c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314

General

Target

c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe
Size

5.4MB
MD5

dd98b518fea2e5ee3d647c58de77a965
SHA1

d645292b2c6d02ac715b7eb2496c8b38d205cd46
SHA256

c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314
SHA512

39f574904e5e84846b3b7b97c54ea105c3b26e73b9b03ce03e79c1403b749536ed164ddd30b703160ce2ffc767206b497357547ae506e4566dc5575575ad81dd
SSDEEP

49152:TEY29Y/CdTDAUAif7Tp8fYejClDvN5++b+wr9sP7gINSGXjN5viey7ejWGo:4dl3AQnp8gi43+Sn9sT3LNXySCB

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
4	drive.google.com
7	drive.google.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe

pid	Process
2428	c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe
2428	c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe

pid	Process
2428	c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe

description	pid	Process
Token: SeDebugPrivilege	2428	c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe

pid	Process
2428	c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations	c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes = ".exe;.bat;.cmd;.vbs"	c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe

C:\Users\Admin\AppData\Local\Temp\c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe
"C:\Users\Admin\AppData\Local\Temp\c0d03d0e971770f8edfee25f10c26eddc0e53d3525e7f1e4f96b0c8f04241314.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2428-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/2428-1-0x0000000000A40000-0x0000000000FAA000-memory.dmp

Filesize
5.4MB

Download
memory/2428-2-0x0000000000390000-0x00000000003C8000-memory.dmp

Filesize
224KB

Download
memory/2428-3-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-4-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-5-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-6-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-9-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/2428-7-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/2428-42-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/2428-40-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/2428-38-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/2428-36-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/2428-46-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/2428-44-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/2428-48-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-128-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/2428-142-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-165-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-176-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads