a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d

General

Target

a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Size

728KB
MD5

5ab58dfa5209060ebfda828b0f35d0a4
SHA1

9840ac6d20c1eb8c65fa7f0800365dd6bcac4d06
SHA256

a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d
SHA512

3bd591734dfb5deb522091f692b1e412998631c5757bed2d5b4223487ba808d9a0a9537cee17adbe324ca518ff739fd80bf037b6a4c81439df9edd3c9b8bd8dc
SSDEEP

12288:UaK9LotbL8oOu3zf+BQfBuG062RpSAoe+OjLJO+OjbLY+OjS7C+Oj+gQ+Ojw9E+i:UaqotGuwcBu7RToe+OjLJO+OjbLY+Ojk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1736	svchost.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
852	svchost.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KernelPort\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\acdev.sys"	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	svchost.exe
1736	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeSecurityPrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeTakeOwnershipPrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeLoadDriverPrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeSystemProfilePrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeSystemtimePrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeProfSingleProcessPrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeIncBasePriorityPrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeCreatePagefilePrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeBackupPrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeRestorePrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeShutdownPrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeDebugPrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeSystemEnvironmentPrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeRemoteShutdownPrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeUndockPrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: SeManageVolumePrivilege	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: 33	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: 34	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
Token: 35	1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
1552	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1736	1776	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe	27
PID 1776 wrote to memory of 1736	1776	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe	27
PID 1776 wrote to memory of 1736	1776	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe	27
PID 1776 wrote to memory of 1736	1776	a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe	27
PID 1736 wrote to memory of 1552	1736	svchost.exe	28
PID 1736 wrote to memory of 1552	1736	svchost.exe	28
PID 1736 wrote to memory of 1552	1736	svchost.exe	28
PID 1736 wrote to memory of 1552	1736	svchost.exe	28

C:\Users\Admin\AppData\Local\Temp\a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
"C:\Users\Admin\AppData\Local\Temp\a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe
    "C:\Users\Admin\AppData\Local\Temp\a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe"
    3⤵
    - Executes dropped EXE
    - Sets service image path in registry
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1552

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe

Filesize
693KB

MD5
a6a5d6c188985ac6a7eccab08216a830

SHA1
f33fde3f6fccd46284d63ccb922a95a237055ac5

SHA256
952e7245caeed4faf6adcbb469e9e90043c9e7d3305e4831be28a43d53cb4f77

SHA512
88fbfafce4daf14a59402538c9a6718b6d883952e28065fd0389b64df4ddfc34ab9df79a6678741bb17d755d0136bba973c7e444ba3289727af43fb14d116b97

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\Users\Admin\AppData\Local\Temp\a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe

Filesize
693KB

MD5
a6a5d6c188985ac6a7eccab08216a830

SHA1
f33fde3f6fccd46284d63ccb922a95a237055ac5

SHA256
952e7245caeed4faf6adcbb469e9e90043c9e7d3305e4831be28a43d53cb4f77

SHA512
88fbfafce4daf14a59402538c9a6718b6d883952e28065fd0389b64df4ddfc34ab9df79a6678741bb17d755d0136bba973c7e444ba3289727af43fb14d116b97

Download Submit
\Users\Admin\AppData\Local\Temp\a4607b7016814586d9dc0409b00dd5e51a5a8e4749c12576c9a82db880d9512d.exe

Filesize
693KB

MD5
a6a5d6c188985ac6a7eccab08216a830

SHA1
f33fde3f6fccd46284d63ccb922a95a237055ac5

SHA256
952e7245caeed4faf6adcbb469e9e90043c9e7d3305e4831be28a43d53cb4f77

SHA512
88fbfafce4daf14a59402538c9a6718b6d883952e28065fd0389b64df4ddfc34ab9df79a6678741bb17d755d0136bba973c7e444ba3289727af43fb14d116b97

Download Submit
memory/1552-61-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1552-64-0x0000000000400000-0x0000000000A4A000-memory.dmp

Filesize
6.3MB

Download
memory/1552-66-0x0000000000400000-0x0000000000A4A000-memory.dmp

Filesize
6.3MB

Download
memory/1736-62-0x0000000002510000-0x0000000002B5A000-memory.dmp

Filesize
6.3MB

Download
memory/1736-63-0x0000000002510000-0x0000000002B5A000-memory.dmp

Filesize
6.3MB

Download

Analysis

Sharing