cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615

General

Target

cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe
Size

13.5MB
MD5

8b51dc6776d7107152bf6b98ecc44195
SHA1

8a127f154df6aea1d80224c04be37ee5ae4c51af
SHA256

cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615
SHA512

0b26d4e0bbac268d295a65d22beb903c7e14eb576314864a27d855259d64649222e43bc6e4ab5271dc30d766e5a4c20f23f59d60362de78b9f277947a070aed2
SSDEEP

393216:NayqiLvxaN0jU21Ya74sj2Anv+geYYzpKez3BL7+1:bq9AU26aEsj2Axh2pKQ

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe

description ioc process

File opened for modification \??\PhysicalDrive0 cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe

pid	process
1148	cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe
1148	cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe
1148	cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe
1148	cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe

pid process

1148 cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe

description pid process

Token: SeDebugPrivilege 1148 cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe

description	pid	process
Token: SeDebugPrivilege	1148	cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe

pid	process
1148	cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe
1148	cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe

C:\Users\Admin\AppData\Local\Temp\cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe
"C:\Users\Admin\AppData\Local\Temp\cd268529983dfaeb90e0869f9fda79329e257b47a99d25ef4c5997da7263d615.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1148

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1148-0-0x0000000000400000-0x0000000001E58000-memory.dmp

Filesize
26.3MB

Download
memory/1148-1-0x0000000000B57000-0x00000000010D6000-memory.dmp

Filesize
5.5MB

Download
memory/1148-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1148-21-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1148-19-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1148-17-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1148-16-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1148-14-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1148-12-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1148-11-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1148-9-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1148-7-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1148-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1148-4-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1148-42-0x0000000000400000-0x0000000001E58000-memory.dmp

Filesize
26.3MB

Download
memory/1148-41-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1148-39-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1148-36-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1148-34-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1148-31-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1148-29-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1148-26-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1148-24-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1148-44-0x0000000000400000-0x0000000001E58000-memory.dmp

Filesize
26.3MB

Download
memory/1148-45-0x0000000000400000-0x0000000001E58000-memory.dmp

Filesize
26.3MB

Download
memory/1148-46-0x0000000000B57000-0x00000000010D6000-memory.dmp

Filesize
5.5MB

Download
memory/1148-47-0x0000000000400000-0x0000000001E58000-memory.dmp

Filesize
26.3MB

Download

Analysis

Sharing