afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969

General

Target

afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe
Size

284KB
MD5

24ed82868a5ea803c86b526dcb0c9430
SHA1

6c6aaab781be78dbf793e42f8a61774dcc8c8bc4
SHA256

afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969
SHA512

5c315e907d55bfe308cf1efaf1371b11ac6aef7d14da562628b5117f9dbc7e7d9d11a58a834c29cb54d6da6e3d4cb988767c5c008d2de30ab966c76a5de0a491
SSDEEP

3072:FTTyW+LiBBTka15GZwPOAmv33LnDmHA//OOhgaHzIntHXzXt1+zArngYIVaaY24M:F9BQW5EmAnoXzX+zArgYIVauDnodTQ

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 960 set thread context of 328	960	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	28
PID 328 set thread context of 676	328	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
676	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	676	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
960	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe
328	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 328	960	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	28
PID 960 wrote to memory of 328	960	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	28
PID 960 wrote to memory of 328	960	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	28
PID 960 wrote to memory of 328	960	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	28
PID 960 wrote to memory of 328	960	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	28
PID 960 wrote to memory of 328	960	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	28
PID 960 wrote to memory of 328	960	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	28
PID 960 wrote to memory of 328	960	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	28
PID 960 wrote to memory of 328	960	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	28
PID 328 wrote to memory of 676	328	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	29
PID 328 wrote to memory of 676	328	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	29
PID 328 wrote to memory of 676	328	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	29
PID 328 wrote to memory of 676	328	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	29
PID 328 wrote to memory of 676	328	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	29
PID 328 wrote to memory of 676	328	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	29
PID 328 wrote to memory of 676	328	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	29
PID 328 wrote to memory of 676	328	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	29
PID 328 wrote to memory of 676	328	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	29
PID 328 wrote to memory of 676	328	afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe	29

C:\Users\Admin\AppData\Local\Temp\afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe
"C:\Users\Admin\AppData\Local\Temp\afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe
  "C:\Users\Admin\AppData\Local\Temp\afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Users\Admin\AppData\Local\Temp\afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe
    "C:\Users\Admin\AppData\Local\Temp\afec2939f34a84d49eee6edd184c43b5fe4f796963b71f823644b9d9b5e5f969.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/328-81-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/328-57-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/328-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/328-60-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/328-63-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/676-70-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/676-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/676-72-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/676-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/676-76-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/676-78-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/676-82-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/676-83-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/676-84-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/676-87-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/960-56-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/960-65-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing