b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a

General

Target

b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
Size

305KB
MD5

5c91541bed710ff95b46456d9e237a39
SHA1

3a0ee45775e5fb20c418f00620338e1f6e550bd7
SHA256

b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a
SHA512

0d735009a52c95d03c80bbc2cc3143e40956aadc32fd6f6cfe67bc5d1644e6f15a327a699b2f07f4df83e4d8c24a2674fb4dd65b704fad9c813d515b87f9205c
SSDEEP

3072:i/7hLgEqpl+/3MszTEIuZBYdlIjVXZsqdK5tp0SfVX4kELMQZjDrbqg75uN1Rx7u:XEhI+IjVXS55P02VVQZjzqgA1GV09W

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe

description ioc process

File opened for modification \??\PhysicalDrive0 b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exeb7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe

description	pid	process	target process
PID 3068 set thread context of 2468	3068	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 2468 set thread context of 2040	2468	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3123691161"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000892"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3131972847"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000892"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3123691161"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000892"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E5B0C1CC-752F-11ED-A0EE-E6AF42CF752C} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377073384"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe

pid	process
2040	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
2040	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
2040	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

4836 IEXPLORE.EXE

pid	process
4836	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exeIEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	2040	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
Token: SeDebugPrivilege	2040	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
Token: SeDebugPrivilege	212	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

4836 IEXPLORE.EXE

pid	process
4836	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exeb7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
3068	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
2468	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
4836	IEXPLORE.EXE
4836	IEXPLORE.EXE
212	IEXPLORE.EXE
212	IEXPLORE.EXE
212	IEXPLORE.EXE
212	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exeb7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exeb7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exeiexplore.exeIEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
"C:\Users\Admin\AppData\Local\Temp\b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
"C:\Users\Admin\AppData\Local\Temp\b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
"C:\Users\Admin\AppData\Local\Temp\b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4836

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4836 CREDAT:17410 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
ac572cbbc82d6d652cdbe2596aeac4ee

SHA1
a631b27cf33fe134f42ed411d7ea06c21df41ad5

SHA256
50b6d8f62150a7bd25fb3e462130e8e054a0f1fb619487e8c426a4c8bf6bdca8

SHA512
070095ec83e4eeccae5dcbadcb3132f08fd0aac50badbc42cb72691236b6cfcdf14ce275fb1bf5511896bb4dd25c2121e044341003c1a507be8fabc0b2b1bfff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
d619be6cf6f4867277e5b32ff8ea7577

SHA1
f3dacf57d512e57c319a5b390f7f6c609ce23a78

SHA256
f85cd46732293b6549b68b5da97347ca2128c2099ea2f8280f83b7803e04a7c0

SHA512
526467d734411282a9104b54cad28dc6ea8b099faa19c4a295b7e7629d72e1c4220f47ac8dcca66c74026cd66659380c951be2aa16cffe6bca843d5d66624469

Download Submit
memory/2040-146-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2040-149-0x0000000002740000-0x000000000278F000-memory.dmp

Filesize
316KB

Download
memory/2040-141-0x0000000000000000-mapping.dmp

Download
memory/2040-142-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2040-148-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2040-145-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2468-147-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2468-144-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2468-136-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2468-135-0x0000000000000000-mapping.dmp

Download
memory/3068-134-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3068-138-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

description	pid	process	target process
PID 3068 wrote to memory of 2468	3068	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 3068 wrote to memory of 2468	3068	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 3068 wrote to memory of 2468	3068	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 3068 wrote to memory of 2468	3068	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 3068 wrote to memory of 2468	3068	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 3068 wrote to memory of 2468	3068	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 3068 wrote to memory of 2468	3068	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 3068 wrote to memory of 2468	3068	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 2468 wrote to memory of 2040	2468	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 2468 wrote to memory of 2040	2468	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 2468 wrote to memory of 2040	2468	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 2468 wrote to memory of 2040	2468	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 2468 wrote to memory of 2040	2468	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 2468 wrote to memory of 2040	2468	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 2468 wrote to memory of 2040	2468	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 2468 wrote to memory of 2040	2468	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 2468 wrote to memory of 2040	2468	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe
PID 2040 wrote to memory of 760	2040	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	iexplore.exe
PID 2040 wrote to memory of 760	2040	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	iexplore.exe
PID 2040 wrote to memory of 760	2040	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	iexplore.exe
PID 760 wrote to memory of 4836	760	iexplore.exe	IEXPLORE.EXE
PID 760 wrote to memory of 4836	760	iexplore.exe	IEXPLORE.EXE
PID 4836 wrote to memory of 212	4836	IEXPLORE.EXE	IEXPLORE.EXE
PID 4836 wrote to memory of 212	4836	IEXPLORE.EXE	IEXPLORE.EXE
PID 4836 wrote to memory of 212	4836	IEXPLORE.EXE	IEXPLORE.EXE
PID 2040 wrote to memory of 212	2040	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	IEXPLORE.EXE
PID 2040 wrote to memory of 212	2040	b7aff9d896242b310bf1ca7cafb8605b4b7f25e5b264445ce48a592f0261de9a.exe	IEXPLORE.EXE

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads