51bb51d28a8ee1d459849c21f104545af11f83d12f624555b133f2d56e5c608185483cb00408ec5907d2ec4258488c9ec828c2cdf3b4905127217eb52

Download Submit
\Users\Admin\AppData\Local\Temp\Realtek_AC97.exe
Filesize
609KB

MD5
618ade4e630f0fc2563df1e2912301eb

SHA1
cb678dd8e083f891afdfe9c6e7cffb787cc2f785

SHA256
bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c

SHA512
e8f5d4c51bb51d28a8ee1d459849c21f104545af11f83d12f624555b133f2d56e5c608185483cb00408ec5907d2ec4258488c9ec828c2cdf3b4905127217eb52

Download Submit
\Users\Admin\AppData\Local\Temp\Realtek_AC97.exe
Filesize
609KB

MD5
618ade4e630f0fc2563df1e2912301eb

SHA1
cb678dd8e083f891afdfe9c6e7cffb787cc2f785

SHA256
bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c

SHA512
e8f5d4c51bb51d28a8ee1d459849c21f104545af11f83d12f624555b133f2d56e5c608185483cb00408ec5907d2ec4258488c9ec828c2cdf3b4905127217eb52

Download Submit
\Users\Admin\AppData\Local\Temp\Realtek_AC97.exe
Filesize
609KB

MD5
618ade4e630f0fc2563df1e2912301eb

SHA1
cb678dd8e083f891afdfe9c6e7cffb787cc2f785

SHA256
bce27c65838c7c49b49245c109978e2d012f4567cd938d020e747e3db847fa1c

SHA512
e8f5d4c51bb51d28a8ee1d459849c21f104545af11f83d12f624555b133f2d56e5c608185483cb00408ec5907d2ec4258488c9ec828c2cdf3b4905127217eb52

Download Submit
memory/1140-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1140-55-0x0000000000400000-0x000000000051F9A0-memory.dmp

Filesize
1.1MB

Download
memory/1212-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing