33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918

General

Target

33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
Size

6.0MB
MD5

5d5b93f25b42d83ccbe3b6d99f1ec66e
SHA1

6eb2a4ac6861856eddd1ab0be1ecb655153948a8
SHA256

33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918
SHA512

b8c93db5c3838859c549c8da3b43152525a0849b1262a03e251d6c1d0096048dd33bb1382fcd1ff1e54305caf7ba0d97ea32994f961b59e2e43b26ea647c730f
SSDEEP

98304:TuBRQ2yBDa74Y15sPc9q/Un5TJ5yNivnAa/6D6J+oTpEBUQGA1Ypvm:s15TJMSBGjtGA18v

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

pid process

4440 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

description ioc process

File opened for modification \??\PhysicalDrive0 33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4296 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 4296 taskkill.exe

pid	process
4440	33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

pid	process
4296	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4296	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

pid	process
4972	33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
4972	33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
4440	33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
4440	33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.execmd.exe

description	pid	process	target process
PID 4972 wrote to memory of 4520	4972	33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe	cmd.exe
PID 4972 wrote to memory of 4520	4972	33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe	cmd.exe
PID 4972 wrote to memory of 4520	4972	33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe	cmd.exe
PID 4520 wrote to memory of 4296	4520	cmd.exe	taskkill.exe
PID 4520 wrote to memory of 4296	4520	cmd.exe	taskkill.exe
PID 4520 wrote to memory of 4296	4520	cmd.exe	taskkill.exe
PID 4520 wrote to memory of 4440	4520	cmd.exe	33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
PID 4520 wrote to memory of 4440	4520	cmd.exe	33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
PID 4520 wrote to memory of 4440	4520	cmd.exe	33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe

C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
"C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe" &start "" "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe" &exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Users\Admin\AppData\Local\Temp\33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe
"33ff116d90d0b6ba22a3494893aacfbc09cbdeff9fd23176c0cf2b2c1e0da918.exe"
3⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:8
1⤵
PID:3116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32.lib
Filesize
1.6MB

MD5
031ad1ecd93701d39265771942ec716c

SHA1
cb3ef507bf0e848894fbb96a29bfc94a0c302152

SHA256
9a7fde2ea7883701bf858e0daef74d787a31c3cbd9f1171cec0a3a382ee9e6ba

SHA512
374dab32b6304834c7acd8b5e6701ece016bf57d3abdd416ef2b63f7cbda24c9e59f9dfc27b6823ac6256bbab38aace74334dec7d57f1ef6cb9b80c239003bae

Download Submit
memory/4440-12-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/4440-13-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/4440-19-0x0000000003920000-0x0000000003921000-memory.dmp

Filesize
4KB

Download
memory/4440-18-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/4440-15-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/4440-8-0x0000000000400000-0x0000000000A31000-memory.dmp

Filesize
6.2MB

Download
memory/4440-17-0x0000000000400000-0x0000000000A31000-memory.dmp

Filesize
6.2MB

Download
memory/4440-11-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/4440-16-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/4440-14-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/4972-7-0x0000000000400000-0x0000000000A31000-memory.dmp

Filesize
6.2MB

Download
memory/4972-0-0x0000000000400000-0x0000000000A31000-memory.dmp

Filesize
6.2MB

Download
memory/4972-6-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/4972-5-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/4972-3-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/4972-4-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing