03b6c6768c646a743565f36ff617ed9a7aedabc418ba443d392261441f102746

General

Target

c30dd23bf4889ce2cd2f842373d31609.exe
Size

544KB
MD5

c30dd23bf4889ce2cd2f842373d31609
SHA1

2f896de2271259eef258ecf46addcbfe0b35ff45
SHA256

03b6c6768c646a743565f36ff617ed9a7aedabc418ba443d392261441f102746
SHA512

872e50fbfcbb6abe4cefa96074bb0d8dd8f5f88ae6ba03398192abf34223cb4ff0ecc629d77120dfa6addd24f836ad9f8b2fb6bda3c7d10b129224021a9fde06
SSDEEP

12288:HJUzLBeJqq8N1BB+pCqbX3xDUsVlUMMEcCoWz9:HG3BePm1BB+pZnKsVlUMMpv0

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	c30dd23bf4889ce2cd2f842373d31609.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe Media Player\assets\iebbbce.jse	c30dd23bf4889ce2cd2f842373d31609.exe
File created	C:\Program Files (x86)\DriveTheLife\Drivers\mifffgi.jse	c30dd23bf4889ce2cd2f842373d31609.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\ = "????"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\CLSID	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\command\ = "WScript.exe /B \"C:\\Program Files (x86)Intel\\Logs\\gczzzac.jse\" \"%1\""	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\IconHandler	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.solll\ = "uqnnnoq"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\NeverShowExt	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\IsShortcut	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\command	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\ContextMenuHandlers	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\ContextMenuHandlers\	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\ = "open"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.solll	wscript.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
468	c30dd23bf4889ce2cd2f842373d31609.exe
468	c30dd23bf4889ce2cd2f842373d31609.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 2364	468	c30dd23bf4889ce2cd2f842373d31609.exe	91
PID 468 wrote to memory of 2364	468	c30dd23bf4889ce2cd2f842373d31609.exe	91
PID 468 wrote to memory of 2364	468	c30dd23bf4889ce2cd2f842373d31609.exe	91
PID 468 wrote to memory of 1292	468	c30dd23bf4889ce2cd2f842373d31609.exe	92
PID 468 wrote to memory of 1292	468	c30dd23bf4889ce2cd2f842373d31609.exe	92
PID 468 wrote to memory of 1292	468	c30dd23bf4889ce2cd2f842373d31609.exe	92

C:\Users\Admin\AppData\Local\Temp\c30dd23bf4889ce2cd2f842373d31609.exe
"C:\Users\Admin\AppData\Local\Temp\c30dd23bf4889ce2cd2f842373d31609.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe /B "C:\Program Files (x86)\DriveTheLife\Drivers\mifffgi.jse"
  2⤵
  - Modifies registry class
  PID:2364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$dss.bat
  2⤵
  PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DriveTheLife\Drivers\mifffgi.jse

Filesize
1KB

MD5
1e4063e05d1eb1ecc08cf945df34d5ce

SHA1
6a78abb59b1b19d0493d8f2487b96688da78cdcf

SHA256
f9a887ddac026115c0dfe4fad564b7caac17c2c7d9237e3bb886cfebccdfd1c8

SHA512
b0f1bf871c692bc73985bf9c6d597b2eac2e7160252f7247b42d2f45544089db0d55df21d41d61eb10f14517a88c6dc59cd9a5fa51d13cc2b01de4da06485e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dss.bat

Filesize
246B

MD5
b211c858d10413d5a58614b36a4c2c86

SHA1
5c374bd632cc5199c6e73bee53567a6e4f0787e1

SHA256
1ffc57fda104ab8bd80a025624bd558d1b69332f55cb20844c5122c7af0e3654

SHA512
a65ff4d4658fb409f2470cbeef5e128bf6ef439bef9c6dc3046afa19ff731ae349571f0dcf50dc20932f3508e43049a3a9455a9a4d6861b3a7fb1f312a5d3f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaoBao.tmp

Filesize
143B

MD5
fdbe75eee63e579fc4d54d5e96ffdc05

SHA1
6e4e0665f4ef8f058f815d9457f55d1fd1b1681e

SHA256
4434bbb1a63da852a06a95cae272a9387e045f2327f1aa71b10e8e524761ff44

SHA512
2a478daeded3250d3dfa1ac0d8d3f6fe763bccd29d8b116e4b7db5e28f6c2ba6cf5d19e44db1e1c4a4f10df5aab87c1196c8140b5bcc34a997853f6b971a2f8b

Download Submit
memory/468-0-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/468-1-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/468-23-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/468-24-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads