75f17b7472b10d465ca8a978d2cea8522e5675b376ba8743b36437990bc078bb

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
Size

19.8MB
MD5

1a5bd43c86e59b1849bdf8da1eb9f9b8
SHA1

2d9240c02b9ef845338761cd0398bae5a9aa89d0
SHA256

75f17b7472b10d465ca8a978d2cea8522e5675b376ba8743b36437990bc078bb
SHA512

f5b1da9d8119d3c0a2fdaf1c7d0bd6b4165531eae3426126b587d5d530969511f29ef4d4ef7d91949b905d10544a61ffb06cc9759e0f76adc12b4f4902d7434f
SSDEEP

393216:e0O5hIi4IUZzF8FcRIZHpKZgzLxNweoxyWTQZRoThwcHrmu3N:UyZz9RSHEZgHPybH

Score

9^/10

bootkit persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SdsData\res2\bootice.exe	UPX
behavioral2/memory/2460-112-0x0000000000CC0000-0x0000000000E03000-memory.dmp	UPX
behavioral2/memory/2460-120-0x0000000000CC0000-0x0000000000E03000-memory.dmp	UPX
behavioral2/memory/3444-136-0x0000000000CC0000-0x0000000000E03000-memory.dmp	UPX
behavioral2/memory/3444-139-0x0000000000CC0000-0x0000000000E03000-memory.dmp	UPX

Executes dropped EXE 5 IoCs

Processes:

7z.exeMiniThunderPlatform.exebootice.exeUSORT.EXEbootice.exe

pid process

1192 7z.exe
2412 MiniThunderPlatform.exe
2460 bootice.exe
2332 USORT.EXE
3444 bootice.exe

Loads dropped DLL 12 IoCs

Processes:

7z.exe2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exeMiniThunderPlatform.exe

pid	process
1192	7z.exe
3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
2412	MiniThunderPlatform.exe
2412	MiniThunderPlatform.exe
2412	MiniThunderPlatform.exe
2412	MiniThunderPlatform.exe
2412	MiniThunderPlatform.exe
2412	MiniThunderPlatform.exe
2412	MiniThunderPlatform.exe
2412	MiniThunderPlatform.exe
2412	MiniThunderPlatform.exe
2412	MiniThunderPlatform.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SdsData\res2\bootice.exe	upx
behavioral2/memory/2460-112-0x0000000000CC0000-0x0000000000E03000-memory.dmp	upx
behavioral2/memory/2460-120-0x0000000000CC0000-0x0000000000E03000-memory.dmp	upx
behavioral2/memory/3444-136-0x0000000000CC0000-0x0000000000E03000-memory.dmp	upx
behavioral2/memory/3444-139-0x0000000000CC0000-0x0000000000E03000-memory.dmp	upx

Enumerates connected drives 3 TTPs 27 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exebootice.exebootice.exe

description	ioc	process
File opened (read-only)	\??\Y:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\D:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\N:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\P:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\F:	bootice.exe
File opened (read-only)	\??\Z:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\E:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\F:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\H:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\W:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\G:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\K:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\O:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\R:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\U:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\X:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\B:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\I:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\A:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\J:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\M:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\Q:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\V:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\F:	bootice.exe
File opened (read-only)	\??\S:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\L:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
File opened (read-only)	\??\T:	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MiniThunderPlatform.exeUSORT.EXE

description ioc process

File opened for modification \??\PhysicalDrive0 MiniThunderPlatform.exe
File opened for modification \??\PhysicalDrive0 USORT.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe
File opened for modification	\??\PhysicalDrive0	USORT.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exePowerShell.exe

pid	process
3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
4240	PowerShell.exe
4240	PowerShell.exe
4240	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

bootice.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2460	bootice.exe
Token: SeAuditPrivilege	2460	bootice.exe
Token: SeSecurityPrivilege	2460	bootice.exe
Token: SeBackupPrivilege	2460	bootice.exe
Token: SeRestorePrivilege	2460	bootice.exe
Token: SeTakeOwnershipPrivilege	2460	bootice.exe
Token: SeManageVolumePrivilege	2460	bootice.exe
Token: SeSystemEnvironmentPrivilege	2460	bootice.exe
Token: SeShutdownPrivilege	2460	bootice.exe
Token: SeIncreaseQuotaPrivilege	3208	wmic.exe
Token: SeSecurityPrivilege	3208	wmic.exe
Token: SeTakeOwnershipPrivilege	3208	wmic.exe
Token: SeLoadDriverPrivilege	3208	wmic.exe
Token: SeSystemProfilePrivilege	3208	wmic.exe
Token: SeSystemtimePrivilege	3208	wmic.exe
Token: SeProfSingleProcessPrivilege	3208	wmic.exe
Token: SeIncBasePriorityPrivilege	3208	wmic.exe
Token: SeCreatePagefilePrivilege	3208	wmic.exe
Token: SeBackupPrivilege	3208	wmic.exe
Token: SeRestorePrivilege	3208	wmic.exe
Token: SeShutdownPrivilege	3208	wmic.exe
Token: SeDebugPrivilege	3208	wmic.exe
Token: SeSystemEnvironmentPrivilege	3208	wmic.exe
Token: SeRemoteShutdownPrivilege	3208	wmic.exe
Token: SeUndockPrivilege	3208	wmic.exe
Token: SeManageVolumePrivilege	3208	wmic.exe
Token: 33	3208	wmic.exe
Token: 34	3208	wmic.exe
Token: 35	3208	wmic.exe
Token: 36	3208	wmic.exe
Token: SeIncreaseQuotaPrivilege	3208	wmic.exe
Token: SeSecurityPrivilege	3208	wmic.exe
Token: SeTakeOwnershipPrivilege	3208	wmic.exe
Token: SeLoadDriverPrivilege	3208	wmic.exe
Token: SeSystemProfilePrivilege	3208	wmic.exe
Token: SeSystemtimePrivilege	3208	wmic.exe
Token: SeProfSingleProcessPrivilege	3208	wmic.exe
Token: SeIncBasePriorityPrivilege	3208	wmic.exe
Token: SeCreatePagefilePrivilege	3208	wmic.exe
Token: SeBackupPrivilege	3208	wmic.exe
Token: SeRestorePrivilege	3208	wmic.exe
Token: SeShutdownPrivilege	3208	wmic.exe
Token: SeDebugPrivilege	3208	wmic.exe
Token: SeSystemEnvironmentPrivilege	3208	wmic.exe
Token: SeRemoteShutdownPrivilege	3208	wmic.exe
Token: SeUndockPrivilege	3208	wmic.exe
Token: SeManageVolumePrivilege	3208	wmic.exe
Token: 33	3208	wmic.exe
Token: 34	3208	wmic.exe
Token: 35	3208	wmic.exe
Token: 36	3208	wmic.exe
Token: SeIncreaseQuotaPrivilege	1752	wmic.exe
Token: SeSecurityPrivilege	1752	wmic.exe
Token: SeTakeOwnershipPrivilege	1752	wmic.exe
Token: SeLoadDriverPrivilege	1752	wmic.exe
Token: SeSystemProfilePrivilege	1752	wmic.exe
Token: SeSystemtimePrivilege	1752	wmic.exe
Token: SeProfSingleProcessPrivilege	1752	wmic.exe
Token: SeIncBasePriorityPrivilege	1752	wmic.exe
Token: SeCreatePagefilePrivilege	1752	wmic.exe
Token: SeBackupPrivilege	1752	wmic.exe
Token: SeRestorePrivilege	1752	wmic.exe
Token: SeShutdownPrivilege	1752	wmic.exe
Token: SeDebugPrivilege	1752	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3320 wrote to memory of 548	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 548	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 548	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 548 wrote to memory of 1192	548	cmd.exe	7z.exe
PID 548 wrote to memory of 1192	548	cmd.exe	7z.exe
PID 548 wrote to memory of 1192	548	cmd.exe	7z.exe
PID 3320 wrote to memory of 2412	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	MiniThunderPlatform.exe
PID 3320 wrote to memory of 2412	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	MiniThunderPlatform.exe
PID 3320 wrote to memory of 2412	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	MiniThunderPlatform.exe
PID 3320 wrote to memory of 1724	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 1724	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 1724	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 3208	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	wmic.exe
PID 3320 wrote to memory of 3208	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	wmic.exe
PID 3320 wrote to memory of 3208	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	wmic.exe
PID 1724 wrote to memory of 2460	1724	cmd.exe	bootice.exe
PID 1724 wrote to memory of 2460	1724	cmd.exe	bootice.exe
PID 1724 wrote to memory of 2460	1724	cmd.exe	bootice.exe
PID 3320 wrote to memory of 1648	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 1648	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 1648	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 1752	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	wmic.exe
PID 3320 wrote to memory of 1752	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	wmic.exe
PID 3320 wrote to memory of 1752	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	wmic.exe
PID 1648 wrote to memory of 2332	1648	cmd.exe	USORT.EXE
PID 1648 wrote to memory of 2332	1648	cmd.exe	USORT.EXE
PID 1648 wrote to memory of 2332	1648	cmd.exe	USORT.EXE
PID 3320 wrote to memory of 4800	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 4800	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 4800	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 4800 wrote to memory of 1180	4800	cmd.exe	WMIC.exe
PID 4800 wrote to memory of 1180	4800	cmd.exe	WMIC.exe
PID 4800 wrote to memory of 1180	4800	cmd.exe	WMIC.exe
PID 3320 wrote to memory of 1384	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 1384	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 1384	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 1384 wrote to memory of 1292	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 1292	1384	cmd.exe	WMIC.exe
PID 1384 wrote to memory of 1292	1384	cmd.exe	WMIC.exe
PID 3320 wrote to memory of 4208	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 4208	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 4208	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 4208 wrote to memory of 4588	4208	cmd.exe	WMIC.exe
PID 4208 wrote to memory of 4588	4208	cmd.exe	WMIC.exe
PID 4208 wrote to memory of 4588	4208	cmd.exe	WMIC.exe
PID 3320 wrote to memory of 2616	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 2616	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 2616	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 2616 wrote to memory of 808	2616	cmd.exe	WMIC.exe
PID 2616 wrote to memory of 808	2616	cmd.exe	WMIC.exe
PID 2616 wrote to memory of 808	2616	cmd.exe	WMIC.exe
PID 3320 wrote to memory of 4628	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 4628	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 4628	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 4628 wrote to memory of 2780	4628	cmd.exe	WMIC.exe
PID 4628 wrote to memory of 2780	4628	cmd.exe	WMIC.exe
PID 4628 wrote to memory of 2780	4628	cmd.exe	WMIC.exe
PID 3320 wrote to memory of 4540	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 4540	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 3320 wrote to memory of 4540	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	cmd.exe
PID 4540 wrote to memory of 3444	4540	cmd.exe	bootice.exe
PID 4540 wrote to memory of 3444	4540	cmd.exe	bootice.exe
PID 4540 wrote to memory of 3444	4540	cmd.exe	bootice.exe
PID 3320 wrote to memory of 3556	3320	2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_1a5bd43c86e59b1849bdf8da1eb9f9b8_magniber_revil.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SdsData\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\SdsData\Resouce.7z" -aoa"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\SdsData\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\SdsData\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\SdsData\Resouce.7z" -aoa
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1192
- C:\Users\Admin\AppData\Local\Temp\SdsData\download\MiniThunderPlatform.exe
  "C:\Users\Admin\AppData\Local\Temp\SdsData\download\MiniThunderPlatform.exe" -StartTP
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SdsData\res2\BOOTICE.exe" /diskinfo /list: /file=test.ini"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\SdsData\res2\bootice.exe
    "C:\Users\Admin\AppData\Local\Temp\SdsData\res2\BOOTICE.exe" /diskinfo /list: /file=test.ini
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic.exe" baseboard list full
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SdsData\res2\USORT.EXE -mohong
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\SdsData\res2\USORT.EXE
    C:\Users\Admin\AppData\Local\Temp\SdsData\res2\USORT.EXE -mohong
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:2332
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic diskdrive get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic BaseBoard get Manufacturer
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BaseBoard get Manufacturer
    3⤵
    PID:1180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic BaseBoard get Product
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BaseBoard get Product
    3⤵
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic BaseBoard get Manufacturer
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BaseBoard get Manufacturer
    3⤵
    PID:4588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic BaseBoard get Product
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BaseBoard get Product
    3⤵
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic memorychip get speed
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic memorychip get speed
    3⤵
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SdsData\res2\BOOTICE.exe" /diskinfo /list: /file=test.ini"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\SdsData\res2\bootice.exe
    "C:\Users\Admin\AppData\Local\Temp\SdsData\res2\BOOTICE.exe" /diskinfo /list: /file=test.ini
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    PID:3444
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic diskdrive get serialnumber
  2⤵
  PID:3556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic BaseBoard get Manufacturer
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BaseBoard get Manufacturer
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c wmic BaseBoard get Product
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BaseBoard get Product
    3⤵
    PID:4420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe /c "Get-BitLockerVolume"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SdsData\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\Resouce.7z

Filesize
5.3MB

MD5
f6e006c22adc4e3476e4bdb2dc55828e

SHA1
aaa7f6ad7e7c8279a8fae3436f92a92b686ac9b7

SHA256
de4d1d7d51fb59fca94e24e7f60acce1294b418abebfa5d8c26d79f5b238ec30

SHA512
09d3e7ffe52b7090d0da985b4a4f2bf7f4ff02442826cb0dc57cff45d33a934cdde8683bfcc666a729d4f12da630c9dfb85048580bac2d0a77cf2396be4d75bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\download\ATL71.DLL

Filesize
87KB

MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\download\MSVCP71.dll

Filesize
492KB

MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\download\MSVCR71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\download\MiniThunderPlatform.exe

Filesize
262KB

MD5
0c8f2b0ee5bf990c6541025e94985c9f

SHA1
be942f5fef752b0070ba97998bfe763b96529aa2

SHA256
12d6cc86fdc69e1aa8d94d38715bbe271994c0f86f85283fa2190da7c322f4c8

SHA512
7b0e81149fafa88050a125155732057190d8f93e8d62cb05a68da9cf24e30228f14d0ffd888c0362bffd5872e970200098e75572b2819abeea10022ab1a264f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\download\XLBugHandler.dll

Filesize
98KB

MD5
92154e720998acb6fa0f7bad63309470

SHA1
385817793b9f894ca3dd3bac20b269652df6cbc6

SHA256
1845df41da539bca264f59365bf7453b686b9098cc94cd0e2b9a20c74a561096

SHA512
37ba81f338af7de7ef2ac6bcf67b3aec96f9b748830ee3c0b152029871f7701e917b94a6b51acd7be6f8f02aea2b25f3b14ced1a218bf4868af04f5207bb5fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\download\XLBugReport.exe

Filesize
242KB

MD5
67c767470d0893c4a2e46be84c9afcbb

SHA1
00291089b13a93f82ee49a11156521f13ea605cd

SHA256
64f8d68cc1cfc5b9cc182df3becf704af93d0f1cc93ee59dbf682c75b6d4ffc0

SHA512
d5d3a96dec616b0ab0cd0586fa0cc5a10ba662e0d5e4de4d849ac62ca5d60ec133f54d109d1d130b5f99ae73e7abfb284ec7d5ba55dca1a4f354c6af73c00e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\download\dl_peer_id.dll

Filesize
89KB

MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\download\download_engine.dll

Filesize
3.4MB

MD5
1a87ff238df9ea26e76b56f34e18402c

SHA1
2df48c31f3b3adb118f6472b5a2dc3081b302d7c

SHA256
abaeb5121548256577ddd8b0fc30c9ff3790649ad6a0704e4e30d62e70a72964

SHA512
b2e63aba8c081d3d38bd9633a1313f97b586b69ae0301d3b32b889690327a575b55097f19cc87c6e6ed345f1b4439d28f981fdb094e6a095018a10921dae80d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\download\id.dat

Filesize
40B

MD5
0be78c38021ed1585770f4709c75958b

SHA1
e9e3096e7cecdeadd5e69d714f0bb8ff2191521e

SHA256
d8c1f72b74bf08838080118c897b8fd50046edf036a045813bb9cc082dbf4a5d

SHA512
38da85702b15cb2020129c2dd88db8ffd6ec46d7c5d8c3a35717a9f186a83de71e90827e5c943972f211b0cd2a4b6366260d3c525591150f1237d979578c4d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\download\zlib1.dll

Filesize
58KB

MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\res2\USORT.EXE

Filesize
23KB

MD5
0cb9c0329fefacfd49c0f76c41c12b42

SHA1
35f3503e41adb04bb61fdc7a6a111b06522f8655

SHA256
173eea9ed8cfb54b85795b6de94dce01be1132ef7cfced9825a7632cb19c7c2d

SHA512
461140c9bcc6cbb46f0e827b6079775ffd68ff76a9ed5788baa20e373ce84a8dfaecc8ed60fa28392002551cbbdb4fda3c954290f8a3a281c31ad7ba91345d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\res2\bootice.exe

Filesize
416KB

MD5
0e72509b2d5c55093e2c9ad141067644

SHA1
4470a289016e2815777d3eec2bf7f985730249cd

SHA256
a65ecb7bcb0fbc02ecc72300e10a36171c55ff322de5f6390669973bf49a2587

SHA512
3ceebfc64649c7a325fbfdfefaeb437a742e005ab270ca614a2c3907b02cf61a55f42f0b1d9b0f66e2a4bffa22b29d6f64625ef03fd179958429303995be1b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\res2\test.ini

Filesize
79B

MD5
ff41ee833776cc2413f72c73205d9409

SHA1
e06ce48da839ff631f8f8ec2437991c6f89077c5

SHA256
73e28c2628bceebbf8b0c683998217bf82806c707c6427bd900096192eef3e75

SHA512
287647895f197def978475e292440882281c8b8d0f999bff0ef2b2194094db72fd5ff9a8f189f033359e3a47f7cc6c2fe5f07bb8b7c24d659c5160ffa4a5d1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\SdsData\xldl.dll

Filesize
286KB

MD5
40e8d381da7c2badc4b6f0cdb4b5378f

SHA1
3646338c6a20f17bf4383a8d053ce37681df8ead

SHA256
cb0b0c42dae0a1e946f97f6bda522eb5ad943cb632ba3d19f597ecb3e1f5eb94

SHA512
68dc5128d2e90885ca0e69dced80254e87ab765faefaf152b3cf452b37fb730ec146d4930342ced3f227bd7622a93592526d73567155346de14cd76e5180e7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vjsq51rb.wtv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\cookie

Filesize
135B

MD5
fc31b34eb1f36e5ff23be7f4621aa04e

SHA1
cef8d9c3577f04c9e102f942ee9bbe98dec50df5

SHA256
be7a52d6d1b2e5e2c7a9e338f3ab71b4b2e76797f19cc06d5899aece2701365b

SHA512
c5289e754453876b9646124952850f27325af5345c7522b9478a51c794277d5d0fa55cc105cbcab4dd72a2f76b107b97cea49a0296512c086412ddeb92441a65

Download Submit
memory/2332-125-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2412-83-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2412-99-0x0000000002700000-0x0000000002A60000-memory.dmp

Filesize
3.4MB

Download
memory/2412-95-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2412-189-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2460-112-0x0000000000CC0000-0x0000000000E03000-memory.dmp

Filesize
1.3MB

Download
memory/2460-120-0x0000000000CC0000-0x0000000000E03000-memory.dmp

Filesize
1.3MB

Download
memory/3444-136-0x0000000000CC0000-0x0000000000E03000-memory.dmp

Filesize
1.3MB

Download
memory/3444-139-0x0000000000CC0000-0x0000000000E03000-memory.dmp

Filesize
1.3MB

Download
memory/4240-158-0x0000000005D80000-0x00000000060D4000-memory.dmp

Filesize
3.3MB

Download
memory/4240-173-0x0000000007450000-0x000000000746E000-memory.dmp

Filesize
120KB

Download
memory/4240-148-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/4240-146-0x0000000005240000-0x0000000005262000-memory.dmp

Filesize
136KB

Download
memory/4240-144-0x00000000053F0000-0x0000000005A18000-memory.dmp

Filesize
6.2MB

Download
memory/4240-159-0x0000000006270000-0x000000000628E000-memory.dmp

Filesize
120KB

Download
memory/4240-160-0x00000000062B0000-0x00000000062FC000-memory.dmp

Filesize
304KB

Download
memory/4240-162-0x0000000006850000-0x0000000006882000-memory.dmp

Filesize
200KB

Download
memory/4240-163-0x0000000072FE0000-0x000000007302C000-memory.dmp

Filesize
304KB

Download
memory/4240-147-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download
memory/4240-174-0x0000000007470000-0x0000000007513000-memory.dmp

Filesize
652KB

Download
memory/4240-175-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/4240-176-0x00000000075A0000-0x00000000075BA000-memory.dmp

Filesize
104KB

Download
memory/4240-177-0x0000000007600000-0x000000000760A000-memory.dmp

Filesize
40KB

Download
memory/4240-178-0x00000000077C0000-0x00000000077EA000-memory.dmp

Filesize
168KB

Download
memory/4240-179-0x00000000077F0000-0x0000000007814000-memory.dmp

Filesize
144KB

Download
memory/4240-143-0x0000000004C30000-0x0000000004C66000-memory.dmp

Filesize
216KB

Download