9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078

General

Target

9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078.exe
Size

493KB
MD5

478d9003d522e53259e978657f46ed44
SHA1

5346a5bd0d8bf00edce370f0aebb35ca402e3c54
SHA256

9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078
SHA512

017c072df2ada3d83ab8f4a3cc6ec65307d4fcb302916e6e859249e8b9c0acc3d9eb5373a7875d5e3f55cabf136ad8193a0bce450270caeb9a47f8f626ae4cfd
SSDEEP

12288:ipScQ8YwSG8AdVegF68XkjcxVNtTirdTG:i838PC1xKkjgTEd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1464	Hacker.com.cn.exe

Deletes itself 1 IoCs

pid	Process
764	cmd.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078.exe
File opened for modification	\??\PhysicalDrive0	Hacker.com.cn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078.exe
File created	C:\Windows\GUOCYOKl.BAT	9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1140	9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078.exe
Token: SeDebugPrivilege	1464	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1464	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1652	1464	Hacker.com.cn.exe	28
PID 1464 wrote to memory of 1652	1464	Hacker.com.cn.exe	28
PID 1464 wrote to memory of 1652	1464	Hacker.com.cn.exe	28
PID 1464 wrote to memory of 1652	1464	Hacker.com.cn.exe	28
PID 1140 wrote to memory of 764	1140	9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078.exe	29
PID 1140 wrote to memory of 764	1140	9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078.exe	29
PID 1140 wrote to memory of 764	1140	9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078.exe	29
PID 1140 wrote to memory of 764	1140	9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078.exe	29

C:\Users\Admin\AppData\Local\Temp\9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078.exe
"C:\Users\Admin\AppData\Local\Temp\9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\GUOCYOKl.BAT
  2⤵
  - Deletes itself
  PID:764

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GUOCYOKl.BAT

Filesize
254B

MD5
bdc40b273ea1c25d4db0d4c3af740b11

SHA1
143ea15a3d07b6f21cd52dd8b3dab9a91b76a10c

SHA256
008dff809e7e1bf5f167154614ae64705aff702ed08fe73016616f8a77e75ea0

SHA512
510b8696ea902e40db6e728cbd05c3e125326eae586ace022d9ad480669b61736d4f1ce3d04476bc34d6fd8dcdc26df45f52ea4bee4ca87bce929ceb1163516e

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
493KB

MD5
478d9003d522e53259e978657f46ed44

SHA1
5346a5bd0d8bf00edce370f0aebb35ca402e3c54

SHA256
9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078

SHA512
017c072df2ada3d83ab8f4a3cc6ec65307d4fcb302916e6e859249e8b9c0acc3d9eb5373a7875d5e3f55cabf136ad8193a0bce450270caeb9a47f8f626ae4cfd

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
493KB

MD5
478d9003d522e53259e978657f46ed44

SHA1
5346a5bd0d8bf00edce370f0aebb35ca402e3c54

SHA256
9388296661994b856dadf96a563839040b0ee39456685a2b3f4a880f3e29a078

SHA512
017c072df2ada3d83ab8f4a3cc6ec65307d4fcb302916e6e859249e8b9c0acc3d9eb5373a7875d5e3f55cabf136ad8193a0bce450270caeb9a47f8f626ae4cfd

Download Submit
memory/1140-57-0x0000000001E90000-0x0000000001E94000-memory.dmp

Filesize
16KB

Download
memory/1140-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1140-56-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/1140-62-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1140-63-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/1140-55-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1464-64-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1464-65-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download
memory/1464-67-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1464-68-0x00000000003A0000-0x00000000003E3000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing