3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9

General

Target

3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Size

2.2MB
MD5

3de7d38d7bc57fb141aa0bdf209a0a99
SHA1

08d57904a63095b69ad94e8db40653e7db9c7cb2
SHA256

3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9
SHA512

5d3985bf781db4fb7aef26105f9083c1efe92ae2e2f350c308cf3becacc050fddc12ccfb403ce8030d9ec558e1c28bb9ae0ee90e199f0bdbd7474cfd9fab0bcd
SSDEEP

49152:gi39+084E6W4W8Vm/BhlbXesYxJIiXN8tPSc:f+HVb4W8QflKs2JzXN8N

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
796	~~8387580194687823248.tmp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	~~8387580194687823248.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeBackupPrivilege	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeRestorePrivilege	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: 33	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeIncBasePriorityPrivilege	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: 33	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeIncBasePriorityPrivilege	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeBackupPrivilege	4576	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeRestorePrivilege	4576	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: 33	4576	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeIncBasePriorityPrivilege	4576	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: 33	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeIncBasePriorityPrivilege	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: 33	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeIncBasePriorityPrivilege	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeBackupPrivilege	3404	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeRestorePrivilege	3404	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: 33	3404	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
Token: SeIncBasePriorityPrivilege	3404	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4576	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	88
PID 5052 wrote to memory of 4576	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	88
PID 5052 wrote to memory of 4576	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	88
PID 5052 wrote to memory of 796	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	92
PID 5052 wrote to memory of 796	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	92
PID 5052 wrote to memory of 796	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	92
PID 5052 wrote to memory of 3404	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	96
PID 5052 wrote to memory of 3404	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	96
PID 5052 wrote to memory of 3404	5052	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	96
PID 3404 wrote to memory of 5044	3404	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	98
PID 3404 wrote to memory of 5044	3404	3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe	98

C:\Users\Admin\AppData\Local\Temp\3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
"C:\Users\Admin\AppData\Local\Temp\3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
  PECMD**pecmd-cmd* PUTF "C:\Users\Admin\AppData\Local\Temp\~~8387580194687823248.tmp.exe",,"C:\Users\Admin\AppData\Local\Temp\3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe""#102|SCRIPT"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
- C:\Users\Admin\AppData\Local\Temp\~~8387580194687823248.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\~~8387580194687823248.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:796
- C:\Users\Admin\AppData\Local\Temp\3a62bc2534e0a819b4cffc92488429d94a1487fed14153f6f3ad647ed3ae53e9.exe
  PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~7895713197673514593.cmd"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\~7895713197673514593.cmd"
    3⤵
    PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~7895713197673514593.cmd

Filesize
404B

MD5
dcaddc5185f725206b78a4f2fc2b5033

SHA1
067d07546ce7d4112e24cb846f6d32ccb0fb57fe

SHA256
5105d68d12ef56a7741457627fb9a14bda155413ef814a8525150b2a1015bdab

SHA512
45a0e279e9092d68ab54786508b9c61780d249e2dea013e40e8b38dcbef181cb45fd83dec611e4b88a2cffb453a73c058ff38193e12662163de524b1d96beb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~8387580194687823248.tmp.exe

Filesize
2.3MB

MD5
012d5128843481184c499833b4db5d3d

SHA1
97a680cc901e56eda288b425f331e1a03e50645a

SHA256
f3f6ae44a0adb797eb76d3346de180256b3eadf0876da0f627e4f632267f27eb

SHA512
2c1ccfdc4c3ee56971b11bfd5a1912874fb26ccfd295775cf28852d39f3c8907446baad05e67dec687b1ac0729c1849f50c63fa684ec496952f143e927c7a6a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~8387580194687823248.tmp.exe

Filesize
1.3MB

MD5
307ec752c80596aa9ee9a6a50bba56ed

SHA1
ac1ea809e592b509d27aa7b8ccb22a2e2e1c941f

SHA256
a804988170213a389e807dedaf5387fb995ab3f4f467625a6deb01bda898cef1

SHA512
90dbf5befb771f65bd08d0be40cb9d7d13df4d78345ee24e74321d1b95ec07a394e5cf3f079a4cbc1137ef10015e1ca71e8ef59d396f3f47779c582384c19357

Download Submit
memory/796-3-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/796-4-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/796-5-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/796-6-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/796-8-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/796-10-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads