7a7848da6e229abc1681d01407679d1dfdc9e7f7756b49fec1802d49be10f45c

General

Target

tmp.exe
Size

32.5MB
MD5

40462cb1d8678ec6103aa71655f15fe1
SHA1

be4a958b79ab7c410b51911e272ec3e2e04f4ed7
SHA256

7a7848da6e229abc1681d01407679d1dfdc9e7f7756b49fec1802d49be10f45c
SHA512

2f4777b6104ce04baf2009e36bc3048ecc3deefa342d12f9ebfaeaa1eb6db36fb4600915fd3b52d0764e609527778150e1a1c8b0f227372458997dbdca439af5
SSDEEP

786432:RNhjKQH/s50/ChVnfAz/DCGEBqscfa+IWpSxk8unu/3T7nrNtm:vhjKQHA0/yVnIz/H3fJnpKSu/TVc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
228	tmp.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	tmp.exe
File opened (read-only)	\??\A:	tmp.exe
File opened (read-only)	\??\E:	tmp.exe
File opened (read-only)	\??\G:	tmp.exe
File opened (read-only)	\??\K:	tmp.exe
File opened (read-only)	\??\S:	tmp.exe
File opened (read-only)	\??\T:	tmp.exe
File opened (read-only)	\??\M:	tmp.exe
File opened (read-only)	\??\P:	tmp.exe
File opened (read-only)	\??\U:	tmp.exe
File opened (read-only)	\??\V:	tmp.exe
File opened (read-only)	\??\X:	tmp.exe
File opened (read-only)	\??\B:	tmp.exe
File opened (read-only)	\??\I:	tmp.exe
File opened (read-only)	\??\N:	tmp.exe
File opened (read-only)	\??\R:	tmp.exe
File opened (read-only)	\??\W:	tmp.exe
File opened (read-only)	\??\Z:	tmp.exe
File opened (read-only)	\??\H:	tmp.exe
File opened (read-only)	\??\J:	tmp.exe
File opened (read-only)	\??\L:	tmp.exe
File opened (read-only)	\??\O:	tmp.exe
File opened (read-only)	\??\Q:	tmp.exe
File opened (read-only)	\??\Y:	tmp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	tmp.exe
File opened for modification	\??\PHYSICALDRIVE0	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4940	3576	WerFault.exe	84
3176	228	WerFault.exe	91

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	228	tmp.exe
Token: SeCreatePagefilePrivilege	228	tmp.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3576	tmp.exe
3576	tmp.exe
3576	tmp.exe
228	tmp.exe
228	tmp.exe
228	tmp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 228	3576	tmp.exe	91
PID 3576 wrote to memory of 228	3576	tmp.exe	91
PID 3576 wrote to memory of 228	3576	tmp.exe	91

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 192
  2⤵
  - Program crash
  PID:4940
- F:\ÏÐÔÆ³ÁÄ¬\tmp.exe
  F:\ÏÐÔÆ³ÁÄ¬\tmp.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 240
    3⤵
    - Program crash
    PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3576 -ip 3576
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 228 -ip 228
1⤵
PID:4064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2K9QMOPD\20221203[1].htm

Filesize
2KB

MD5
b74044159bc87d1e9b0053b05ee8c13b

SHA1
bdfd7cbcc86f3b900344754e1da6cd22d15f1b9a

SHA256
e6f5617910b0ae36ee54ee66aa80915372615a385e825b769b6660213d7c0f4b

SHA512
75878a30633bc68819ec014224adc9c2e8fcd11901a728bda8ef596275ac28d34d4de1144f45245429f9c0e2e83e6498c91514f27e038b745a45ada7e5575c43

Download Submit
C:\Users\Admin\Desktop\ÏÐÔÆ³ÁÄ¬v2x.lnk

Filesize
1KB

MD5
0c823a27daf4bcafdee2ac72af899b09

SHA1
ee2eedb68d26c271b122e9868906165ff0390848

SHA256
21f4dd2f0d35dca8c8d943ef22b7e8e9d82a650bdc5803bdceaa44ad5a90b666

SHA512
0a08b8d2d63583c3c185b9bc93f9ac8dc2154ade245f781c1e63a2b10133f8ba48c6f15e4089f9645bdd82c0a3d7c5bba04ae8e67446faab1b7f5036e8546dfd

Download Submit
F:\ÏÐÔÆ³ÁÄ¬\LoginFail.ini

Filesize
65B

MD5
af441ee6cc63a15272f02b63b41130bf

SHA1
23868ed627cdc35dc83bc25df29c32e0c2d07a09

SHA256
c6b9dd4898fae4007953e62330b7dd5444ed062dea4436298d23c6338f3317c9

SHA512
e8c2851f7cf9fedb0b706e76064b7bc19ecf14bd280902e5dce0d6092a2461280646f294d608965b42af9d618c70590171fe8fa6851d10a87ae92dcd4522879d

Download Submit
F:\ÏÐÔÆ³ÁÄ¬\LoginTemp.ini

Filesize
30B

MD5
9b2456363290ba7d3b58b22d66ce6a18

SHA1
43f3a27739354d6a21dab842e5910205eb7ebe6b

SHA256
95b5335823c05e3acf512d08169bf4cc9925d70e96b72e83b472cb55b094e218

SHA512
3eceb636eb660bf20d558a396a0ac186902974e9737354577b301765407c98c94f800c62083f6e648bd576da8a84e414919a7a99144b409befea5bb86b48cbba

Download Submit
F:\ÏÐÔÆ³ÁÄ¬\tmp.exe

Filesize
32.5MB

MD5
40462cb1d8678ec6103aa71655f15fe1

SHA1
be4a958b79ab7c410b51911e272ec3e2e04f4ed7

SHA256
7a7848da6e229abc1681d01407679d1dfdc9e7f7756b49fec1802d49be10f45c

SHA512
2f4777b6104ce04baf2009e36bc3048ecc3deefa342d12f9ebfaeaa1eb6db36fb4600915fd3b52d0764e609527778150e1a1c8b0f227372458997dbdca439af5

Download Submit
F:\ÏÐÔÆ³ÁÄ¬\tmp.exe

Filesize
32.5MB

MD5
40462cb1d8678ec6103aa71655f15fe1

SHA1
be4a958b79ab7c410b51911e272ec3e2e04f4ed7

SHA256
7a7848da6e229abc1681d01407679d1dfdc9e7f7756b49fec1802d49be10f45c

SHA512
2f4777b6104ce04baf2009e36bc3048ecc3deefa342d12f9ebfaeaa1eb6db36fb4600915fd3b52d0764e609527778150e1a1c8b0f227372458997dbdca439af5

Download Submit
memory/228-148-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/228-169-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/228-170-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/228-190-0x0000000000400000-0x0000000002D7D000-memory.dmp

Filesize
41.5MB

Download
memory/3576-142-0x0000000000400000-0x0000000002D7D000-memory.dmp

Filesize
41.5MB

Download
memory/3576-133-0x0000000000400000-0x0000000002D7D000-memory.dmp

Filesize
41.5MB

Download
memory/3576-134-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing