4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350

General

Target

4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe
Size

1.5MB
MD5

ac2a422cc3bad3118bea0266a8fa0129
SHA1

28ad50792975fecbb77202cfb3636e766c811a9f
SHA256

4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350
SHA512

67439e008733048f71f6b1bf6eac5469272a0377f8c6ec7349720114917a54136d47b9988e6d4e04e5c4cda5251ebd2aabeda1ae135991e705e438641beb3fa1
SSDEEP

24576:Ioh3aS/tIUh102NhHF5Qk7t1T+5kKUY9lgtfifmyWTTnLNvvNAYWL6WTHUXLL9nH:IIX02NJFX7tR+Okl6fiFOLrAfFDQ9ns6

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2820-0-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral1/memory/2820-44-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral1/memory/2820-45-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral1/memory/2820-46-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral1/memory/2820-47-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral1/memory/2820-48-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral1/memory/2820-49-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral1/memory/2820-50-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral1/memory/2820-51-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral1/memory/2820-52-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral1/memory/2820-53-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral1/memory/2820-54-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral1/memory/2820-55-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral1/memory/2820-56-0x0000000000400000-0x000000000083A000-memory.dmp	upx
behavioral1/memory/2820-57-0x0000000000400000-0x000000000083A000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2608	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2820	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe
2820	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2820	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe
Token: SeLoadDriverPrivilege	2820	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2820	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe
2820	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2608	2820	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe	29
PID 2820 wrote to memory of 2608	2820	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe	29
PID 2820 wrote to memory of 2608	2820	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe	29
PID 2820 wrote to memory of 2608	2820	4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe	29

C:\Users\Admin\AppData\Local\Temp\4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe
"C:\Users\Admin\AppData\Local\Temp\4cb96aaf3aacba27e2bac5273270d3df5e651232891f424eafc03ffbfda1d350.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_2820.log
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\cpuz_driver_2820.log

Filesize
1KB

MD5
df12eddd638a59e7537db0f92b39ac4c

SHA1
60c4cca9183154f5aab03a06dc10183b36112736

SHA256
7b21f78e1bf80d6ace8dd96ba51a28da1cd5417303139e5d35a7b8164ae91fd1

SHA512
9a29712b4841ef5b126fb08ac5281f16428a5e73465c1cb55bff4ac0c5c07f875718acbee8c22fb02e9ec23dfa8318ab275d36f7ec65f210452c15c6452dc341

Download Submit
C:\Windows\Temp\cpuz_driver_2820.log

Filesize
987B

MD5
3fbf223bee08301dbe71bf1385f90c39

SHA1
684066715121fd85c77aa3e8e1cd4ce0cdd78777

SHA256
a55db73dc03aa9d35ed12e41adf365de73ddc7fea6812e3d23e74082b55a4737

SHA512
5c7b5e290297d4e541bbc7b70806335382f525b738e9ae07bce488584bb2aacebdb0bbf92286d7766b2883a7fe62a99e6d9dae960b2447a125b86c746a719182

Download Submit
C:\Windows\temp\cpuz_driver_2820.log

Filesize
2KB

MD5
0cd3226a41068c2b1e79fdb1203090c8

SHA1
3ee02b44fd2a0edf48ae3f54bd53c40af095c984

SHA256
fc14db7ce9580aa86c27a7c2bf9bc1a7f52881f2462a9be0621867612bbc250d

SHA512
8b4de08e6cfd259dec80060b9b59377a8afbfd896f30d130648796a3c9c0bcbcf857f667cb7bc4440ed6d2044624b88eeafc935bc3d6a3b18e678ba7af210432

Download Submit
memory/2820-48-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/2820-44-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/2820-45-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/2820-46-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/2820-47-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/2820-0-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/2820-49-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/2820-50-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/2820-51-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/2820-52-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/2820-53-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/2820-54-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/2820-55-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/2820-56-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/2820-57-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads