e97ba85e7bda7094f1aae1ed53981845c1ea52ff36c2eda083ee2198ae9cb2f6

General

Target

406047df1cabc0dbe2932fb228c51798.exe
Size

110KB
MD5

406047df1cabc0dbe2932fb228c51798
SHA1

4d35b17986d26ca7e66b9b4bcef0f22c1fd65115
SHA256

e97ba85e7bda7094f1aae1ed53981845c1ea52ff36c2eda083ee2198ae9cb2f6
SHA512

c0e6ad0d18ef8d452fa500a581174a4d973d813aae21bc09ea56b34ff674764cf7308ca215860d2bcf780ec71bc3fa2f8636e7867b850c801f6f32f60016d0b7
SSDEEP

3072:x9amc9x9gsoZPT4qpsX61m6EODkJa7b+uj:xk8soZPsqiQm6Eob

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
848	avp.exe

Loads dropped DLL 1 IoCs

pid	Process
1744	406047df1cabc0dbe2932fb228c51798.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	406047df1cabc0dbe2932fb228c51798.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\oD3mdi.dll	406047df1cabc0dbe2932fb228c51798.exe
File created	C:\Windows\SysWOW64\delplme.Bat	406047df1cabc0dbe2932fb228c51798.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\avp.exe	406047df1cabc0dbe2932fb228c51798.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
1744	406047df1cabc0dbe2932fb228c51798.exe
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1744	406047df1cabc0dbe2932fb228c51798.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2800	1744	406047df1cabc0dbe2932fb228c51798.exe	29
PID 1744 wrote to memory of 2800	1744	406047df1cabc0dbe2932fb228c51798.exe	29
PID 1744 wrote to memory of 2800	1744	406047df1cabc0dbe2932fb228c51798.exe	29
PID 1744 wrote to memory of 2800	1744	406047df1cabc0dbe2932fb228c51798.exe	29

C:\Users\Admin\AppData\Local\Temp\406047df1cabc0dbe2932fb228c51798.exe
"C:\Users\Admin\AppData\Local\Temp\406047df1cabc0dbe2932fb228c51798.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c delplme.bat
  2⤵
  - Deletes itself
  PID:2800

C:\Windows\avp.exe
C:\Windows\avp.exe
1⤵
- Executes dropped EXE
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\delplme.Bat

Filesize
264B

MD5
40420a7831e3905bbe45c667c6869c12

SHA1
6772f8eed3d4c65709433ce54ce740dd56be086c

SHA256
b27bf86f9d16eedaee8d3ac87adfe039eb9bf70df88815554c4840ecd7910f55

SHA512
a0c1cccdc450099182f39636f10f69225f6a59be6cc1be820b179f00e816c835cdbc48712d3f70a4f3730cc00336fa79e9a45386a1a7726e277dacf83e13e84e

Download Submit
C:\Windows\avp.exe

Filesize
18KB

MD5
e27eec71d4edd47773b987ee59f6d9fe

SHA1
62789e1cf0efe3fca93e1d375b9127fbb857f8e1

SHA256
bf75ad1bbdfcad2e2f843781ef10d980fa853bd7370707b0c4871495666fef4b

SHA512
fd170f13ed7268bebe1bbc0ab045e7fc4b9acb942044c82a160422efe5ad9c5eeb0427fdd20f4cb2ae792c0ed447674cb65bfb25bb9dd5334c25affe8d0ea5b0

Download Submit
\Windows\SysWOW64\oD3mdi.dll

Filesize
238KB

MD5
8423ec6e2ed7219fc87a60f8e7f90c1b

SHA1
46a9204ddba715f06d3e52f26282d29521d2ef38

SHA256
75e425f310d0dd597e7510dcf37f6e0cd8ab71e52d2deeaa330f05af66fb9937

SHA512
bb931745d9b663e84729913642d7a48dffc6dd98bc592a0eec92077a9279a9ebf3fba26339621859ce3b76bd962cec833e3fe9f58ea98830fa635e4f9ddbb4fb

Download Submit
memory/848-18-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/848-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/848-29-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/848-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/848-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/848-28-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/848-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/848-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/848-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/848-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/848-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/848-24-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/848-26-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1744-3-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1744-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1744-15-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads