dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a

General

Target

dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a.exe
Size

10.0MB
MD5

1f58ab9592fd399a1636c98a842f8ffb
SHA1

4e47129ebd8fb2f07163a6548a5d93d1183e6ee4
SHA256

dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a
SHA512

71a12e650820e9bcb2548cf3450663af81931e039542f60ad1b9ea9c41a0c5f2e91ae3ccc0a8e7fc087887fe041f8579355a1f865cca68b03d544f05d653edd5
SSDEEP

196608:TB3dTQozppoKpov5+9c3ekByrCpU+sb9d++kdDk5OJPfmZ:T7QozTBp05SDkHUzfvYfmZ

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1932	dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a.exe
1932	dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2772	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1932	dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a.exe
1932	dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1932	dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a.exe
1932	dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2804	1932	dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a.exe	28
PID 1932 wrote to memory of 2804	1932	dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a.exe	28
PID 1932 wrote to memory of 2804	1932	dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a.exe	28
PID 1932 wrote to memory of 2804	1932	dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a.exe	28
PID 2804 wrote to memory of 2772	2804	cmd.exe	30
PID 2804 wrote to memory of 2772	2804	cmd.exe	30
PID 2804 wrote to memory of 2772	2804	cmd.exe	30
PID 2804 wrote to memory of 2772	2804	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a.exe
"C:\Users\Admin\AppData\Local\Temp\dd6c752530d44fec544b8c3212ad9f7675bfb0b572bd619419337a31ff283c6a.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c systeminfo
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1932-0-0x0000000000400000-0x00000000015D9000-memory.dmp

Filesize
17.8MB

Download
memory/1932-35-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1932-36-0x00000000007A3000-0x0000000000BD9000-memory.dmp

Filesize
4.2MB

Download
memory/1932-33-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1932-30-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1932-28-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1932-25-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1932-23-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1932-20-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1932-18-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1932-15-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1932-13-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1932-11-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1932-10-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1932-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1932-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1932-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1932-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1932-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1932-38-0x0000000000400000-0x00000000015D9000-memory.dmp

Filesize
17.8MB

Download
memory/1932-42-0x0000000000400000-0x00000000015D9000-memory.dmp

Filesize
17.8MB

Download
memory/1932-43-0x00000000007A3000-0x0000000000BD9000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads