4ec225b822f1fbb27944ff3cb2856ba214de405d2a7589abfa3bd080c1534ac4

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2023 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ő (en).exe
Size

13.2MB
MD5

6d68a0c760fc1547a9d9cd3ac25769dc
SHA1

aebfda195faa08af0752c4310538ae044416030b
SHA256

4ec225b822f1fbb27944ff3cb2856ba214de405d2a7589abfa3bd080c1534ac4
SHA512

ae45a2334f83562902d5549eddcb3475fd02685ee60401f736ed7e4b0d5a83a1f7566224059d5b28dc4b7e6dae0a9cab23f5629a5839b53c1be6e13e2b474f1a
SSDEEP

393216:WRP9XCHT+X/A8chntmnTTxhuDoDpY2nbh9gwSI:8l6e4nnt6LuE1/dhSI

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	ő (en).exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	HeadFile.exe

Executes dropped EXE 9 IoCs

pid	Process
3356	HeadFile.exe
344	MBR.exe
2124	nepovezlo.exe
4432	Sound.exe
400	ErrorDraw.exe
3108	ErrorDraw.exe
3364	RandButton.exe
1168	Pixels.exe
2948	Glitch3.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MBR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2112	taskkill.exe
1952	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	620	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	620	AUDIODG.EXE
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2124	nepovezlo.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe
2124	nepovezlo.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 3356	3148	ő (en).exe	84
PID 3148 wrote to memory of 3356	3148	ő (en).exe	84
PID 3148 wrote to memory of 3356	3148	ő (en).exe	84
PID 3356 wrote to memory of 344	3356	HeadFile.exe	86
PID 3356 wrote to memory of 344	3356	HeadFile.exe	86
PID 3356 wrote to memory of 344	3356	HeadFile.exe	86
PID 3356 wrote to memory of 2124	3356	HeadFile.exe	94
PID 3356 wrote to memory of 2124	3356	HeadFile.exe	94
PID 3356 wrote to memory of 2124	3356	HeadFile.exe	94
PID 3356 wrote to memory of 4432	3356	HeadFile.exe	95
PID 3356 wrote to memory of 4432	3356	HeadFile.exe	95
PID 3356 wrote to memory of 4432	3356	HeadFile.exe	95
PID 3356 wrote to memory of 400	3356	HeadFile.exe	97
PID 3356 wrote to memory of 400	3356	HeadFile.exe	97
PID 3356 wrote to memory of 400	3356	HeadFile.exe	97
PID 3356 wrote to memory of 3108	3356	HeadFile.exe	98
PID 3356 wrote to memory of 3108	3356	HeadFile.exe	98
PID 3356 wrote to memory of 3108	3356	HeadFile.exe	98
PID 3356 wrote to memory of 3364	3356	HeadFile.exe	99
PID 3356 wrote to memory of 3364	3356	HeadFile.exe	99
PID 3356 wrote to memory of 3364	3356	HeadFile.exe	99
PID 3356 wrote to memory of 1168	3356	HeadFile.exe	102
PID 3356 wrote to memory of 1168	3356	HeadFile.exe	102
PID 3356 wrote to memory of 1168	3356	HeadFile.exe	102
PID 3356 wrote to memory of 2112	3356	HeadFile.exe	103
PID 3356 wrote to memory of 2112	3356	HeadFile.exe	103
PID 3356 wrote to memory of 2112	3356	HeadFile.exe	103
PID 3356 wrote to memory of 1952	3356	HeadFile.exe	104
PID 3356 wrote to memory of 1952	3356	HeadFile.exe	104
PID 3356 wrote to memory of 1952	3356	HeadFile.exe	104
PID 3356 wrote to memory of 2948	3356	HeadFile.exe	108
PID 3356 wrote to memory of 2948	3356	HeadFile.exe	108
PID 3356 wrote to memory of 2948	3356	HeadFile.exe	108

C:\Users\Admin\AppData\Local\Temp\ő (en).exe
"C:\Users\Admin\AppData\Local\Temp\ő (en).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\HeadFile.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HeadFile.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\MBR.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MBR.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:344
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\nepovezlo.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\nepovezlo.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2124
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Sound.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Sound.exe"
    3⤵
    - Executes dropped EXE
    PID:4432
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ErrorDraw.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ErrorDraw.exe"
    3⤵
    - Executes dropped EXE
    PID:400
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ErrorDraw.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ErrorDraw.exe"
    3⤵
    - Executes dropped EXE
    PID:3108
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RandButton.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RandButton.exe"
    3⤵
    - Executes dropped EXE
    PID:3364
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pixels.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pixels.exe"
    3⤵
    - Executes dropped EXE
    PID:1168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /F /IM Pixels.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Windows\SysWOW64\taskkill.exe
    C:\Windows\System32\taskkill.exe /F /IM Pixels.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Glitch3.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Glitch3.exe"
    3⤵
    - Executes dropped EXE
    PID:2948

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x38c 0x3f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ErrorDraw.exe

Filesize
50KB

MD5
a33738d657aee7723671f84ccc528337

SHA1
ffe321129e9337233124f08458ff8b43401b33ae

SHA256
2791ee8466397f7bd025a992245eb0ad470835dba158a019cc9e5cd151d167cb

SHA512
2eefe11a2ce30486a1c356fcd172754624e39a89b3687370258b48d2bf8e805100b9990635d742141d2a51fb7fcb3da70521e548071547348fd251226433fcbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ErrorDraw.exe

Filesize
50KB

MD5
a33738d657aee7723671f84ccc528337

SHA1
ffe321129e9337233124f08458ff8b43401b33ae

SHA256
2791ee8466397f7bd025a992245eb0ad470835dba158a019cc9e5cd151d167cb

SHA512
2eefe11a2ce30486a1c356fcd172754624e39a89b3687370258b48d2bf8e805100b9990635d742141d2a51fb7fcb3da70521e548071547348fd251226433fcbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ErrorDraw.exe

Filesize
50KB

MD5
a33738d657aee7723671f84ccc528337

SHA1
ffe321129e9337233124f08458ff8b43401b33ae

SHA256
2791ee8466397f7bd025a992245eb0ad470835dba158a019cc9e5cd151d167cb

SHA512
2eefe11a2ce30486a1c356fcd172754624e39a89b3687370258b48d2bf8e805100b9990635d742141d2a51fb7fcb3da70521e548071547348fd251226433fcbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Glitch3.exe

Filesize
50KB

MD5
46ef36a6d2993e839dddcc6976105350

SHA1
8adf8fb1348b8fc14bf434e33604d21e5648ce8d

SHA256
35db60d597e047793d24db554885671258f5684e7b6816ddc9cbdf153e1502fa

SHA512
119322ff3c4327c84e02181297b708ce56552001193aae8caef6b9c93eaad3c35752720f1e06df483e889ef675d6859b6b957de86ba243dc408b7629194f876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Glitch3.exe

Filesize
50KB

MD5
46ef36a6d2993e839dddcc6976105350

SHA1
8adf8fb1348b8fc14bf434e33604d21e5648ce8d

SHA256
35db60d597e047793d24db554885671258f5684e7b6816ddc9cbdf153e1502fa

SHA512
119322ff3c4327c84e02181297b708ce56552001193aae8caef6b9c93eaad3c35752720f1e06df483e889ef675d6859b6b957de86ba243dc408b7629194f876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HeadFile.exe

Filesize
360KB

MD5
aab8e05f4df037cffc1b9e3412fe277b

SHA1
4add73001060c13b3188fd9becc8b4607e451749

SHA256
1bea1f9ac11ccdf79cfd98003b6a9be5ce232d8fce18986d891ab67ca796e183

SHA512
abc8f71c1732945b9145993900a2b33d26c0d712eb17182bb76678db34d6ee3c344341d65114454dcc727b51a8af618785d50ecce7e4a0c31a1bdd3ac5b4bf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HeadFile.exe

Filesize
360KB

MD5
aab8e05f4df037cffc1b9e3412fe277b

SHA1
4add73001060c13b3188fd9becc8b4607e451749

SHA256
1bea1f9ac11ccdf79cfd98003b6a9be5ce232d8fce18986d891ab67ca796e183

SHA512
abc8f71c1732945b9145993900a2b33d26c0d712eb17182bb76678db34d6ee3c344341d65114454dcc727b51a8af618785d50ecce7e4a0c31a1bdd3ac5b4bf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HeadFile.exe

Filesize
360KB

MD5
aab8e05f4df037cffc1b9e3412fe277b

SHA1
4add73001060c13b3188fd9becc8b4607e451749

SHA256
1bea1f9ac11ccdf79cfd98003b6a9be5ce232d8fce18986d891ab67ca796e183

SHA512
abc8f71c1732945b9145993900a2b33d26c0d712eb17182bb76678db34d6ee3c344341d65114454dcc727b51a8af618785d50ecce7e4a0c31a1bdd3ac5b4bf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MBR.exe

Filesize
48KB

MD5
f13248b7d74e5c344170aa70e16470a3

SHA1
c08fe5cb43b0b8477f27bce022c3aad63278b42a

SHA256
c1c12b39151120565f3f4212064cae26c4cc65970bdeefed370cb2fc1c3a4bb4

SHA512
c518f10a40d3393582933c4bcd80e78354116b82f2a819717214261841aea057fe797ed0f9c2d180b21cf876cff4b4603158ffc3120ee440a6274c925f07c817

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MBR.exe

Filesize
48KB

MD5
f13248b7d74e5c344170aa70e16470a3

SHA1
c08fe5cb43b0b8477f27bce022c3aad63278b42a

SHA256
c1c12b39151120565f3f4212064cae26c4cc65970bdeefed370cb2fc1c3a4bb4

SHA512
c518f10a40d3393582933c4bcd80e78354116b82f2a819717214261841aea057fe797ed0f9c2d180b21cf876cff4b4603158ffc3120ee440a6274c925f07c817

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pixels.exe

Filesize
57KB

MD5
ea100daa0f7d4a46853304836025e434

SHA1
d6d5410f886edfdee94cd0cb711ea751dacf168a

SHA256
dd3585de3eb2bece737cd0766617cd412a3c63e2dd1e9f25b75e25750992b715

SHA512
af506bcbbe033b00362f8ab2751a1617129b01353a05ce0eb320efba81167d9a98a709dbe8497301e3fa055c4ee433c3f854c8adad4a7968e609f7a3ae4ffe5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pixels.exe

Filesize
57KB

MD5
ea100daa0f7d4a46853304836025e434

SHA1
d6d5410f886edfdee94cd0cb711ea751dacf168a

SHA256
dd3585de3eb2bece737cd0766617cd412a3c63e2dd1e9f25b75e25750992b715

SHA512
af506bcbbe033b00362f8ab2751a1617129b01353a05ce0eb320efba81167d9a98a709dbe8497301e3fa055c4ee433c3f854c8adad4a7968e609f7a3ae4ffe5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RandButton.exe

Filesize
359KB

MD5
9f7bd2ef2de05cd3cba7a66068876516

SHA1
39d6881b841dda047e1d5457bf727a7fe080e7c0

SHA256
152104e3dbecee575acd5358b48679713a4b18a913a005249d074f312d3afb0d

SHA512
9c2241ace19770f228be1386488b4994ae32d42bd50cf394ea8bf8716cc2f42394d6e7cf32c9960be64d8f5812014194ae3d24d55a1a9ddc22fa74cf823c83c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RandButton.exe

Filesize
359KB

MD5
9f7bd2ef2de05cd3cba7a66068876516

SHA1
39d6881b841dda047e1d5457bf727a7fe080e7c0

SHA256
152104e3dbecee575acd5358b48679713a4b18a913a005249d074f312d3afb0d

SHA512
9c2241ace19770f228be1386488b4994ae32d42bd50cf394ea8bf8716cc2f42394d6e7cf32c9960be64d8f5812014194ae3d24d55a1a9ddc22fa74cf823c83c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Sound.exe

Filesize
359KB

MD5
5a8d72063530284c2341b1a05d9604c7

SHA1
9f665c9ac191b2afbefe47b63b8343ff965f7288

SHA256
2cc3da35bc5fd89ed1214f34094d2c6b98ea105ee525d454f6d8d16657f1acac

SHA512
6e152c351ef55d53f47d4077199557ab1256cc883450a039940ae2864f28ec2aa114afae272af1192a3e4df607560d2f5a8954765cc5ff54ea57e1284be6ff87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Sound.exe

Filesize
359KB

MD5
5a8d72063530284c2341b1a05d9604c7

SHA1
9f665c9ac191b2afbefe47b63b8343ff965f7288

SHA256
2cc3da35bc5fd89ed1214f34094d2c6b98ea105ee525d454f6d8d16657f1acac

SHA512
6e152c351ef55d53f47d4077199557ab1256cc883450a039940ae2864f28ec2aa114afae272af1192a3e4df607560d2f5a8954765cc5ff54ea57e1284be6ff87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gl.wav

Filesize
14.8MB

MD5
ed830af08f72d0156d7efcbb8668cdd7

SHA1
3ef480a6ff07416835143b50706351dcd3d4a2ca

SHA256
583fe6351dfeccacd769b4a67a573b010a44cd3523f51ce7ee6f0c51e5853086

SHA512
b8730e156e1eb2a87cea51722be5aaf6b98759ae061bb328c4bb5c076011d4cb89351dbea989d010cf45f0021126af76611b086b9bb9bea67041f8bbe40c3ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nepovezlo.exe

Filesize
700KB

MD5
7b8d687cbcc6880438923266283bba37

SHA1
9dd61cd56101b7f810f6c65d0e27922539580123

SHA256
e47d9f227d4637d10482072f28843d32fb8c9ce061f4a1a5636dfdaefedc81aa

SHA512
0ab314fdc880bcf575818c42d65b9fcfa3a94813b254a859594dcad3602a35f7a5a41a50b06f71d889092027da87fe220c485766a90936876f3b243c623ecfcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nepovezlo.exe

Filesize
700KB

MD5
7b8d687cbcc6880438923266283bba37

SHA1
9dd61cd56101b7f810f6c65d0e27922539580123

SHA256
e47d9f227d4637d10482072f28843d32fb8c9ce061f4a1a5636dfdaefedc81aa

SHA512
0ab314fdc880bcf575818c42d65b9fcfa3a94813b254a859594dcad3602a35f7a5a41a50b06f71d889092027da87fe220c485766a90936876f3b243c623ecfcf

Download Submit
memory/344-171-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/400-198-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1168-217-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2948-226-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3108-203-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3356-172-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/3356-173-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3364-199-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/3364-216-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3364-211-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3364-204-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3364-225-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4432-186-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4432-184-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download