e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23

General

Target

e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
Size

9KB
MD5

fd3c5257cea9840e7707d9fd75091d4d
SHA1

5dfb3cff55cefaf7a018992dec2d1ccc89079ab4
SHA256

e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23
SHA512

f81fca983751282bb07c92c7da71bdbed728cfd0abb7cf94d5ad7f83c6f8bc56bdea0f0a44ee6afd3cf6df7cadd53a99966bd641ceb0ca84ec71c83fbf235567
SSDEEP

192:76f0GW5P2Io4evFrDv2ZRJzCn7URRsjVJaZF:76fjWl24evFrT2ZR5Cn7UR0VJo

Score

7^/10

bootkit persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 22 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Public\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000fc99214a946584520000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000fc99214a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000fc99214a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000fc99214a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000fc99214a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4960	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
Token: SeTakeOwnershipPrivilege	4960	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
Token: SeTakeOwnershipPrivilege	4960	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
Token: SeTakeOwnershipPrivilege	4960	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
Token: SeTakeOwnershipPrivilege	4960	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
Token: SeTakeOwnershipPrivilege	4960	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
Token: SeTakeOwnershipPrivilege	4960	e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe

C:\Users\Admin\AppData\Local\Temp\e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe
"C:\Users\Admin\AppData\Local\Temp\e5c03bee3168aaed6bda717e02db90a4258b70c0143812413e87e4093109ad23.exe"
1⤵
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\CopyGroup.dib

Filesize
445KB

MD5
d62941dcd10ce36d46c7e7e207c5bdb4

SHA1
3790c3794e13dea159c06eff45a34adb1d54c040

SHA256
bc741d66960a683fd2436bb9a841ac5ccc90feaa27ec94b6d84603875caa6254

SHA512
e9148ccb2e1ff83fd5f62db94757884caa9999d3b4848b5747a6fd43f490aa6f872b832aa1838535cfee1f19c297f6618ec7776c461b5cf5188f4adf41ed1f0c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads