3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9

General

Target

3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Size

2.2MB
MD5

3de7d38d7bc57fb141aa0bdf209a0a99
SHA1

08d57904a63095b69ad94e8db40653e7db9c7cb2
SHA256

3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9
SHA512

5d3985bf781db4fb7aef26105f9083c1efe92ae2e2f350c308cf3becacc050fddc12ccfb403ce8030d9ec558e1c28bb9ae0ee90e199f0bdbd7474cfd9fab0bcd
SSDEEP

49152:gi39+084E6W4W8Vm/BhlbXesYxJIiXN8tPSc:f+HVb4W8QflKs2JzXN8N

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2312	~~1186375881052235639.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	~~1186375881052235639.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeBackupPrivilege	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeRestorePrivilege	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: 33	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeIncBasePriorityPrivilege	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: 33	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeIncBasePriorityPrivilege	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeBackupPrivilege	2916	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeRestorePrivilege	2916	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: 33	2916	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeIncBasePriorityPrivilege	2916	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: 33	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeIncBasePriorityPrivilege	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: 33	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeIncBasePriorityPrivilege	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeBackupPrivilege	3064	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeRestorePrivilege	3064	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: 33	3064	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeIncBasePriorityPrivilege	3064	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2916	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	20
PID 2108 wrote to memory of 2916	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	20
PID 2108 wrote to memory of 2916	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	20
PID 2108 wrote to memory of 2916	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	20
PID 2108 wrote to memory of 2312	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	29
PID 2108 wrote to memory of 2312	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	29
PID 2108 wrote to memory of 2312	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	29
PID 2108 wrote to memory of 2312	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	29
PID 2108 wrote to memory of 3064	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	33
PID 2108 wrote to memory of 3064	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	33
PID 2108 wrote to memory of 3064	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	33
PID 2108 wrote to memory of 3064	2108	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	33
PID 3064 wrote to memory of 2072	3064	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	31
PID 3064 wrote to memory of 2072	3064	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	31
PID 3064 wrote to memory of 2072	3064	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	31
PID 3064 wrote to memory of 2072	3064	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	31

C:\Users\Admin\AppData\Local\Temp\3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
"C:\Users\Admin\AppData\Local\Temp\3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
  PECMD**pecmd-cmd* PUTF "C:\Users\Admin\AppData\Local\Temp\~~1186375881052235639.tmp.exe",,"C:\Users\Admin\AppData\Local\Temp\3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe""#102|SCRIPT"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\~~1186375881052235639.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\~~1186375881052235639.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
  PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~7846608138979650493.cmd"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\~7846608138979650493.cmd"
1⤵
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~7846608138979650493.cmd

Filesize
404B

MD5
b089ec33daf18abc9b3a7c368f0fc5e5

SHA1
a8316f3cb5af2acb25cfb1826bbf86a696b67f20

SHA256
bc5012c7b09e98879027d348c9f82410d41092c5fedf119e51c6bca7ad7f4fd7

SHA512
b0a765b1fd4f03ae40640717e51f7576e4d99add93cedb3fb6fdedbf3128bb409dfdd58772bb47884c8697acdb009b1c0ae6da061348ef68df8d3fe0dc0b28be

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~1186375881052235639.tmp.exe

Filesize
312KB

MD5
2ab0edb96104e7c85535ebb8f3ebde21

SHA1
9ebd416ff1e22c604ba9061ddd29e37434e348b9

SHA256
608ce64b35ad24a55fa44fbd2059743f0a6ecac8235bb05a78a3c86e3d8274dc

SHA512
3bb3803d49e462f501b5751ce5a92d2191846dc12db29910bf40d567cefbee6343d6c0e971f6053aa3c2d398b16054acd087d3a71d58df47dc8f4f39bc7516c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~1186375881052235639.tmp.exe

Filesize
375KB

MD5
963429e4a11f9ad35f16ffd1b087e75d

SHA1
2ba33f1d978e8750b83c601df88db9dbab4151ba

SHA256
d5ad42348ae82e8a390742f88be066d331cc0ef77f4554bcff60aa791c799be9

SHA512
019bd8cc63cd9dda08121b383f12aa4a9d1bbe179a6ecf9ce36b338c88b34d69b2c66e22f95ea3ee52eff18b9afe42f49978674281046a09e9dd714e52bf7ac9

Download Submit
\Users\Admin\AppData\Local\Temp\~~1186375881052235639.tmp.exe

Filesize
302KB

MD5
fdf665415e7bcb9bc2d8f078de39f74b

SHA1
8d5ed39a18f3f2fcb759fcb0fc58ebef62b2218d

SHA256
230473f690455e06a2068362e7cdf2a283c4c6ef0b88a6aed84ede39203ccc32

SHA512
2ba49b955f107992378b77913fce002a413405c946f3d42c7ac6c6aa7448a4c92430b626df704991ddda7be7fb70b6459c5a606a1bab0fffc85a843f8476d728

Download Submit
memory/2312-4-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2312-6-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/2312-5-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2312-7-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/2312-9-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2312-10-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2312-11-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads