5372131530fc7607c1dd10f5766079c3dbbffcb6af3004eb7d36f52b83ed702f

General

Target

1025fd66fc2cd4c56ebafd7041a2ebb1.exe
Size

809KB
MD5

1025fd66fc2cd4c56ebafd7041a2ebb1
SHA1

15219c3b0ec9d3ed42fdaef6b8ae524d2f221a0d
SHA256

5372131530fc7607c1dd10f5766079c3dbbffcb6af3004eb7d36f52b83ed702f
SHA512

963305db1beccfc87469109f51ac0d47ef0e4b7208ce3a4971310311c3991d394264f550418ed0966c44b9acdc9c6d27bc92c78831cfacdca494677f444adda3
SSDEEP

24576:1iqn+m+UEB2KbyxQf3vFdIMDyX/Ac2qFg7:ATIE8KbyxQf39dIgQ/AZq2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2652	privacy.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	privacy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2980	1025fd66fc2cd4c56ebafd7041a2ebb1.exe
2980	1025fd66fc2cd4c56ebafd7041a2ebb1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2652	2980	1025fd66fc2cd4c56ebafd7041a2ebb1.exe	24
PID 2980 wrote to memory of 2652	2980	1025fd66fc2cd4c56ebafd7041a2ebb1.exe	24
PID 2980 wrote to memory of 2652	2980	1025fd66fc2cd4c56ebafd7041a2ebb1.exe	24

C:\Users\Admin\AppData\Local\Temp\1025fd66fc2cd4c56ebafd7041a2ebb1.exe
"C:\Users\Admin\AppData\Local\Temp\1025fd66fc2cd4c56ebafd7041a2ebb1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2980
- C:\ProgramData\privacy.exe
  C:\ProgramData\privacy.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:2652

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4440

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1496

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4476
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:2352

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3588

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4664
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:4364

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3092
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:464

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4212
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:4840

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3864

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:708
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\privacy.exe

Filesize
142KB

MD5
a4d18e583bca27637bd846432c0e1003

SHA1
4d51d70c57417b6092a601b8a16c8806dfd4c3f6

SHA256
7f1932518dc241fe13348ecbad285cb1d42701242cec9da4a5a0a3ca44ce28f7

SHA512
7d0e5fb90fce40209cdfcf88be24935e0106740ba4653fd572a342a40bfd468d9eb52ad57f20fae896e22e20694aa3bc96f9b04c09cbed6f8a58bdbc7da185eb

Download Submit
C:\ProgramData\privacy.exe

Filesize
120KB

MD5
bdb25c41dfe79ab790cda98c7dc616db

SHA1
929518963a1af13fea4c9e713be9525a5f43cd11

SHA256
29c3113e6328d97444ef07a69d4c85fb97c3ba99d7416ad7ca600717118608c4

SHA512
dd991ccfc042c9c571a8989d2ab48c69a9bc0eb4bceb3035f88ab90c5fa2e3e33b5ab10231024cc424164a5027b340045344f528fd383d3af36c156c8dda5dda

Download Submit
C:\ProgramData\privacy.exe

Filesize
92KB

MD5
99fec3254ffa135b8c05873700b3114c

SHA1
8349c77d9184400ff3c3555f9ecc5ece4f66f760

SHA256
147cd560ead852540e52bf6bd01f4cf5d3e250d1352650ce443068de8717e005

SHA512
03a6ed199360635cf4823b84f9e3fdc29a494b28de336132898233ad1bf2bd34997551f9b370bbb3b592b235466dc703652919ccbeaa9e23981e656957c28311

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
a760fb773b23d783f07e77de846bde96

SHA1
35f4a0c1ba33dee757f2b028fb313c3019b699fd

SHA256
e07532c862bf12834627535fe4304cbf9d977e22968dea7b99fa5bd9a733c290

SHA512
d8bf7846b453924fcaec8e153a7a3ea633e64c3aa695169ebfa944e48f4a8e0ddd8703d48ce988ba360d826e72006576cd822bc0b3ecf496d47649532ccc501e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
4dda232d3624c16735717082c79b2507

SHA1
4d75ce236a93045d2148cca713b25fc79b72a1f2

SHA256
10c94885e6568f3018c39cd82f85f1ffe50d8546f573881cb9c6fd455c328131

SHA512
77463d82c2627249151f6fa4174b5c04ff5e81b37b7ba8d322f101d095f2979ff8262ba4908cc61387e2ee54e3528580960122aacb3ce8622b41c6597c0d7fa8

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db

Filesize
15KB

MD5
72f4e7f042f63f473ea20a83011f1704

SHA1
04efd9f83719c491d449e36344cbdd5e94412501

SHA256
14479a0110e2f20325127f689e5813d1f60bb914f294b0f58d65d7e4de18a46c

SHA512
3881dcabda6b565786ad20a9eee93625c83163b57725194f9f39cae3012addc4e1217eab3da7e7b8a75562e17f4d9a787cac8502e1fc97004bc55775d27330fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Filesize
1022B

MD5
ce6c73e90308666da791421811ed5dc2

SHA1
1983aef384427a03b47f2a0cdbff9f733a0be2ca

SHA256
00239d0e245750bd78a5300a157af7859ce98554cfc1fdc565b93291dc04d234

SHA512
3bde72f8b50fb433a026bfc1abdd9d096b86fcb63685bc5ff9e62840badeaa0d1f582536df28300d2e4939f95b106f3c0721aa173b2e11b5ee88f3619a579bb6

Download Submit
C:\Users\Public\Desktop\Privacy Protection.lnk

Filesize
672B

MD5
3e5d90a30d286bb2e01604d946096284

SHA1
2ca1a58aff583b210f35b554e127a35fc967750e

SHA256
ab51d89c55d65132c08330a90717b88f46ea925b0803cc2cfa2a17847edcd45d

SHA512
154585c3d3cd84c00dc41e15ff005e208cdc2695029cedd3cb45452b4165150dfa7b5113fce7f6a01e5662321a2dab6cc066ea227ce95f7b860966bfbb48486e

Download Submit
memory/2352-27-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2652-45-0x0000000000D50000-0x0000000000D59000-memory.dmp

Filesize
36KB

Download
memory/2652-71-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-25-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-18-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2652-16-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-13-0x0000000000D50000-0x0000000000D59000-memory.dmp

Filesize
36KB

Download
memory/2652-14-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-84-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-83-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-82-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-81-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-78-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-53-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-52-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-60-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2652-61-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-68-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-69-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-70-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-17-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-76-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2652-77-0x0000000000400000-0x0000000000B11000-memory.dmp

Filesize
7.1MB

Download
memory/2980-1-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2980-6-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2980-0-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/3652-50-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/4840-40-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads