0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2

Analysis

max time kernel
178s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 02:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
Size

1.7MB
MD5

17d80ba03e34e81f0bbe0e5b02a0ebb4
SHA1

169d4d0b4af64f28106ecb40212c2dc4c090e92a
SHA256

0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2
SHA512

1b283f8b581db43c00dc545b9e24f288c0315b0804056b7d7554db932fc9f2a137d1b2385a2731ddfac35264e59ca88c8230447c58774c02a08fbee407d5b4f8
SSDEEP

49152:E5lfUp//wgN5sf4smDFhS1z+VOmUYurwrn:E5lfU5/w+CwvpVxUYr

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 22 IoCs

pid	Process
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\haoi.dll	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
File opened for modification	C:\Windows\haoi.dll	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
3172	0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe

C:\Users\Admin\AppData\Local\Temp\0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe
"C:\Users\Admin\AppData\Local\Temp\0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\AtlImage.dll

Filesize
13KB

MD5
c1355a73323cfd1dd635e3af9249bda2

SHA1
efce237fcab7dc292c81f9153a62ac030e945aba

SHA256
678459c17a151048017293fd0124f5a8ad73f571b1be5367851954415d3d309d

SHA512
0e0f4c314f81e99ac0876ab83dcaf6efbdd411a671ee37928de4557add0d253ef4b3c08201c8da457a4a0f723e309bebf16fb087f5b15d9972a93f2df37dd01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C__Users_Admin_AppData_Local_Temp_0d8a1c06ea65acce47f756c19db19bd057ea24c254b67416f067b33f52153bc2\¹¤³ÌÎÄ¼þ\res\dll\ggdll.dll

Filesize
1.0MB

MD5
e905c81030394d7f6f5303c1722864b7

SHA1
1a6425d88eee2329ce3e12abfd96a5d658386e75

SHA256
6a2a100d3397487c323d1fa4a15157b69dc97c9025252a5a6b75f9a5c0bb103d

SHA512
37f7ddcf1971e109a0fe8bd7b132f71dd78bae780bd6bbd0415f702bbb0ba0eadaf35e15ac86b53738cd7acbd3bb824fe154d404f1a2971539b6fa7904fc00fb

Download Submit
C:\Windows\haoi.dll

Filesize
160KB

MD5
b31c03d9f4d28e6009637e5e06f05eb3

SHA1
a96f8c2e8a97d19e15be0d6abba11c380ece43eb

SHA256
0b53c47ddc88b7e3e5581446304c2c1bb3c9f71b09b75c8b0f70d63c8a08096d

SHA512
01aabdf55b4ffddb63c389e3ec4db9ba0699f45cc9ecfd948ea8994cf210b9a784699fdaef68d0fa81ca6df256681d08c3df9ed0447e015b1a0f1caddbb97851

Download Submit
C:\Windows\haoi.dll

Filesize
160KB

MD5
b31c03d9f4d28e6009637e5e06f05eb3

SHA1
a96f8c2e8a97d19e15be0d6abba11c380ece43eb

SHA256
0b53c47ddc88b7e3e5581446304c2c1bb3c9f71b09b75c8b0f70d63c8a08096d

SHA512
01aabdf55b4ffddb63c389e3ec4db9ba0699f45cc9ecfd948ea8994cf210b9a784699fdaef68d0fa81ca6df256681d08c3df9ed0447e015b1a0f1caddbb97851

Download Submit
memory/3172-136-0x00000000024D0000-0x00000000024FA000-memory.dmp

Filesize
168KB

Download