d9b20243128608b90703af34197b18c37aa64401cae65d5f76442d0b3ea38283

General

Target

abb46444054b7fa13ad3b1279b328969.exe
Size

22KB
MD5

abb46444054b7fa13ad3b1279b328969
SHA1

22fc3cb36605a8a08563c4ff217a9e7288474194
SHA256

d9b20243128608b90703af34197b18c37aa64401cae65d5f76442d0b3ea38283
SHA512

6aa69ae25f06cff4ba628b28db506a26f0ce78ebde42ed9c399af916b8398359c39797080a3bd78e5dba5c74613dbd03710442745dc421332196afaade16c1bb
SSDEEP

384:nRI5PCiTQBjY2sWTXDMozA7cPeEEw7sGzyjMsuYlkIJwPjVJ3hxinzJwAkJ9:WClK21Uoz6C/qjTuYGIJgjVJXZAkf

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\beep.sys	abb46444054b7fa13ad3b1279b328969.exe
File opened for modification	C:\Windows\SysWOW64\drivers\beep.sys	abb46444054b7fa13ad3b1279b328969.exe

Loads dropped DLL 1 IoCs

pid	Process
3144	abb46444054b7fa13ad3b1279b328969.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3144-0-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3144-12-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3144-13-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	abb46444054b7fa13ad3b1279b328969.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4448	3144	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe
3144	abb46444054b7fa13ad3b1279b328969.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3144	abb46444054b7fa13ad3b1279b328969.exe
Token: SeDebugPrivilege	3144	abb46444054b7fa13ad3b1279b328969.exe
Token: SeDebugPrivilege	3144	abb46444054b7fa13ad3b1279b328969.exe
Token: SeDebugPrivilege	3144	abb46444054b7fa13ad3b1279b328969.exe
Token: SeDebugPrivilege	3144	abb46444054b7fa13ad3b1279b328969.exe
Token: SeDebugPrivilege	3144	abb46444054b7fa13ad3b1279b328969.exe
Token: SeDebugPrivilege	3144	abb46444054b7fa13ad3b1279b328969.exe
Token: SeDebugPrivilege	3144	abb46444054b7fa13ad3b1279b328969.exe
Token: SeDebugPrivilege	3144	abb46444054b7fa13ad3b1279b328969.exe
Token: SeDebugPrivilege	3144	abb46444054b7fa13ad3b1279b328969.exe
Token: SeDebugPrivilege	3144	abb46444054b7fa13ad3b1279b328969.exe

C:\Users\Admin\AppData\Local\Temp\abb46444054b7fa13ad3b1279b328969.exe
"C:\Users\Admin\AppData\Local\Temp\abb46444054b7fa13ad3b1279b328969.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 548
  2⤵
  - Program crash
  PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3144 -ip 3144
1⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dat11FC.tmp

Filesize
14KB

MD5
de66c830cd1b082e6551022bebcf1c9b

SHA1
6470a3e71ae4e9f31862e88b66a96496cf87b93d

SHA256
17b627d224870c7616fef96f509862c9aad45912dec2c875616e3b52f16e52a2

SHA512
a7b669457b177b5675260e06a4a48f2d81bc84973c4eb4d13056587e70d8cdef86cedb9179be2cf02b20e91207a0bda9c989055d29905da9237d29c3ccc18584

Download Submit
C:\Users\Admin\AppData\Local\Temp\dat122C.tmp

Filesize
10KB

MD5
47719e94a415c8df20535cf0c6f3f196

SHA1
9ded7777ecbe47419a4fbc2f8a0e8f6078451c63

SHA256
f33be11cf95312f161bc63bbc675897f04f0a43807e9f82ef1c9c05d55b2a4f7

SHA512
35c59d5276118073738fb5ea53f3325d4c00cce0e9296ec74ce25417486a7ac43f19acc30fd8cb0ffc9b1e7269091f370f6949d68563de18b1c05928b06a8670

Download Submit
memory/3144-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3144-5-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/3144-12-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3144-13-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3144-14-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads