772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e

General

Target

772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe
Size

2.4MB
MD5

0c693cbec94add5ed4ff008efac5bd07
SHA1

90d60078f5c5d0be44655e5da14521abfd19f71c
SHA256

772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e
SHA512

5772b46702695633c4bf69d1e66305a8378f99f07b64323341e5b5fdce985f7395d01f07fcd6a24a11f8663d7f3c047df892422d6d9ce1ca1220df279ec41760
SSDEEP

49152:JoNgRf9tTkvqHWzKVcBd6o6nt2rK09G4lyo0ZacSiLUswRI/CIJq:J+Qf7cqA0bt2rK09cohiLUbQJJq

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe

description ioc process

File opened for modification \??\PhysicalDrive0 772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe

pid	process
2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe
2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe
Token: SeIncreaseQuotaPrivilege	5316	WMIC.exe
Token: SeSecurityPrivilege	5316	WMIC.exe
Token: SeTakeOwnershipPrivilege	5316	WMIC.exe
Token: SeLoadDriverPrivilege	5316	WMIC.exe
Token: SeSystemProfilePrivilege	5316	WMIC.exe
Token: SeSystemtimePrivilege	5316	WMIC.exe
Token: SeProfSingleProcessPrivilege	5316	WMIC.exe
Token: SeIncBasePriorityPrivilege	5316	WMIC.exe
Token: SeCreatePagefilePrivilege	5316	WMIC.exe
Token: SeBackupPrivilege	5316	WMIC.exe
Token: SeRestorePrivilege	5316	WMIC.exe
Token: SeShutdownPrivilege	5316	WMIC.exe
Token: SeDebugPrivilege	5316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5316	WMIC.exe
Token: SeRemoteShutdownPrivilege	5316	WMIC.exe
Token: SeUndockPrivilege	5316	WMIC.exe
Token: SeManageVolumePrivilege	5316	WMIC.exe
Token: 33	5316	WMIC.exe
Token: 34	5316	WMIC.exe
Token: 35	5316	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5316	WMIC.exe
Token: SeSecurityPrivilege	5316	WMIC.exe
Token: SeTakeOwnershipPrivilege	5316	WMIC.exe
Token: SeLoadDriverPrivilege	5316	WMIC.exe
Token: SeSystemProfilePrivilege	5316	WMIC.exe
Token: SeSystemtimePrivilege	5316	WMIC.exe
Token: SeProfSingleProcessPrivilege	5316	WMIC.exe
Token: SeIncBasePriorityPrivilege	5316	WMIC.exe
Token: SeCreatePagefilePrivilege	5316	WMIC.exe
Token: SeBackupPrivilege	5316	WMIC.exe
Token: SeRestorePrivilege	5316	WMIC.exe
Token: SeShutdownPrivilege	5316	WMIC.exe
Token: SeDebugPrivilege	5316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5316	WMIC.exe
Token: SeRemoteShutdownPrivilege	5316	WMIC.exe
Token: SeUndockPrivilege	5316	WMIC.exe
Token: SeManageVolumePrivilege	5316	WMIC.exe
Token: 33	5316	WMIC.exe
Token: 34	5316	WMIC.exe
Token: 35	5316	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6060	WMIC.exe
Token: SeSecurityPrivilege	6060	WMIC.exe
Token: SeTakeOwnershipPrivilege	6060	WMIC.exe
Token: SeLoadDriverPrivilege	6060	WMIC.exe
Token: SeSystemProfilePrivilege	6060	WMIC.exe
Token: SeSystemtimePrivilege	6060	WMIC.exe
Token: SeProfSingleProcessPrivilege	6060	WMIC.exe
Token: SeIncBasePriorityPrivilege	6060	WMIC.exe
Token: SeCreatePagefilePrivilege	6060	WMIC.exe
Token: SeBackupPrivilege	6060	WMIC.exe
Token: SeRestorePrivilege	6060	WMIC.exe
Token: SeShutdownPrivilege	6060	WMIC.exe
Token: SeDebugPrivilege	6060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6060	WMIC.exe
Token: SeRemoteShutdownPrivilege	6060	WMIC.exe
Token: SeUndockPrivilege	6060	WMIC.exe
Token: SeManageVolumePrivilege	6060	WMIC.exe
Token: 33	6060	WMIC.exe
Token: 34	6060	WMIC.exe
Token: 35	6060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6060	WMIC.exe
Token: SeSecurityPrivilege	6060	WMIC.exe
Token: SeTakeOwnershipPrivilege	6060	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe

pid	process
2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe
2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe
2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe
2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe
2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2184 wrote to memory of 5844	2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe	cmd.exe
PID 2184 wrote to memory of 5844	2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe	cmd.exe
PID 2184 wrote to memory of 5844	2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe	cmd.exe
PID 2184 wrote to memory of 5844	2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe	cmd.exe
PID 5844 wrote to memory of 5316	5844	cmd.exe	WMIC.exe
PID 5844 wrote to memory of 5316	5844	cmd.exe	WMIC.exe
PID 5844 wrote to memory of 5316	5844	cmd.exe	WMIC.exe
PID 5844 wrote to memory of 5316	5844	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 1128	2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe	cmd.exe
PID 2184 wrote to memory of 1128	2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe	cmd.exe
PID 2184 wrote to memory of 1128	2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe	cmd.exe
PID 2184 wrote to memory of 1128	2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe	cmd.exe
PID 1128 wrote to memory of 6060	1128	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 6060	1128	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 6060	1128	cmd.exe	WMIC.exe
PID 1128 wrote to memory of 6060	1128	cmd.exe	WMIC.exe
PID 2184 wrote to memory of 1576	2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe	cmd.exe
PID 2184 wrote to memory of 1576	2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe	cmd.exe
PID 2184 wrote to memory of 1576	2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe	cmd.exe
PID 2184 wrote to memory of 1576	2184	772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe	cmd.exe
PID 1576 wrote to memory of 3228	1576	cmd.exe	WMIC.exe
PID 1576 wrote to memory of 3228	1576	cmd.exe	WMIC.exe
PID 1576 wrote to memory of 3228	1576	cmd.exe	WMIC.exe
PID 1576 wrote to memory of 3228	1576	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe
"C:\Users\Admin\AppData\Local\Temp\772a5d183327a4506dfbf48a66293bf5fc131cba1c9361fd80187b5dfd11de2e.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic cpu get name/value
2⤵
- Suspicious use of WriteProcessMemory
PID:5844

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name/value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5316

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic Path Win32_DisplayConfiguration get DeviceName/value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6060

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
2⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
3⤵
PID:3228

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2184-0-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/2184-1-0x0000000076650000-0x0000000076697000-memory.dmp

Filesize
284KB

Download
memory/2184-506-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-503-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-504-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-508-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-510-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-512-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-520-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-522-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-518-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-516-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-514-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-524-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-526-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-548-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-560-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-528-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-530-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-534-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-532-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-564-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-562-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-558-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-556-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-554-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-552-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-550-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-546-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-544-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-542-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-540-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-538-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-536-0x0000000002660000-0x0000000002771000-memory.dmp

Filesize
1.1MB

Download
memory/2184-7791-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads