af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0

Reason

Machine shutdown

General

Target

af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe
Size

423KB
MD5

fb4885cc483fa50716c9f17f80ae3f18
SHA1

1708e68a0d359902fe836b14f0e13bc69706390b
SHA256

af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0
SHA512

8e47abb1cccf247646d3523ba5a0a19c8d878a3aed3b71917468d01de6fef4d32474279c60b89ae8b5e7f4d81632b6f0bfcdc89e00931bbbd008454100364848
SSDEEP

6144:kl+pS3P7rb8WmOeOOQQqq8//3SiZTC4uVAr1wu8DtKYaTJ4PzgkjUllLN:O+pS3P7rwmJq8//hw4uvVt5aTJkep

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
268	x2z8.exe
624	x2z8.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/872-54-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/872-62-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/files/0x0008000000014bf0-64.dat	upx
behavioral1/files/0x0008000000014bf0-67.dat	upx
behavioral1/files/0x0008000000014bf0-65.dat	upx
behavioral1/memory/268-69-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/files/0x0008000000014bf0-70.dat	upx
behavioral1/files/0x0008000000014bf0-71.dat	upx
behavioral1/files/0x0008000000014bf0-78.dat	upx

Deletes itself 1 IoCs

pid	Process
624	x2z8.exe

Loads dropped DLL 3 IoCs

pid	Process
1740	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe
1740	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe
268	x2z8.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe
File opened for modification	\??\PHYSICALDRIVE0	x2z8.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 872 set thread context of 1740	872	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe	27
PID 268 set thread context of 624	268	x2z8.exe	29

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	624	x2z8.exe
Token: 33	1828	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1828	AUDIODG.EXE
Token: 33	1828	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1828	AUDIODG.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1740	872	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe	27
PID 872 wrote to memory of 1740	872	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe	27
PID 872 wrote to memory of 1740	872	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe	27
PID 872 wrote to memory of 1740	872	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe	27
PID 872 wrote to memory of 1740	872	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe	27
PID 872 wrote to memory of 1740	872	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe	27
PID 872 wrote to memory of 1740	872	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe	27
PID 872 wrote to memory of 1740	872	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe	27
PID 1740 wrote to memory of 268	1740	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe	28
PID 1740 wrote to memory of 268	1740	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe	28
PID 1740 wrote to memory of 268	1740	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe	28
PID 1740 wrote to memory of 268	1740	af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe	28
PID 268 wrote to memory of 624	268	x2z8.exe	29
PID 268 wrote to memory of 624	268	x2z8.exe	29
PID 268 wrote to memory of 624	268	x2z8.exe	29
PID 268 wrote to memory of 624	268	x2z8.exe	29
PID 268 wrote to memory of 624	268	x2z8.exe	29
PID 268 wrote to memory of 624	268	x2z8.exe	29
PID 268 wrote to memory of 624	268	x2z8.exe	29
PID 268 wrote to memory of 624	268	x2z8.exe	29

C:\Users\Admin\AppData\Local\Temp\af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe
"C:\Users\Admin\AppData\Local\Temp\af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe
  C:\Users\Admin\AppData\Local\Temp\af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0.exe
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
    C:\Users\Admin\AppData\Local\Temp\\x2z8.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Users\Admin\AppData\Local\Temp\x2z8.exe
      C:\Users\Admin\AppData\Local\Temp\x2z8.exe
      4⤵
      Executes dropped EXE
      Deletes itself
      Writes to the Master Boot Record (MBR)
      Suspicious use of AdjustPrivilegeToken
      PID:624

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1516

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fpath.txt

Filesize
102B

MD5
f6117a4355a2444def50dcf5e7c50776

SHA1
f29e910fc955d8d00b5d2dd349e355be41bc07d0

SHA256
79c6e724680eecbc84d3a4b3ca0e9017c7e5aa47faa7c703f770a5c0c606be1c

SHA512
abd494ff7b18a82cb501c08f4e22b25ed574b14a1825eeaef9d7f273b63c6c5330ae77a050bd1f1a471c6543a2cccbfa36bf1f1a95bbbd385418c530e2ba9932

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
423KB

MD5
fb4885cc483fa50716c9f17f80ae3f18

SHA1
1708e68a0d359902fe836b14f0e13bc69706390b

SHA256
af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0

SHA512
8e47abb1cccf247646d3523ba5a0a19c8d878a3aed3b71917468d01de6fef4d32474279c60b89ae8b5e7f4d81632b6f0bfcdc89e00931bbbd008454100364848

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
423KB

MD5
fb4885cc483fa50716c9f17f80ae3f18

SHA1
1708e68a0d359902fe836b14f0e13bc69706390b

SHA256
af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0

SHA512
8e47abb1cccf247646d3523ba5a0a19c8d878a3aed3b71917468d01de6fef4d32474279c60b89ae8b5e7f4d81632b6f0bfcdc89e00931bbbd008454100364848

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
423KB

MD5
fb4885cc483fa50716c9f17f80ae3f18

SHA1
1708e68a0d359902fe836b14f0e13bc69706390b

SHA256
af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0

SHA512
8e47abb1cccf247646d3523ba5a0a19c8d878a3aed3b71917468d01de6fef4d32474279c60b89ae8b5e7f4d81632b6f0bfcdc89e00931bbbd008454100364848

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
423KB

MD5
fb4885cc483fa50716c9f17f80ae3f18

SHA1
1708e68a0d359902fe836b14f0e13bc69706390b

SHA256
af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0

SHA512
8e47abb1cccf247646d3523ba5a0a19c8d878a3aed3b71917468d01de6fef4d32474279c60b89ae8b5e7f4d81632b6f0bfcdc89e00931bbbd008454100364848

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
423KB

MD5
fb4885cc483fa50716c9f17f80ae3f18

SHA1
1708e68a0d359902fe836b14f0e13bc69706390b

SHA256
af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0

SHA512
8e47abb1cccf247646d3523ba5a0a19c8d878a3aed3b71917468d01de6fef4d32474279c60b89ae8b5e7f4d81632b6f0bfcdc89e00931bbbd008454100364848

Download Submit
\Users\Admin\AppData\Local\Temp\x2z8.exe

Filesize
423KB

MD5
fb4885cc483fa50716c9f17f80ae3f18

SHA1
1708e68a0d359902fe836b14f0e13bc69706390b

SHA256
af21771c43e4329e3d3708f7a9584d9eb5a78733b8262e6cc5b5b9cd497b13d0

SHA512
8e47abb1cccf247646d3523ba5a0a19c8d878a3aed3b71917468d01de6fef4d32474279c60b89ae8b5e7f4d81632b6f0bfcdc89e00931bbbd008454100364848

Download Submit
memory/268-69-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/624-82-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/872-54-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/872-62-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1516-83-0x000007FEFBA21000-0x000007FEFBA23000-memory.dmp

Filesize
8KB

Download
memory/1740-59-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1740-68-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1740-63-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/1740-57-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1740-56-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1740-55-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

Errors