57f5bdbf3437b84b8f2c6b5fd58e7a157077666e0822d2d498a9db161e818b94

General

Target

57f5bdbf3437b84b8f2c6b5fd58e7a157077666e0822d2d498a9db161e818b94.exe
Size

725KB
MD5

e917362f0e5956d0198f2b320fe12332
SHA1

b06acf5f9ff02aea07976a4bd56139d51ac769db
SHA256

57f5bdbf3437b84b8f2c6b5fd58e7a157077666e0822d2d498a9db161e818b94
SHA512

488e4fef7ac8037d707be3a8c95e346601721de35d117d88d578bd41420291cf6c7c74eab564439dc4e7aaaba9b976bb2d58db174446eb77e8def8b761950c9c
SSDEEP

12288:7CatIwPtT2lwPtT2VpmxqDbHks2XnFxXKdOUzD1Duc18Wy:7zVPtT2OPtT2VpmUHU3F4Tzlu/

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1768	bootinst.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
2468	attrib.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	57f5bdbf3437b84b8f2c6b5fd58e7a157077666e0822d2d498a9db161e818b94.exe
File opened (read-only)	\??\E:	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 1776	3144	57f5bdbf3437b84b8f2c6b5fd58e7a157077666e0822d2d498a9db161e818b94.exe	76
PID 3144 wrote to memory of 1776	3144	57f5bdbf3437b84b8f2c6b5fd58e7a157077666e0822d2d498a9db161e818b94.exe	76
PID 3144 wrote to memory of 1776	3144	57f5bdbf3437b84b8f2c6b5fd58e7a157077666e0822d2d498a9db161e818b94.exe	76
PID 1776 wrote to memory of 2468	1776	cmd.exe	78
PID 1776 wrote to memory of 2468	1776	cmd.exe	78
PID 1776 wrote to memory of 2468	1776	cmd.exe	78
PID 1776 wrote to memory of 1768	1776	cmd.exe	79
PID 1776 wrote to memory of 1768	1776	cmd.exe	79
PID 1776 wrote to memory of 1768	1776	cmd.exe	79
PID 1776 wrote to memory of 1340	1776	cmd.exe	80
PID 1776 wrote to memory of 1340	1776	cmd.exe	80
PID 1776 wrote to memory of 1340	1776	cmd.exe	80
PID 1776 wrote to memory of 1532	1776	cmd.exe	82
PID 1776 wrote to memory of 1532	1776	cmd.exe	82
PID 1776 wrote to memory of 1532	1776	cmd.exe	82
PID 1776 wrote to memory of 4992	1776	cmd.exe	84
PID 1776 wrote to memory of 4992	1776	cmd.exe	84
PID 1776 wrote to memory of 4992	1776	cmd.exe	84

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2468	attrib.exe

C:\Users\Admin\AppData\Local\Temp\57f5bdbf3437b84b8f2c6b5fd58e7a157077666e0822d2d498a9db161e818b94.exe
"C:\Users\Admin\AppData\Local\Temp\57f5bdbf3437b84b8f2c6b5fd58e7a157077666e0822d2d498a9db161e818b94.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy C:\Users\Admin\AppData\Roaming\win7Res\grldr E:\grldr / b>NUL 2>NUL &attrib E:\grldr +h +s +r &C:\Users\Admin\AppData\Roaming\win7Res\bootinst /nt60 E: &cscript C:\Windows\system32\slmgr.vbs -ilc C:\Users\Admin\AppData\Roaming\win7Res\Certificate.xrm-ms &cscript C:\Windows\system32\slmgr.vbs -ipk 49PB6-6BJ6Y-KHGCQ-7DDY6-TF7CD &C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\attrib.exe
    attrib E:\grldr +h +s +r
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2468
- - C:\Users\Admin\AppData\Roaming\win7Res\bootinst.exe
    C:\Users\Admin\AppData\Roaming\win7Res\bootinst /nt60 E:
    3⤵
    - Executes dropped EXE
    PID:1768
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Windows\system32\slmgr.vbs -ilc C:\Users\Admin\AppData\Roaming\win7Res\Certificate.xrm-ms
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Windows\system32\slmgr.vbs -ipk 49PB6-6BJ6Y-KHGCQ-7DDY6-TF7CD
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:4992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\win7Res\Certificate.xrm-ms

Filesize
2KB

MD5
f25832af6a684360950dbb15589de34a

SHA1
17ff1d21005c1695ae3dcbdc3435017c895fff5d

SHA256
266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f

SHA512
e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

Download Submit
C:\Users\Admin\AppData\Roaming\win7Res\bootinst.exe

Filesize
85KB

MD5
70c5f6f69cdc6c5b8240622cf7d90380

SHA1
d7fa00497a3d3279b547dfc913e23052b9287060

SHA256
d7aba1fa037041412052bfdc0127d44bd63597bf01151058d3edf585186387be

SHA512
447ffe8f7216e38695a85e09e5085564ec6d4b35c6770ee8864300fbaad50b0855f9535f1c0fb78a57b090cec9478e24338c8ef54b4986b87abcfdde986df798

Download Submit
C:\Users\Admin\AppData\Roaming\win7Res\bootinst.exe

Filesize
85KB

MD5
70c5f6f69cdc6c5b8240622cf7d90380

SHA1
d7fa00497a3d3279b547dfc913e23052b9287060

SHA256
d7aba1fa037041412052bfdc0127d44bd63597bf01151058d3edf585186387be

SHA512
447ffe8f7216e38695a85e09e5085564ec6d4b35c6770ee8864300fbaad50b0855f9535f1c0fb78a57b090cec9478e24338c8ef54b4986b87abcfdde986df798

Download Submit
C:\Users\Admin\AppData\Roaming\win7Res\grldr

Filesize
199KB

MD5
560b738b2357d5a92190d4ddf2966991

SHA1
5d3ed31bd12c97eadc594bcf10e758a67c4e7552

SHA256
38c658da9d95ef05fea051054f021bfbfed67b7aff32a996a4b32edc9f31c287

SHA512
7a25caacf68367a64d81fdb5a5629cb60dbca4425b27987d0c0885da0bfbfd410f0ea77810552a00601bcb32855f575a00082c9c4fbb78a591d0cc24ad09ecf3

Download Submit
\??\E:\grldr

Filesize
199KB

MD5
560b738b2357d5a92190d4ddf2966991

SHA1
5d3ed31bd12c97eadc594bcf10e758a67c4e7552

SHA256
38c658da9d95ef05fea051054f021bfbfed67b7aff32a996a4b32edc9f31c287

SHA512
7a25caacf68367a64d81fdb5a5629cb60dbca4425b27987d0c0885da0bfbfd410f0ea77810552a00601bcb32855f575a00082c9c4fbb78a591d0cc24ad09ecf3

Download Submit
memory/1340-140-0x0000000000000000-mapping.dmp

Download
memory/1532-142-0x0000000000000000-mapping.dmp

Download
memory/1768-137-0x0000000000000000-mapping.dmp

Download
memory/1776-133-0x0000000000000000-mapping.dmp

Download
memory/2468-135-0x0000000000000000-mapping.dmp

Download
memory/3144-132-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3144-143-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3144-145-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4992-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads