655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db

General

Target

655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe
Size

2.4MB
MD5

2cd650848b8ed89292118ec352cffb8a
SHA1

483311cf57f4277bf508beb1a22c13f1be396621
SHA256

655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db
SHA512

9a07e289405180e4dea6cadfec7dba1f6a1e82a0bf0f32112fe23e641604a7121c0c0067762e138237686a31b7badb5c0955f23ec41d681b3cd8d47ab2857a00
SSDEEP

49152:JoNgRf9tTkvqHWzKVcBd6o6nt2rK09G4lyo0ZacSiLUswRI/CIJO:J+Qf7cqA0bt2rK09cohiLUbQJJO

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe

description ioc process

File opened for modification \??\PhysicalDrive0 655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe

pid	process
1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe
1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe
Token: SeIncreaseQuotaPrivilege	8516	WMIC.exe
Token: SeSecurityPrivilege	8516	WMIC.exe
Token: SeTakeOwnershipPrivilege	8516	WMIC.exe
Token: SeLoadDriverPrivilege	8516	WMIC.exe
Token: SeSystemProfilePrivilege	8516	WMIC.exe
Token: SeSystemtimePrivilege	8516	WMIC.exe
Token: SeProfSingleProcessPrivilege	8516	WMIC.exe
Token: SeIncBasePriorityPrivilege	8516	WMIC.exe
Token: SeCreatePagefilePrivilege	8516	WMIC.exe
Token: SeBackupPrivilege	8516	WMIC.exe
Token: SeRestorePrivilege	8516	WMIC.exe
Token: SeShutdownPrivilege	8516	WMIC.exe
Token: SeDebugPrivilege	8516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	8516	WMIC.exe
Token: SeRemoteShutdownPrivilege	8516	WMIC.exe
Token: SeUndockPrivilege	8516	WMIC.exe
Token: SeManageVolumePrivilege	8516	WMIC.exe
Token: 33	8516	WMIC.exe
Token: 34	8516	WMIC.exe
Token: 35	8516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	8516	WMIC.exe
Token: SeSecurityPrivilege	8516	WMIC.exe
Token: SeTakeOwnershipPrivilege	8516	WMIC.exe
Token: SeLoadDriverPrivilege	8516	WMIC.exe
Token: SeSystemProfilePrivilege	8516	WMIC.exe
Token: SeSystemtimePrivilege	8516	WMIC.exe
Token: SeProfSingleProcessPrivilege	8516	WMIC.exe
Token: SeIncBasePriorityPrivilege	8516	WMIC.exe
Token: SeCreatePagefilePrivilege	8516	WMIC.exe
Token: SeBackupPrivilege	8516	WMIC.exe
Token: SeRestorePrivilege	8516	WMIC.exe
Token: SeShutdownPrivilege	8516	WMIC.exe
Token: SeDebugPrivilege	8516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	8516	WMIC.exe
Token: SeRemoteShutdownPrivilege	8516	WMIC.exe
Token: SeUndockPrivilege	8516	WMIC.exe
Token: SeManageVolumePrivilege	8516	WMIC.exe
Token: 33	8516	WMIC.exe
Token: 34	8516	WMIC.exe
Token: 35	8516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	8612	WMIC.exe
Token: SeSecurityPrivilege	8612	WMIC.exe
Token: SeTakeOwnershipPrivilege	8612	WMIC.exe
Token: SeLoadDriverPrivilege	8612	WMIC.exe
Token: SeSystemProfilePrivilege	8612	WMIC.exe
Token: SeSystemtimePrivilege	8612	WMIC.exe
Token: SeProfSingleProcessPrivilege	8612	WMIC.exe
Token: SeIncBasePriorityPrivilege	8612	WMIC.exe
Token: SeCreatePagefilePrivilege	8612	WMIC.exe
Token: SeBackupPrivilege	8612	WMIC.exe
Token: SeRestorePrivilege	8612	WMIC.exe
Token: SeShutdownPrivilege	8612	WMIC.exe
Token: SeDebugPrivilege	8612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	8612	WMIC.exe
Token: SeRemoteShutdownPrivilege	8612	WMIC.exe
Token: SeUndockPrivilege	8612	WMIC.exe
Token: SeManageVolumePrivilege	8612	WMIC.exe
Token: 33	8612	WMIC.exe
Token: 34	8612	WMIC.exe
Token: 35	8612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	8612	WMIC.exe
Token: SeSecurityPrivilege	8612	WMIC.exe
Token: SeTakeOwnershipPrivilege	8612	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe

pid	process
1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe
1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe
1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe
1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe
1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1200 wrote to memory of 8492	1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe	cmd.exe
PID 1200 wrote to memory of 8492	1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe	cmd.exe
PID 1200 wrote to memory of 8492	1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe	cmd.exe
PID 1200 wrote to memory of 8492	1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe	cmd.exe
PID 8492 wrote to memory of 8516	8492	cmd.exe	WMIC.exe
PID 8492 wrote to memory of 8516	8492	cmd.exe	WMIC.exe
PID 8492 wrote to memory of 8516	8492	cmd.exe	WMIC.exe
PID 8492 wrote to memory of 8516	8492	cmd.exe	WMIC.exe
PID 1200 wrote to memory of 8588	1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe	cmd.exe
PID 1200 wrote to memory of 8588	1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe	cmd.exe
PID 1200 wrote to memory of 8588	1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe	cmd.exe
PID 1200 wrote to memory of 8588	1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe	cmd.exe
PID 8588 wrote to memory of 8612	8588	cmd.exe	WMIC.exe
PID 8588 wrote to memory of 8612	8588	cmd.exe	WMIC.exe
PID 8588 wrote to memory of 8612	8588	cmd.exe	WMIC.exe
PID 8588 wrote to memory of 8612	8588	cmd.exe	WMIC.exe
PID 1200 wrote to memory of 8644	1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe	cmd.exe
PID 1200 wrote to memory of 8644	1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe	cmd.exe
PID 1200 wrote to memory of 8644	1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe	cmd.exe
PID 1200 wrote to memory of 8644	1200	655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe	cmd.exe
PID 8644 wrote to memory of 8668	8644	cmd.exe	WMIC.exe
PID 8644 wrote to memory of 8668	8644	cmd.exe	WMIC.exe
PID 8644 wrote to memory of 8668	8644	cmd.exe	WMIC.exe
PID 8644 wrote to memory of 8668	8644	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe
"C:\Users\Admin\AppData\Local\Temp\655547df4376249872af0ac25dc35b9c8c33fbf261a2c16c6510d20ec2fdb8db.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic cpu get name/value
2⤵
- Suspicious use of WriteProcessMemory
PID:8492

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name/value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8516

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
2⤵
- Suspicious use of WriteProcessMemory
PID:8588

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic Path Win32_DisplayConfiguration get DeviceName/value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:8612

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
2⤵
- Suspicious use of WriteProcessMemory
PID:8644

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
3⤵
PID:8668

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-0-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1200-1-0x0000000074E40000-0x0000000074E87000-memory.dmp

Filesize
284KB

Download
memory/1200-503-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-506-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-510-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-514-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-518-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-522-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-524-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-526-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-530-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-534-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-536-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-542-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-546-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-552-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-556-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-560-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-564-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-562-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-558-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-554-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-550-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-548-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-544-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-540-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-538-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-532-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-528-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-520-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-516-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-512-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-508-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-504-0x0000000002720000-0x0000000002831000-memory.dmp

Filesize
1.1MB

Download
memory/1200-2239-0x0000000002470000-0x00000000025F1000-memory.dmp

Filesize
1.5MB

Download
memory/1200-7792-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads