76664c6018506cd76f461cb245004689a64f83e5592738062f5c91720f06fe3d

General

Target

76664c6018506cd76f461cb245004689a64f83e5592738062f5c91720f06fe3d.exe
Size

152KB
MD5

e8006c0efa0058b3f5afc8b53a06ff4b
SHA1

58ed7fa42e310a85556c3454fa286f59387381d8
SHA256

76664c6018506cd76f461cb245004689a64f83e5592738062f5c91720f06fe3d
SHA512

16da8cedba205cab6f3bb184bb4f1466e71d840f2e30741ce2343a68c9349ce407a8f42d6dffc8aba078add80cf188432802bbcf5f9c4dce12dd77abfdeff8ed
SSDEEP

3072:oZpYg19EeiLLmjempGuCYooEK1JWaCItULG3rt2Wcora4dIC:OPjEl6jLiQ1JW+Oy3p/n

Score

7^/10

bootkit persistence spyware stealer

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x003900000001340e-18.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2084	mwffg.exe

Executes dropped EXE 2 IoCs

pid	Process
2084	mwffg.exe
2572	nic.exe

Loads dropped DLL 7 IoCs

pid	Process
2260	cmd.exe
2260	cmd.exe
2084	mwffg.exe
2572	nic.exe
2572	nic.exe
2572	nic.exe
2572	nic.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Linycpy = "c:\\Program Files\\shinak\\nic.exe \"c:\\Program Files\\shinak\\nicpf.dll\",SetHandle"	nic.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\u:	nic.exe
File opened (read-only)	\??\v:	nic.exe
File opened (read-only)	\??\x:	nic.exe
File opened (read-only)	\??\z:	nic.exe
File opened (read-only)	\??\g:	nic.exe
File opened (read-only)	\??\i:	nic.exe
File opened (read-only)	\??\l:	nic.exe
File opened (read-only)	\??\o:	nic.exe
File opened (read-only)	\??\r:	nic.exe
File opened (read-only)	\??\a:	nic.exe
File opened (read-only)	\??\b:	nic.exe
File opened (read-only)	\??\m:	nic.exe
File opened (read-only)	\??\p:	nic.exe
File opened (read-only)	\??\t:	nic.exe
File opened (read-only)	\??\w:	nic.exe
File opened (read-only)	\??\h:	nic.exe
File opened (read-only)	\??\k:	nic.exe
File opened (read-only)	\??\n:	nic.exe
File opened (read-only)	\??\s:	nic.exe
File opened (read-only)	\??\y:	nic.exe
File opened (read-only)	\??\e:	nic.exe
File opened (read-only)	\??\j:	nic.exe
File opened (read-only)	\??\q:	nic.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	nic.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	\??\c:\Program Files\shinak\nic.exe	mwffg.exe
File opened for modification	\??\c:\Program Files\shinak\nic.exe	mwffg.exe
File opened for modification	\??\c:\Program Files\shinak	mwffg.exe
File created	\??\c:\Program Files\shinak\nicpf.dll	mwffg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2812	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2572	nic.exe
2572	nic.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	nic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1180	76664c6018506cd76f461cb245004689a64f83e5592738062f5c91720f06fe3d.exe
2084	mwffg.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2260	1180	76664c6018506cd76f461cb245004689a64f83e5592738062f5c91720f06fe3d.exe	28
PID 1180 wrote to memory of 2260	1180	76664c6018506cd76f461cb245004689a64f83e5592738062f5c91720f06fe3d.exe	28
PID 1180 wrote to memory of 2260	1180	76664c6018506cd76f461cb245004689a64f83e5592738062f5c91720f06fe3d.exe	28
PID 1180 wrote to memory of 2260	1180	76664c6018506cd76f461cb245004689a64f83e5592738062f5c91720f06fe3d.exe	28
PID 2260 wrote to memory of 2812	2260	cmd.exe	30
PID 2260 wrote to memory of 2812	2260	cmd.exe	30
PID 2260 wrote to memory of 2812	2260	cmd.exe	30
PID 2260 wrote to memory of 2812	2260	cmd.exe	30
PID 2260 wrote to memory of 2084	2260	cmd.exe	31
PID 2260 wrote to memory of 2084	2260	cmd.exe	31
PID 2260 wrote to memory of 2084	2260	cmd.exe	31
PID 2260 wrote to memory of 2084	2260	cmd.exe	31
PID 2084 wrote to memory of 2572	2084	mwffg.exe	32
PID 2084 wrote to memory of 2572	2084	mwffg.exe	32
PID 2084 wrote to memory of 2572	2084	mwffg.exe	32
PID 2084 wrote to memory of 2572	2084	mwffg.exe	32

C:\Users\Admin\AppData\Local\Temp\76664c6018506cd76f461cb245004689a64f83e5592738062f5c91720f06fe3d.exe
"C:\Users\Admin\AppData\Local\Temp\76664c6018506cd76f461cb245004689a64f83e5592738062f5c91720f06fe3d.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\mwffg.exe "C:\Users\Admin\AppData\Local\Temp\76664c6018506cd76f461cb245004689a64f83e5592738062f5c91720f06fe3d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\mwffg.exe
    C:\Users\Admin\AppData\Local\Temp\\mwffg.exe "C:\Users\Admin\AppData\Local\Temp\76664c6018506cd76f461cb245004689a64f83e5592738062f5c91720f06fe3d.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - \??\c:\Program Files\shinak\nic.exe
      "c:\Program Files\shinak\nic.exe" "c:\Program Files\shinak\nicpf.dll",SetHandle C:\Users\Admin\AppData\Local\Temp\mwffg.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Enumerates connected drives
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\Program Files\shinak\nicpf.dll

Filesize
128KB

MD5
232ec2f4aba03ca7a2fbc207b202c5c0

SHA1
14ec37095fb8f79c15d677ffb57bc074e98909b4

SHA256
b05c2a2e7f57b80e8b29ca731e88216bd637b6bebe47ab9f3cd553a59136d739

SHA512
e3f1e3dec7b5a847051b1e19f3ddbb5734ca7a358a4c9d88aeb2488d888b3924b972131550c0692c33eaaedc9e6dc464134eb836951a00cbe819663c275fc992

Download Submit
\Program Files\shinak\nic.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Users\Admin\AppData\Local\Temp\mwffg.exe

Filesize
153KB

MD5
3825c7852f3c94c8f82fb5cd6381c4c2

SHA1
6649472ef369f265ee547db02d0df5f60d5ea422

SHA256
a8961733cb2a5bf28877f9ba52b1ea6193d71e0b0dc0909df405acbe0b8b37f6

SHA512
9e77eba28da16f9e24ff0e0b18c8e761e9fd1d66641cab33fb72cce519a06ac6eaa29c41d8dffa759866bb73388f408af7b18e716f14814d7879434719857087

Download Submit
memory/1180-2-0x0000000000400000-0x000000000042F036-memory.dmp

Filesize
188KB

Download
memory/1180-0-0x0000000000400000-0x000000000042F036-memory.dmp

Filesize
188KB

Download
memory/2084-9-0x0000000000400000-0x000000000042F036-memory.dmp

Filesize
188KB

Download
memory/2084-17-0x0000000000400000-0x000000000042F036-memory.dmp

Filesize
188KB

Download
memory/2260-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2260-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2572-24-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2572-25-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2572-29-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/2572-30-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads