563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1

General

Target

563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe
Size

2.4MB
MD5

d40916bebe140e7cf46c97deff03edbf
SHA1

fcd389a0a54f26783985f9be93260b353001acda
SHA256

563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1
SHA512

9dec298d8fd8d5a3eba3af618f87a037445911ffbf7d62ee492f9c0a1e34897520fe7506b9a3881f66fb736ef1717c2efe9018054fd27112fd0a438be2c8ccca
SSDEEP

49152:JoNgRf9tTkvqHWzKVcBd6o6nt2rK09G4lyo0ZacSiLUswRI/CIJM:J+Qf7cqA0bt2rK09cohiLUbQJJM

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe

description ioc process

File opened for modification \??\PhysicalDrive0 563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe

pid	process
1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe
1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe
Token: SeIncreaseQuotaPrivilege	7772	WMIC.exe
Token: SeSecurityPrivilege	7772	WMIC.exe
Token: SeTakeOwnershipPrivilege	7772	WMIC.exe
Token: SeLoadDriverPrivilege	7772	WMIC.exe
Token: SeSystemProfilePrivilege	7772	WMIC.exe
Token: SeSystemtimePrivilege	7772	WMIC.exe
Token: SeProfSingleProcessPrivilege	7772	WMIC.exe
Token: SeIncBasePriorityPrivilege	7772	WMIC.exe
Token: SeCreatePagefilePrivilege	7772	WMIC.exe
Token: SeBackupPrivilege	7772	WMIC.exe
Token: SeRestorePrivilege	7772	WMIC.exe
Token: SeShutdownPrivilege	7772	WMIC.exe
Token: SeDebugPrivilege	7772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7772	WMIC.exe
Token: SeRemoteShutdownPrivilege	7772	WMIC.exe
Token: SeUndockPrivilege	7772	WMIC.exe
Token: SeManageVolumePrivilege	7772	WMIC.exe
Token: 33	7772	WMIC.exe
Token: 34	7772	WMIC.exe
Token: 35	7772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	7772	WMIC.exe
Token: SeSecurityPrivilege	7772	WMIC.exe
Token: SeTakeOwnershipPrivilege	7772	WMIC.exe
Token: SeLoadDriverPrivilege	7772	WMIC.exe
Token: SeSystemProfilePrivilege	7772	WMIC.exe
Token: SeSystemtimePrivilege	7772	WMIC.exe
Token: SeProfSingleProcessPrivilege	7772	WMIC.exe
Token: SeIncBasePriorityPrivilege	7772	WMIC.exe
Token: SeCreatePagefilePrivilege	7772	WMIC.exe
Token: SeBackupPrivilege	7772	WMIC.exe
Token: SeRestorePrivilege	7772	WMIC.exe
Token: SeShutdownPrivilege	7772	WMIC.exe
Token: SeDebugPrivilege	7772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7772	WMIC.exe
Token: SeRemoteShutdownPrivilege	7772	WMIC.exe
Token: SeUndockPrivilege	7772	WMIC.exe
Token: SeManageVolumePrivilege	7772	WMIC.exe
Token: 33	7772	WMIC.exe
Token: 34	7772	WMIC.exe
Token: 35	7772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	7876	WMIC.exe
Token: SeSecurityPrivilege	7876	WMIC.exe
Token: SeTakeOwnershipPrivilege	7876	WMIC.exe
Token: SeLoadDriverPrivilege	7876	WMIC.exe
Token: SeSystemProfilePrivilege	7876	WMIC.exe
Token: SeSystemtimePrivilege	7876	WMIC.exe
Token: SeProfSingleProcessPrivilege	7876	WMIC.exe
Token: SeIncBasePriorityPrivilege	7876	WMIC.exe
Token: SeCreatePagefilePrivilege	7876	WMIC.exe
Token: SeBackupPrivilege	7876	WMIC.exe
Token: SeRestorePrivilege	7876	WMIC.exe
Token: SeShutdownPrivilege	7876	WMIC.exe
Token: SeDebugPrivilege	7876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7876	WMIC.exe
Token: SeRemoteShutdownPrivilege	7876	WMIC.exe
Token: SeUndockPrivilege	7876	WMIC.exe
Token: SeManageVolumePrivilege	7876	WMIC.exe
Token: 33	7876	WMIC.exe
Token: 34	7876	WMIC.exe
Token: 35	7876	WMIC.exe
Token: SeIncreaseQuotaPrivilege	7876	WMIC.exe
Token: SeSecurityPrivilege	7876	WMIC.exe
Token: SeTakeOwnershipPrivilege	7876	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe

pid	process
1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe
1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe
1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe
1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe
1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1612 wrote to memory of 7748	1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe	cmd.exe
PID 1612 wrote to memory of 7748	1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe	cmd.exe
PID 1612 wrote to memory of 7748	1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe	cmd.exe
PID 1612 wrote to memory of 7748	1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe	cmd.exe
PID 7748 wrote to memory of 7772	7748	cmd.exe	WMIC.exe
PID 7748 wrote to memory of 7772	7748	cmd.exe	WMIC.exe
PID 7748 wrote to memory of 7772	7748	cmd.exe	WMIC.exe
PID 7748 wrote to memory of 7772	7748	cmd.exe	WMIC.exe
PID 1612 wrote to memory of 7852	1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe	cmd.exe
PID 1612 wrote to memory of 7852	1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe	cmd.exe
PID 1612 wrote to memory of 7852	1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe	cmd.exe
PID 1612 wrote to memory of 7852	1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe	cmd.exe
PID 7852 wrote to memory of 7876	7852	cmd.exe	WMIC.exe
PID 7852 wrote to memory of 7876	7852	cmd.exe	WMIC.exe
PID 7852 wrote to memory of 7876	7852	cmd.exe	WMIC.exe
PID 7852 wrote to memory of 7876	7852	cmd.exe	WMIC.exe
PID 1612 wrote to memory of 7908	1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe	cmd.exe
PID 1612 wrote to memory of 7908	1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe	cmd.exe
PID 1612 wrote to memory of 7908	1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe	cmd.exe
PID 1612 wrote to memory of 7908	1612	563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe	cmd.exe
PID 7908 wrote to memory of 7932	7908	cmd.exe	WMIC.exe
PID 7908 wrote to memory of 7932	7908	cmd.exe	WMIC.exe
PID 7908 wrote to memory of 7932	7908	cmd.exe	WMIC.exe
PID 7908 wrote to memory of 7932	7908	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe
"C:\Users\Admin\AppData\Local\Temp\563276c2b6466b12707c4ebc8a630ff16f95a668ffcbbef4faf74888941754e1.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic cpu get name/value
2⤵
- Suspicious use of WriteProcessMemory
PID:7748

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name/value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
2⤵
- Suspicious use of WriteProcessMemory
PID:7852

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic Path Win32_DisplayConfiguration get DeviceName/value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
2⤵
- Suspicious use of WriteProcessMemory
PID:7908

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
3⤵
PID:7932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1612-0-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1612-1-0x0000000076A90000-0x0000000076AD7000-memory.dmp

Filesize
284KB

Download
memory/1612-510-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-503-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-534-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-504-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-550-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-506-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-564-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-508-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-512-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-518-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-562-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-560-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-558-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-556-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-554-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-552-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-548-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-546-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-544-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-542-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-540-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-538-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-536-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-532-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-530-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-528-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-526-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-524-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-522-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-520-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-516-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-514-0x0000000002850000-0x0000000002961000-memory.dmp

Filesize
1.1MB

Download
memory/1612-2239-0x00000000025A0000-0x0000000002721000-memory.dmp

Filesize
1.5MB

Download
memory/1612-7792-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads