a87b7213d0205f2c9502cdf218378dde2474c74f71757ae18dfe23e14e61ed90

General

Target

a87b7213d0205f2c9502cdf218378dde2474c74f71757ae18dfe23e14e61ed90.exe
Size

1.0MB
MD5

96769de10b692d3d67b1505b57f3fbf7
SHA1

d158cfa191c15745cd5e93debee3d46a019d88d7
SHA256

a87b7213d0205f2c9502cdf218378dde2474c74f71757ae18dfe23e14e61ed90
SHA512

9e0530aaf97307fbe1d9f7fb28b534ae1225fb1f9b6dfa8226dfd1ae3e48edb03ab663445304a8767235b5748c052101b9b8e7da4274c7dd43af9d51433612e2
SSDEEP

24576:vU9BO4+sT99C+cU0mhWDmKYwaUFvv+4DTo4:vU9Br+sT99CvU0XtYvUNmyTF

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	a87b7213d0205f2c9502cdf218378dde2474c74f71757ae18dfe23e14e61ed90.exe

Executes dropped EXE 1 IoCs

pid	Process
2628	NFWCHK.exe

Loads dropped DLL 1 IoCs

pid	Process
1372	a87b7213d0205f2c9502cdf218378dde2474c74f71757ae18dfe23e14e61ed90.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	a87b7213d0205f2c9502cdf218378dde2474c74f71757ae18dfe23e14e61ed90.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1372	a87b7213d0205f2c9502cdf218378dde2474c74f71757ae18dfe23e14e61ed90.exe
1372	a87b7213d0205f2c9502cdf218378dde2474c74f71757ae18dfe23e14e61ed90.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 2628	1372	a87b7213d0205f2c9502cdf218378dde2474c74f71757ae18dfe23e14e61ed90.exe	28
PID 1372 wrote to memory of 2628	1372	a87b7213d0205f2c9502cdf218378dde2474c74f71757ae18dfe23e14e61ed90.exe	28
PID 1372 wrote to memory of 2628	1372	a87b7213d0205f2c9502cdf218378dde2474c74f71757ae18dfe23e14e61ed90.exe	28
PID 1372 wrote to memory of 2628	1372	a87b7213d0205f2c9502cdf218378dde2474c74f71757ae18dfe23e14e61ed90.exe	28

C:\Users\Admin\AppData\Local\Temp\a87b7213d0205f2c9502cdf218378dde2474c74f71757ae18dfe23e14e61ed90.exe
"C:\Users\Admin\AppData\Local\Temp\a87b7213d0205f2c9502cdf218378dde2474c74f71757ae18dfe23e14e61ed90.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  2⤵
  - Executes dropped EXE
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsWAE.log

Filesize
1KB

MD5
974026f4a5ae762d61bd51198e3befb1

SHA1
6a3d420aa2dc17f0f33bb2f728b34932076d40ea

SHA256
6a1318bc804d1e2cfd8ee97b70f727909775932602941f96afc5d40d0dda71e3

SHA512
35f35db5c88bdd2439e3d1f9a8ea20a32eb085eca9c784912294fc7efc5810e363669cf9e94eecc9cb9d6c12a621f1849ac208ff38812d04cf8aaeb8543e920d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsWAE.log

Filesize
2KB

MD5
45a4bb8bc620e7c86f0931ca7ff370bb

SHA1
6e68142426542cf680cba934190f0aee544927ee

SHA256
506cedb8df31671cc67f6d79eb08753f8c4a73ebbc8361848020b0ff9497721d

SHA512
3c9fd7975827e31c0bf5aa6b25a154de78fdd7966a77b54c9bae4868ac913cafdf7006746f8d2069d5eebec9cf77f09386e3c787f40502f4dc0670cfce83dfed

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsWAE.log

Filesize
548B

MD5
1353095bff8500d2aed17211717da86b

SHA1
e52723603a97d34ddd297669ca8d9322dec0c9e2

SHA256
94e92b22105af7f97dec08d1972438f3d4c8fadd29bfb6fa186e99a685597cec

SHA512
04149fdd56f4714f44943a2d9c630d99c24e26e59e34c9059663ed51e74b459dc6f246dc762cdb024c3514802191de38a311088f205953d1b5b770121d2eb0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsWAE.log

Filesize
4KB

MD5
477f7f720dfe3e463b5843dc3c3bf1a5

SHA1
06cdb41303667989e966761e2048c21c59465403

SHA256
2906e2048cc97c1e276965d0cbf9535f985d05e5a44683aea3b52a8cb20e4393

SHA512
b34f479d6c01b27138f4d026db93a6b19d0269e911f394e3fc6dba9446cc8ec262cbcfbfddb6b499c1bfc2ad111f54de91142b21b114c4964823835a07532692

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

Filesize
229B

MD5
ad0967a0ab95aa7d71b3dc92b71b8f7a

SHA1
ed63f517e32094c07a2c5b664ed1cab412233ab5

SHA256
9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc

SHA512
85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

Download Submit
\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
memory/2628-76-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-77-0x0000000002010000-0x0000000002090000-memory.dmp

Filesize
512KB

Download
memory/2628-78-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-79-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads