7a75e1ccffbb48b833a6c0568d312282857e397024fcf134870914831e11b21f

General

Target

beb4479c7ca079bcfd383c866dabcd97.exe
Size

136KB
MD5

beb4479c7ca079bcfd383c866dabcd97
SHA1

3f936a598933295519e5cca4a1c6f270ea61ec79
SHA256

7a75e1ccffbb48b833a6c0568d312282857e397024fcf134870914831e11b21f
SHA512

6ee3b17c0321e90b48e1ab935c77f419d7646a47394ecb74d18cb94a45230629e0ea0cb413b97aa52c579c8a70697f514af6662b10df140eeeef2c6ed892505a
SSDEEP

3072:Lj51Phc8CVrFRsEOIVC1bPw3l4/VVlW0iqf2Tf4SHSle:Lj5M8CVpRs6C1Dw3WNVlW0iqwf4SHSl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1500	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2980	avp.exe

Loads dropped DLL 1 IoCs

pid	Process
2328	beb4479c7ca079bcfd383c866dabcd97.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	beb4479c7ca079bcfd383c866dabcd97.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\od3mdi.dll	beb4479c7ca079bcfd383c866dabcd97.exe
File created	C:\Windows\SysWOW64\delplme.bat	beb4479c7ca079bcfd383c866dabcd97.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\avp.exe	beb4479c7ca079bcfd383c866dabcd97.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2328	beb4479c7ca079bcfd383c866dabcd97.exe
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2328	beb4479c7ca079bcfd383c866dabcd97.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1500	2328	beb4479c7ca079bcfd383c866dabcd97.exe	29
PID 2328 wrote to memory of 1500	2328	beb4479c7ca079bcfd383c866dabcd97.exe	29
PID 2328 wrote to memory of 1500	2328	beb4479c7ca079bcfd383c866dabcd97.exe	29
PID 2328 wrote to memory of 1500	2328	beb4479c7ca079bcfd383c866dabcd97.exe	29

C:\Users\Admin\AppData\Local\Temp\beb4479c7ca079bcfd383c866dabcd97.exe
"C:\Users\Admin\AppData\Local\Temp\beb4479c7ca079bcfd383c866dabcd97.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c delplme.bat
  2⤵
  - Deletes itself
  PID:1500

C:\Windows\avp.exe
C:\Windows\avp.exe
1⤵
- Executes dropped EXE
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\delplme.bat

Filesize
264B

MD5
ff0cfc884b10bd269cad65416147445f

SHA1
c25074b014db786161c8502a333b1ab1088db6c8

SHA256
adf0cda2997ba8739eb5b5205fc56f0072006634a9096f6942e8df22f27f4dd0

SHA512
221f90e31cbc739c1c9858cf95346c76d25bbc5dd7cad29dd2146ddc30f72fa6696c3bd5d6e4d872ee21183f1e14317ce07b3e02835e920e36adec181a99e458

Download Submit
C:\Windows\avp.exe

Filesize
18KB

MD5
b1772ac0ea52843391e6242b403e4979

SHA1
50673dfe4a0a7847f3fb37681cf94670b3d2b72f

SHA256
02ee17746e5aa2813bc50b3e59f3a86798015d023d0397d4cfe974b317445e8a

SHA512
17a3e9ce45b8d2af30e0af28747ea9fd9b72b594bf7c9fb4e09398beeae2eb9e6cd7ecf39f9230aa5e813c1a677783d0f9f88f9235ac7039db66538c2e1d10fb

Download Submit
\Windows\SysWOW64\od3mdi.dll

Filesize
103KB

MD5
aadb4ba1cbf92d6f8f232b19d66359ba

SHA1
be7c64a9395e8f26b35b3d2061e4a1cfa126f1e2

SHA256
bbf8f4242396712cfe980755c7e1640e5a572356ad8e4ce94f22c72504aa3ea1

SHA512
4a2e8080e60b27569cc97023617af5b75b2d46a940bd1e4462c3532aa3dfae630c56570faea83da2a7456388b3d75c37bec869f6013e0cfefc840747da43eb83

Download Submit
memory/2328-0-0x0000000000400000-0x0000000000454200-memory.dmp

Filesize
336KB

Download
memory/2328-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2328-2-0x0000000000400000-0x0000000000454200-memory.dmp

Filesize
336KB

Download
memory/2328-15-0x0000000000400000-0x0000000000454200-memory.dmp

Filesize
336KB

Download
memory/2980-20-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-25-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads