a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1

General

Target

a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe
Size

2.4MB
MD5

264061c4dc3c4a649515473b1b8c90b0
SHA1

c15094f97ba16c611054d85c6aaa1962a07ebc12
SHA256

a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1
SHA512

6291dea4d5be9f00e34b3bcf0bafa574abb0f6ac17c1a0e6d9cffbf0e04cdfbab16f2cf47f1fe6707b113583da99388c96a0de6360703a9e8d5e8e6c5aede88b
SSDEEP

49152:JoNgRf9tTkvqHWzKVcBd6o6nt2rK09G4lyo0ZacSiLUswRI/CIJK:J+Qf7cqA0bt2rK09cohiLUbQJJK

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe

description ioc process

File opened for modification \??\PhysicalDrive0 a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe

pid	process
2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe
2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe
Token: SeIncreaseQuotaPrivilege	7560	WMIC.exe
Token: SeSecurityPrivilege	7560	WMIC.exe
Token: SeTakeOwnershipPrivilege	7560	WMIC.exe
Token: SeLoadDriverPrivilege	7560	WMIC.exe
Token: SeSystemProfilePrivilege	7560	WMIC.exe
Token: SeSystemtimePrivilege	7560	WMIC.exe
Token: SeProfSingleProcessPrivilege	7560	WMIC.exe
Token: SeIncBasePriorityPrivilege	7560	WMIC.exe
Token: SeCreatePagefilePrivilege	7560	WMIC.exe
Token: SeBackupPrivilege	7560	WMIC.exe
Token: SeRestorePrivilege	7560	WMIC.exe
Token: SeShutdownPrivilege	7560	WMIC.exe
Token: SeDebugPrivilege	7560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7560	WMIC.exe
Token: SeRemoteShutdownPrivilege	7560	WMIC.exe
Token: SeUndockPrivilege	7560	WMIC.exe
Token: SeManageVolumePrivilege	7560	WMIC.exe
Token: 33	7560	WMIC.exe
Token: 34	7560	WMIC.exe
Token: 35	7560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	7560	WMIC.exe
Token: SeSecurityPrivilege	7560	WMIC.exe
Token: SeTakeOwnershipPrivilege	7560	WMIC.exe
Token: SeLoadDriverPrivilege	7560	WMIC.exe
Token: SeSystemProfilePrivilege	7560	WMIC.exe
Token: SeSystemtimePrivilege	7560	WMIC.exe
Token: SeProfSingleProcessPrivilege	7560	WMIC.exe
Token: SeIncBasePriorityPrivilege	7560	WMIC.exe
Token: SeCreatePagefilePrivilege	7560	WMIC.exe
Token: SeBackupPrivilege	7560	WMIC.exe
Token: SeRestorePrivilege	7560	WMIC.exe
Token: SeShutdownPrivilege	7560	WMIC.exe
Token: SeDebugPrivilege	7560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7560	WMIC.exe
Token: SeRemoteShutdownPrivilege	7560	WMIC.exe
Token: SeUndockPrivilege	7560	WMIC.exe
Token: SeManageVolumePrivilege	7560	WMIC.exe
Token: 33	7560	WMIC.exe
Token: 34	7560	WMIC.exe
Token: 35	7560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	7760	WMIC.exe
Token: SeSecurityPrivilege	7760	WMIC.exe
Token: SeTakeOwnershipPrivilege	7760	WMIC.exe
Token: SeLoadDriverPrivilege	7760	WMIC.exe
Token: SeSystemProfilePrivilege	7760	WMIC.exe
Token: SeSystemtimePrivilege	7760	WMIC.exe
Token: SeProfSingleProcessPrivilege	7760	WMIC.exe
Token: SeIncBasePriorityPrivilege	7760	WMIC.exe
Token: SeCreatePagefilePrivilege	7760	WMIC.exe
Token: SeBackupPrivilege	7760	WMIC.exe
Token: SeRestorePrivilege	7760	WMIC.exe
Token: SeShutdownPrivilege	7760	WMIC.exe
Token: SeDebugPrivilege	7760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7760	WMIC.exe
Token: SeRemoteShutdownPrivilege	7760	WMIC.exe
Token: SeUndockPrivilege	7760	WMIC.exe
Token: SeManageVolumePrivilege	7760	WMIC.exe
Token: 33	7760	WMIC.exe
Token: 34	7760	WMIC.exe
Token: 35	7760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	7760	WMIC.exe
Token: SeSecurityPrivilege	7760	WMIC.exe
Token: SeTakeOwnershipPrivilege	7760	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe

pid	process
2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe
2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe
2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe
2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe
2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2180 wrote to memory of 7536	2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe	cmd.exe
PID 2180 wrote to memory of 7536	2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe	cmd.exe
PID 2180 wrote to memory of 7536	2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe	cmd.exe
PID 2180 wrote to memory of 7536	2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe	cmd.exe
PID 7536 wrote to memory of 7560	7536	cmd.exe	WMIC.exe
PID 7536 wrote to memory of 7560	7536	cmd.exe	WMIC.exe
PID 7536 wrote to memory of 7560	7536	cmd.exe	WMIC.exe
PID 7536 wrote to memory of 7560	7536	cmd.exe	WMIC.exe
PID 2180 wrote to memory of 7732	2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe	cmd.exe
PID 2180 wrote to memory of 7732	2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe	cmd.exe
PID 2180 wrote to memory of 7732	2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe	cmd.exe
PID 2180 wrote to memory of 7732	2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe	cmd.exe
PID 7732 wrote to memory of 7760	7732	cmd.exe	WMIC.exe
PID 7732 wrote to memory of 7760	7732	cmd.exe	WMIC.exe
PID 7732 wrote to memory of 7760	7732	cmd.exe	WMIC.exe
PID 7732 wrote to memory of 7760	7732	cmd.exe	WMIC.exe
PID 2180 wrote to memory of 7796	2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe	cmd.exe
PID 2180 wrote to memory of 7796	2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe	cmd.exe
PID 2180 wrote to memory of 7796	2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe	cmd.exe
PID 2180 wrote to memory of 7796	2180	a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe	cmd.exe
PID 7796 wrote to memory of 7820	7796	cmd.exe	WMIC.exe
PID 7796 wrote to memory of 7820	7796	cmd.exe	WMIC.exe
PID 7796 wrote to memory of 7820	7796	cmd.exe	WMIC.exe
PID 7796 wrote to memory of 7820	7796	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe
"C:\Users\Admin\AppData\Local\Temp\a7ac01dcdb49f4e99bf375fc58f4c15d97b454358ae9dd0f734079c9f61395d1.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic cpu get name/value
2⤵
- Suspicious use of WriteProcessMemory
PID:7536

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name/value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7560

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
2⤵
- Suspicious use of WriteProcessMemory
PID:7732

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic Path Win32_DisplayConfiguration get DeviceName/value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7760

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
2⤵
- Suspicious use of WriteProcessMemory
PID:7796

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic COMPUTERSYSTEM get TotalPhysicalMemory/value
3⤵
PID:7820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-0-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/2180-1-0x00000000752E0000-0x0000000075327000-memory.dmp

Filesize
284KB

Download
memory/2180-503-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-504-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-506-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-508-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-510-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-518-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-516-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-514-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-512-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-520-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-522-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-536-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-524-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-528-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-530-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-534-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-538-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-564-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-562-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-560-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-558-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-556-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-554-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-552-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-551-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-548-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-546-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-544-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-542-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-540-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-532-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-526-0x00000000027A0000-0x00000000028B1000-memory.dmp

Filesize
1.1MB

Download
memory/2180-7791-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads