6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8

General

Target

6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe
Size

2.4MB
MD5

7af82424a071ac8c9913c5c803bac1c7
SHA1

abf4d0f039e730fe96c6e81f41d6b6df5ad910f7
SHA256

6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8
SHA512

1d3758dbe187af88540fde1620b32127f3ed861b438d64836f8433912fe4b6d8a3304dcea9bd76db1c372ba34c94dd2b5cc9e4b7f9d50981fad429e513a71c42
SSDEEP

49152:JoNgRf9tTkvqHWzKVcBd6o6nt2rK09G4lyo0ZacSiLUswRI/CIJY:J+Qf7cqA0bt2rK09cohiLUbQJJY

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe

description ioc process

File opened for modification \??\PhysicalDrive0 6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe

pid	process
2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe
2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe
Token: SeIncreaseQuotaPrivilege	1784	WMIC.exe
Token: SeSecurityPrivilege	1784	WMIC.exe
Token: SeTakeOwnershipPrivilege	1784	WMIC.exe
Token: SeLoadDriverPrivilege	1784	WMIC.exe
Token: SeSystemProfilePrivilege	1784	WMIC.exe
Token: SeSystemtimePrivilege	1784	WMIC.exe
Token: SeProfSingleProcessPrivilege	1784	WMIC.exe
Token: SeIncBasePriorityPrivilege	1784	WMIC.exe
Token: SeCreatePagefilePrivilege	1784	WMIC.exe
Token: SeBackupPrivilege	1784	WMIC.exe
Token: SeRestorePrivilege	1784	WMIC.exe
Token: SeShutdownPrivilege	1784	WMIC.exe
Token: SeDebugPrivilege	1784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1784	WMIC.exe
Token: SeRemoteShutdownPrivilege	1784	WMIC.exe
Token: SeUndockPrivilege	1784	WMIC.exe
Token: SeManageVolumePrivilege	1784	WMIC.exe
Token: 33	1784	WMIC.exe
Token: 34	1784	WMIC.exe
Token: 35	1784	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1784	WMIC.exe
Token: SeSecurityPrivilege	1784	WMIC.exe
Token: SeTakeOwnershipPrivilege	1784	WMIC.exe
Token: SeLoadDriverPrivilege	1784	WMIC.exe
Token: SeSystemProfilePrivilege	1784	WMIC.exe
Token: SeSystemtimePrivilege	1784	WMIC.exe
Token: SeProfSingleProcessPrivilege	1784	WMIC.exe
Token: SeIncBasePriorityPrivilege	1784	WMIC.exe
Token: SeCreatePagefilePrivilege	1784	WMIC.exe
Token: SeBackupPrivilege	1784	WMIC.exe
Token: SeRestorePrivilege	1784	WMIC.exe
Token: SeShutdownPrivilege	1784	WMIC.exe
Token: SeDebugPrivilege	1784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1784	WMIC.exe
Token: SeRemoteShutdownPrivilege	1784	WMIC.exe
Token: SeUndockPrivilege	1784	WMIC.exe
Token: SeManageVolumePrivilege	1784	WMIC.exe
Token: 33	1784	WMIC.exe
Token: 34	1784	WMIC.exe
Token: 35	1784	WMIC.exe
Token: SeIncreaseQuotaPrivilege	380	WMIC.exe
Token: SeSecurityPrivilege	380	WMIC.exe
Token: SeTakeOwnershipPrivilege	380	WMIC.exe
Token: SeLoadDriverPrivilege	380	WMIC.exe
Token: SeSystemProfilePrivilege	380	WMIC.exe
Token: SeSystemtimePrivilege	380	WMIC.exe
Token: SeProfSingleProcessPrivilege	380	WMIC.exe
Token: SeIncBasePriorityPrivilege	380	WMIC.exe
Token: SeCreatePagefilePrivilege	380	WMIC.exe
Token: SeBackupPrivilege	380	WMIC.exe
Token: SeRestorePrivilege	380	WMIC.exe
Token: SeShutdownPrivilege	380	WMIC.exe
Token: SeDebugPrivilege	380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	380	WMIC.exe
Token: SeRemoteShutdownPrivilege	380	WMIC.exe
Token: SeUndockPrivilege	380	WMIC.exe
Token: SeManageVolumePrivilege	380	WMIC.exe
Token: 33	380	WMIC.exe
Token: 34	380	WMIC.exe
Token: 35	380	WMIC.exe
Token: SeIncreaseQuotaPrivilege	380	WMIC.exe
Token: SeSecurityPrivilege	380	WMIC.exe
Token: SeTakeOwnershipPrivilege	380	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe

pid	process
2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe
2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe
2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe
2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe
2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2356 wrote to memory of 11260	2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe	cmd.exe
PID 2356 wrote to memory of 11260	2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe	cmd.exe
PID 2356 wrote to memory of 11260	2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe	cmd.exe
PID 2356 wrote to memory of 11260	2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe	cmd.exe
PID 11260 wrote to memory of 1784	11260	cmd.exe	WMIC.exe
PID 11260 wrote to memory of 1784	11260	cmd.exe	WMIC.exe
PID 11260 wrote to memory of 1784	11260	cmd.exe	WMIC.exe
PID 11260 wrote to memory of 1784	11260	cmd.exe	WMIC.exe
PID 2356 wrote to memory of 924	2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe	cmd.exe
PID 2356 wrote to memory of 924	2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe	cmd.exe
PID 2356 wrote to memory of 924	2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe	cmd.exe
PID 2356 wrote to memory of 924	2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe	cmd.exe
PID 924 wrote to memory of 380	924	cmd.exe	WMIC.exe
PID 924 wrote to memory of 380	924	cmd.exe	WMIC.exe
PID 924 wrote to memory of 380	924	cmd.exe	WMIC.exe
PID 924 wrote to memory of 380	924	cmd.exe	WMIC.exe
PID 2356 wrote to memory of 1648	2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe	cmd.exe
PID 2356 wrote to memory of 1648	2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe	cmd.exe
PID 2356 wrote to memory of 1648	2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe	cmd.exe
PID 2356 wrote to memory of 1648	2356	6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe	cmd.exe
PID 1648 wrote to memory of 1168	1648	cmd.exe	WMIC.exe
PID 1648 wrote to memory of 1168	1648	cmd.exe	WMIC.exe
PID 1648 wrote to memory of 1168	1648	cmd.exe	WMIC.exe
PID 1648 wrote to memory of 1168	1648	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe
"C:\Users\Admin\AppData\Local\Temp\6711240c87650fa1c068a6e0bd33a8a00d06adfa390212221c5c7847fcdf72d8.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic cpu get name/value
2⤵
- Suspicious use of WriteProcessMemory
PID:11260

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name/value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
2⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic Path Win32_DisplayConfiguration get DeviceName/value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
3⤵
PID:1168

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2356-0-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/2356-1-0x0000000075590000-0x00000000755D7000-memory.dmp

Filesize
284KB

Download
memory/2356-503-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-504-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-508-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-529-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-507-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-522-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-526-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-532-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-530-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-540-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-524-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-520-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-554-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-518-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-516-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-514-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-512-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-510-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-564-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-562-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-560-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-558-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-557-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-552-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-550-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-548-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-546-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-544-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-542-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-538-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-536-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-534-0x00000000028C0000-0x00000000029D1000-memory.dmp

Filesize
1.1MB

Download
memory/2356-2239-0x0000000002610000-0x0000000002791000-memory.dmp

Filesize
1.5MB

Download
memory/2356-7991-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads