dbda020b6931b2c8c20407702c9257097cdf215c55cef624dac7ec820ddd949d

General

Target

35176fbdc2256a61bf2c3d37c4e568d5.exe
Size

1.5MB
MD5

35176fbdc2256a61bf2c3d37c4e568d5
SHA1

d808ddfdf9e361fab35c77c1c2f65f6e8a0463f7
SHA256

dbda020b6931b2c8c20407702c9257097cdf215c55cef624dac7ec820ddd949d
SHA512

9ffb01c19f1c633ac572e546e0ac352af62b7ba3826c8d2b00f98f83105a86cf8b36ae972241da38a87a49bcca38795c57ad52e008f660db48d1e1f706083859
SSDEEP

49152:IcSHKKhDGqNiD95JLZhFs7QUamXB4f5O7v:IPKKtG04LZhmfa0qY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2820	demo.com

Loads dropped DLL 3 IoCs

pid	Process
2880	35176fbdc2256a61bf2c3d37c4e568d5.exe
2880	35176fbdc2256a61bf2c3d37c4e568d5.exe
2820	demo.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	demo.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2880	35176fbdc2256a61bf2c3d37c4e568d5.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2880	35176fbdc2256a61bf2c3d37c4e568d5.exe
2880	35176fbdc2256a61bf2c3d37c4e568d5.exe
2880	35176fbdc2256a61bf2c3d37c4e568d5.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2820	2880	35176fbdc2256a61bf2c3d37c4e568d5.exe	28
PID 2880 wrote to memory of 2820	2880	35176fbdc2256a61bf2c3d37c4e568d5.exe	28
PID 2880 wrote to memory of 2820	2880	35176fbdc2256a61bf2c3d37c4e568d5.exe	28
PID 2880 wrote to memory of 2820	2880	35176fbdc2256a61bf2c3d37c4e568d5.exe	28
PID 2820 wrote to memory of 2696	2820	demo.com	30
PID 2820 wrote to memory of 2696	2820	demo.com	30
PID 2820 wrote to memory of 2696	2820	demo.com	30
PID 2820 wrote to memory of 2696	2820	demo.com	30

C:\Users\Admin\AppData\Local\Temp\35176fbdc2256a61bf2c3d37c4e568d5.exe
"C:\Users\Admin\AppData\Local\Temp\35176fbdc2256a61bf2c3d37c4e568d5.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\demo.com
  C:\Users\Admin\AppData\Local\Temp\demo.com
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\demo.bat
    3⤵
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\demo.bat

Filesize
170B

MD5
f283d0ec5d947ec31fe5bbe78b07c6f8

SHA1
b243495f70100bd3c1641af2b09490d28d3c4c74

SHA256
878c53b547d0e0d54b61549654f6be437e368b3d2313fefa8e9368f92e6c1b6b

SHA512
7c3a967b2ecf6da8be37965b67eecbf7c21dec1dbb54c5f892ce9348c49b28f276e207dd2905fa9dfaa62d04fb6013d7c1c2007efe83b718e94c98c793a0a31e

Download Submit
\Users\Admin\AppData\Local\Temp\HDDPhysic.dll

Filesize
58KB

MD5
60ead979318a5effb7774fbcc2f23b50

SHA1
2d6df81c79aa75d771bffea6c9318848cfbe186b

SHA256
b2e5f4756d96c0060364ae70e8d0e52605b6aaeacb8c4b9894ad279e24c3a346

SHA512
4fa9ad0692b6553bf956ee6fff8d6948bef0a2fb1cfc97920f6cdbab6febb1f9070c6d8b03c387d09bdc6868278626f40ca35cd0685decf8a510c071d1582650

Download Submit
\Users\Admin\AppData\Local\Temp\demo.com

Filesize
162KB

MD5
bc9ae1258b839cb8924e005cc1ee02d1

SHA1
db74d2958f56fd9257462f3c3a887da018d72c0c

SHA256
0a3f9a12400c6854f651a36005b220bbf3584f4217d4374ab58591ae6eaa3d4c

SHA512
c42b5faa9943df8430489ade63307ba1e4a8a04a31c27155e44eafec01109ee8ff101670d3d3fc59fc47f67a250e8cdce3d4d17d25adb585c13e5ea163644a2f

Download Submit
\Users\Admin\AppData\Local\Temp\demo.com

Filesize
149KB

MD5
139d1e74288a5a2c0ae5a223d2c9b6e0

SHA1
be08f42953f3b79382e768d742ffdfd2e2d7f0a2

SHA256
94b2bb0db253f145f4bf59af6fc5beecd8b95faba769fcb0c245880192627475

SHA512
483722ddf67966030bcc8551961d376286ab3f474e4756139f6da45e855e806d15e95487d9a6a9c0af368ca91fadc65e9ab9e6764e1e7599dfae127ebb615348

Download Submit
memory/2820-39-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/2820-30-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/2820-27-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2820-25-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2820-38-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2820-37-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2820-26-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/2880-5-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2880-1-0x0000000000400000-0x000000000121016A-memory.dmp

Filesize
14.1MB

Download
memory/2880-24-0x00000000049D0000-0x0000000004A45000-memory.dmp

Filesize
468KB

Download
memory/2880-20-0x00000000049D0000-0x0000000004A45000-memory.dmp

Filesize
468KB

Download
memory/2880-0-0x0000000000400000-0x000000000121016A-memory.dmp

Filesize
14.1MB

Download
memory/2880-43-0x0000000000400000-0x000000000121016A-memory.dmp

Filesize
14.1MB

Download
memory/2880-44-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads