36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa

General

Target

36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa.exe
Size

3.0MB
MD5

dd60ed970e7b840688eaa33901d23a2a
SHA1

d1bbbba77ee88789ba026737e6fd2300e1c230ab
SHA256

36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa
SHA512

428b793b5a6c1697ba0883581122eb480353aef349ad03733ed2e7fdcecfc3c0ee87565714c45c678a2d4e0659ebd93d84480294301153b8656fe61f9336a069
SSDEEP

49152:WH5lTSK1Rxg5hywNnYuqu3VTAhBfNkwtUuxqE3TKcrGzKEEIhf31jLa:WH5ZN1RxwEAnYJKqfN5tUuxOK8313a

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Au_.exe

pid process

1828 Au_.exe
Loads dropped DLL 3 IoCs

Processes:

36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa.exeAu_.exe

pid process

1144 36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa.exe
1828 Au_.exe
1828 Au_.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Au_.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Au_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Au_.exe

pid process

1828 Au_.exe
1828 Au_.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Au_.exe

pid process

1828 Au_.exe
1828 Au_.exe

pid	process
1828	Au_.exe

pid	process
1144	36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa.exe
1828	Au_.exe
1828	Au_.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Au_.exe

pid	process
1828	Au_.exe
1828	Au_.exe

pid	process
1828	Au_.exe
1828	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa.exe

description	pid	process	target process
PID 1144 wrote to memory of 1828	1144	36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa.exe	Au_.exe
PID 1144 wrote to memory of 1828	1144	36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa.exe	Au_.exe
PID 1144 wrote to memory of 1828	1144	36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa.exe	Au_.exe
PID 1144 wrote to memory of 1828	1144	36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa.exe	Au_.exe

C:\Users\Admin\AppData\Local\Temp\36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa.exe
"C:\Users\Admin\AppData\Local\Temp\36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi122B.tmp\insthelper.dll

Filesize
2.7MB

MD5
a6ecb533bd7515d38307ad73f3f51c18

SHA1
5fcc54d06e45a071184f83ccb94d6c8e0f051496

SHA256
c0c0f5e092c858144697d24670e7d6636a8dbe2e5d38655cd5726d0f9e5229ff

SHA512
17883811bd107f766ca3a911232bf04316bdbbd365223295054fb89ecb78197feaceb3f5cc27baa3e87140db73f03d36b5175b5001bb39fc49577c68c0156d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi122B.tmp\res\skin\btn_close.png

Filesize
1KB

MD5
d6d22365523a1dd214388b5335366ae4

SHA1
8a0f196a3a728bef47a3aeb07cff55259d76aba5

SHA256
141a2c83dd24e39b9f9e15e30b9a6bc860aeb36ed42e945ab35107c9f75ea285

SHA512
f606065c3f8b61398820de73d8d6b0e803be321e6859af25037eabe68f01a34c894e0809f785426d2f9e6c8246e9fc2aef34190b9f9e122acc2cef3c99f46168

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
3.0MB

MD5
dd60ed970e7b840688eaa33901d23a2a

SHA1
d1bbbba77ee88789ba026737e6fd2300e1c230ab

SHA256
36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa

SHA512
428b793b5a6c1697ba0883581122eb480353aef349ad03733ed2e7fdcecfc3c0ee87565714c45c678a2d4e0659ebd93d84480294301153b8656fe61f9336a069

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
3.0MB

MD5
dd60ed970e7b840688eaa33901d23a2a

SHA1
d1bbbba77ee88789ba026737e6fd2300e1c230ab

SHA256
36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa

SHA512
428b793b5a6c1697ba0883581122eb480353aef349ad03733ed2e7fdcecfc3c0ee87565714c45c678a2d4e0659ebd93d84480294301153b8656fe61f9336a069

Download Submit
\Users\Admin\AppData\Local\Temp\nsi122B.tmp\System.dll

Filesize
22KB

MD5
a321954c01a0fe650a9f73975243e22f

SHA1
cbdaadb3f5183a50cfba66be70249f54d6dfda57

SHA256
5e3cabdfdffbaaf3a43c9b8fb8eeae99f818ff9f8c0a9ab7c516b9393fa552de

SHA512
cdc5a3c270da0717c301492581687685bd2d7399d4166371d74886722009f6a8e93670c631230ae6fa35121c049ca38d94b27d5e52d6d95cda68fc6d0ba229a7

Download Submit
\Users\Admin\AppData\Local\Temp\nsi122B.tmp\insthelper.dll

Filesize
2.7MB

MD5
a6ecb533bd7515d38307ad73f3f51c18

SHA1
5fcc54d06e45a071184f83ccb94d6c8e0f051496

SHA256
c0c0f5e092c858144697d24670e7d6636a8dbe2e5d38655cd5726d0f9e5229ff

SHA512
17883811bd107f766ca3a911232bf04316bdbbd365223295054fb89ecb78197feaceb3f5cc27baa3e87140db73f03d36b5175b5001bb39fc49577c68c0156d93

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
3.0MB

MD5
dd60ed970e7b840688eaa33901d23a2a

SHA1
d1bbbba77ee88789ba026737e6fd2300e1c230ab

SHA256
36a2c605f21c340257c07271d7e710014b96cad761bd4e68e69dc467eced5eaa

SHA512
428b793b5a6c1697ba0883581122eb480353aef349ad03733ed2e7fdcecfc3c0ee87565714c45c678a2d4e0659ebd93d84480294301153b8656fe61f9336a069

Download Submit

Analysis

Sharing