271b349d9ccfe80938f4ff595b5473359bfc99554bb82dd7af420aa20d9313e9

General

Target

967e1f338651fe271adc5d8dabf8f16d.exe
Size

21KB
MD5

967e1f338651fe271adc5d8dabf8f16d
SHA1

2d3d7efe5080ebd420c0db098d5b6cdb5a59fcf7
SHA256

271b349d9ccfe80938f4ff595b5473359bfc99554bb82dd7af420aa20d9313e9
SHA512

1506221e9c2d1ec91012569b0c96cdfc7987d6b39fb07afe4ac860e5641312cb28bae129ce82f25829021d0ccafab963d96569699c3166c078477d79a24620e6
SSDEEP

192:GKBTq2BtD+RFlm8QRsJ6cAuEzpCmMAM9fsJ5sP1oyJsxCp9Xz5uaoHQ7ZHt:1xq2S7JKjMT9kG14+9tuDQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3208	weilai.mp3

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	967e1f338651fe271adc5d8dabf8f16d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\weilai.mp3	967e1f338651fe271adc5d8dabf8f16d.exe
File opened for modification	C:\Windows\weilai.mp3	967e1f338651fe271adc5d8dabf8f16d.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 4516	1248	967e1f338651fe271adc5d8dabf8f16d.exe	84
PID 1248 wrote to memory of 4516	1248	967e1f338651fe271adc5d8dabf8f16d.exe	84
PID 1248 wrote to memory of 4516	1248	967e1f338651fe271adc5d8dabf8f16d.exe	84
PID 4516 wrote to memory of 2880	4516	cmd.exe	86
PID 4516 wrote to memory of 2880	4516	cmd.exe	86
PID 4516 wrote to memory of 2880	4516	cmd.exe	86
PID 4516 wrote to memory of 1392	4516	cmd.exe	87
PID 4516 wrote to memory of 1392	4516	cmd.exe	87
PID 4516 wrote to memory of 1392	4516	cmd.exe	87
PID 1248 wrote to memory of 560	1248	967e1f338651fe271adc5d8dabf8f16d.exe	88
PID 1248 wrote to memory of 560	1248	967e1f338651fe271adc5d8dabf8f16d.exe	88
PID 1248 wrote to memory of 560	1248	967e1f338651fe271adc5d8dabf8f16d.exe	88
PID 560 wrote to memory of 2020	560	cmd.exe	90
PID 560 wrote to memory of 2020	560	cmd.exe	90
PID 560 wrote to memory of 2020	560	cmd.exe	90
PID 1248 wrote to memory of 2876	1248	967e1f338651fe271adc5d8dabf8f16d.exe	91
PID 1248 wrote to memory of 2876	1248	967e1f338651fe271adc5d8dabf8f16d.exe	91
PID 1248 wrote to memory of 2876	1248	967e1f338651fe271adc5d8dabf8f16d.exe	91
PID 2876 wrote to memory of 336	2876	cmd.exe	93
PID 2876 wrote to memory of 336	2876	cmd.exe	93
PID 2876 wrote to memory of 336	2876	cmd.exe	93
PID 1248 wrote to memory of 3208	1248	967e1f338651fe271adc5d8dabf8f16d.exe	94
PID 1248 wrote to memory of 3208	1248	967e1f338651fe271adc5d8dabf8f16d.exe	94
PID 1248 wrote to memory of 3208	1248	967e1f338651fe271adc5d8dabf8f16d.exe	94

C:\Users\Admin\AppData\Local\Temp\967e1f338651fe271adc5d8dabf8f16d.exe
"C:\Users\Admin\AppData\Local\Temp\967e1f338651fe271adc5d8dabf8f16d.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c temp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\explorer.exe /g Admin:f
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c temp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\SysWOW64\compact.exe
    compact /u c:\data_temp
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c temp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\compact.exe
    compact /c c:\data_temp
    3⤵
    PID:336
- C:\Windows\weilai.mp3
  C:\Windows\weilai.mp3
  2⤵
  - Executes dropped EXE
  PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.bat

Filesize
47B

MD5
64e413ce7565102f845f1e4bb358b02b

SHA1
b45dd4bf7271d715629a588440b4f978dbe7c405

SHA256
156c76475b9d988255348fa3ac969efdaa563c343b6ccfea971061133b47ef2d

SHA512
14e4a26c90a11966e76ba15a2a70bd3021e62868ddf5f754284b1f591224d19f12283aea90c8e46103a0b69cca8f6c2c9fe0f42db1982c83591d3dc5e7138b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.bat

Filesize
23B

MD5
ab62849c6b9bbcf65f5d4d81db96733d

SHA1
baa6cb91da43fec7ec6cbc5ec9815410109f60ab

SHA256
3ff54a123797952500879a237f0fd1f96aa54a40a75fd80f567683ba183d824b

SHA512
bc140821bafb20bb234821b17ebc24d7d111c5826af2609b4d8c0bba7978376a647d6925dd6613e2dfe2d399d1c3f100bc1bcd0bb0ab4726e9bbff8e6d6c94e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.bat

Filesize
23B

MD5
7ff1ce104201b27cec1f0ace49336a1b

SHA1
55bc4768c27ab2fc60a68ec0386f460660fd91ed

SHA256
e5a3a793fd04364eddbb5ba4fa3dc5721143e4e938a97ecd466e775b78dd4caf

SHA512
45962603a75004dad77c78907f2d35622da5e554ceaac6656b52b94375f165aef5e40f3f0cf778971b7ebc7d7024713f4f1a54b23b9d3b06836bfe5fd2a2b0e4

Download Submit
C:\Windows\weilai.mp3

Filesize
4KB

MD5
3d55128b36a73a7ac7a561bf5ec98734

SHA1
bf4561450b5601ca5037f1f59142a75d8011c143

SHA256
4251ab4d973dcfc6d0390c4f1fd79981c3d61145b710fc0f535b6608475b4857

SHA512
2deeb0243e8301aa477625852fa8cd871adb2b9ad15361777641ab3a0326ca13b11cae27e9e179b7ede6159930b2efc7539f71ba8a8c93bc64f6a59ff9ca5f93

Download Submit
\??\c:\data_temp

Filesize
896KB

MD5
aef8ccbcadd78367f5654c5fbc325748

SHA1
3b5f318604ae5c661a981365c58063c088f17fe6

SHA256
2be21a5ab6814941509abc8587c1b81affd8e828c6afcb530fab5ff325411c73

SHA512
0f0327ca97b1df0463dba391d97d24b6b094dbbf46dfb2e3f2f0ddae374302b025b4645defdb77e5d7671c7c4d69aadf5cfee53dbbcdf8cdd3fd0746ea5fbecf

Download Submit
\??\c:\data_temp

Filesize
4.3MB

MD5
444cfc776eaa6c405471bee3c083c674

SHA1
d183b5293354f8f5b58a89160bc40ad713a70017

SHA256
6ea06b12c2425918d02a4398ec248f31c154cf9d3794059c047ca85ddf2b8ab8

SHA512
f8f6a0695553241c4922af7e20cc0996d9955618048d2b09cfe882ef5b20540fc15108536442d42072eb3bcea93aa1a8ab2a4492044f287caf5313e82e34b945

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads