54a50e0f177f7ac2753ee30ee39f5bab0146b556ec5593ef05c3a3f2371da3cf

General

Target

0ed77c64afc3414e94291a8c0f1a816f.exe
Size

827KB
MD5

0ed77c64afc3414e94291a8c0f1a816f
SHA1

2b359c72cb24b7daa28a1d30ff45d5f84ecfe53a
SHA256

54a50e0f177f7ac2753ee30ee39f5bab0146b556ec5593ef05c3a3f2371da3cf
SHA512

ca4384e3152ac4232baf4e4b7ce47d6efc90e34440e452643f411880dd7c3abfa2bc61f88ce79618e9859d509261d485baa885cb3abc1a20918eed95faeb1fbb
SSDEEP

12288:CPUB1kkNi3xVFB5stCEN+YtqGlJiGwHbqZZVPOJOy/hUHC7Fx1jbAtf0z75o9NWc:fEk0TFENbr22hC7/OHEx16k7cNW9sdP

Score

6^/10

bootkit persistence

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\R:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\Z:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\M:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\Q:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\G:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\H:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\I:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\L:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\S:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\T:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\W:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\Y:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\E:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\K:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\N:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\O:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\P:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\U:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\V:	0ed77c64afc3414e94291a8c0f1a816f.exe
File opened (read-only)	\??\X:	0ed77c64afc3414e94291a8c0f1a816f.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0ed77c64afc3414e94291a8c0f1a816f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
4964	4332	WerFault.exe	17
4512	4332	WerFault.exe	17
3316	4332	WerFault.exe	17
2892	4332	WerFault.exe	17
4732	4332	WerFault.exe	17
3780	4332	WerFault.exe	17
4620	4332	WerFault.exe	17
2296	4332	WerFault.exe	17
3284	4332	WerFault.exe	17
1140	4332	WerFault.exe	17
2456	4332	WerFault.exe	17

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4332	0ed77c64afc3414e94291a8c0f1a816f.exe
4332	0ed77c64afc3414e94291a8c0f1a816f.exe
4332	0ed77c64afc3414e94291a8c0f1a816f.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4332	0ed77c64afc3414e94291a8c0f1a816f.exe
4332	0ed77c64afc3414e94291a8c0f1a816f.exe
4332	0ed77c64afc3414e94291a8c0f1a816f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4332	0ed77c64afc3414e94291a8c0f1a816f.exe
4332	0ed77c64afc3414e94291a8c0f1a816f.exe

C:\Users\Admin\AppData\Local\Temp\0ed77c64afc3414e94291a8c0f1a816f.exe
"C:\Users\Admin\AppData\Local\Temp\0ed77c64afc3414e94291a8c0f1a816f.exe"
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 804
  2⤵
  - Program crash
  PID:4964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 848
  2⤵
  - Program crash
  PID:4512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1264
  2⤵
  - Program crash
  PID:3316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1312
  2⤵
  - Program crash
  PID:2892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1304
  2⤵
  - Program crash
  PID:4732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1316
  2⤵
  - Program crash
  PID:3780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1428
  2⤵
  - Program crash
  PID:4620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1428
  2⤵
  - Program crash
  PID:2296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1456
  2⤵
  - Program crash
  PID:3284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1920
  2⤵
  - Program crash
  PID:1140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1432
  2⤵
  - Program crash
  PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4332 -ip 4332
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4332 -ip 4332
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4332 -ip 4332
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4332 -ip 4332
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4332 -ip 4332
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4332 -ip 4332
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4332 -ip 4332
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4332 -ip 4332
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4332 -ip 4332
1⤵
PID:2592

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3384
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:2396

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4440

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1780

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3220
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:3088

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4268
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:2268

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3796

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3908
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:1292

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3644
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:1376

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1744
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:5096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4332 -ip 4332
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4332 -ip 4332
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
332ef598635cd207d6e98ba95f0a8c69

SHA1
249f117fb8dc3d4d5f223599f1ec7b5cefeb5c3c

SHA256
b32068974dd4617e93225ea65351650f936bb970dc3e4ce6a0d5e66329596065

SHA512
ab602279de96379d61800677eb12b6355730424d650565f2ef9c16366e4b0946d15c4a99118b1ca77d7587eb77fa692188d919d3c44f8a348abacf3aadf2e7a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
6c4335710f70a71e6ef01d1f469cf33b

SHA1
09dca52c57e42fd7a791dff97e51a708a14b6e72

SHA256
c524ac4023d88a8baa1cd2accf95eed3ee27b36eaa1b57e6a37f1e0408bd70f5

SHA512
a827dad2dc0b7373e481ae34bf3accb6fe85d7138cf3e906f6069af8d26e16963de49d5cd0c939d684f795374ea64131d64d1c48c7f7fbf776b59323bc51cb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Filesize
1022B

MD5
7fc198d8f3aa7ce6447c690b39d0d9d8

SHA1
f6c3b595d2968ae775ceac43b4b35dc2a842c5ef

SHA256
c6e3e4e36a763316be72bc914218fa2c7fd7f5df0e317bfab8fed9fe7879e67e

SHA512
37aa583e19dc51ed21ca2137a2ce071783ccbcce55b2b95d813bf9b61b0c2b5fe179b1a95dd7b3a566d78f00bc7f8024e7ed2cd79a51160b166254d29bdce9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C29ECBA4-5E06-4D6B-BF66-8B45C7088D09}.png

Filesize
6KB

MD5
099ba37f81c044f6b2609537fdb7d872

SHA1
470ef859afbce52c017874d77c1695b7b0f9cb87

SHA256
8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

SHA512
837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

Download Submit
memory/2268-22-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/2352-37-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/2396-13-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/4332-34-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-39-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-6-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4332-5-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-23-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-24-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-25-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-4-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-1-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/4332-35-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4332-2-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-7-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-0-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-46-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-53-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-54-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-55-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-58-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-61-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-62-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-63-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-66-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-67-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/4332-68-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads