b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c

General

Target

b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
Size

7.4MB
MD5

f735430d105d35870bddaebeb004f0ef
SHA1

5b56d9811bc3362aa67eff795229875af70ba679
SHA256

b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c
SHA512

4933a6da0a0dd51dd1c741885acb1b1e57bcea13611dbb8f92fd1913604d4495546b5d0105eac2aec78d56608716c1e51f0daaf6f10f0e376e7df52501daeb62
SSDEEP

98304:4UsE3yp0JsiaQ2HQbPD3mlZ3HYsn+uMfpByzriBkDOHOkOPD6woUMBXfRErb+:H3y+Dv2HQIvnt2zusw1MNfU+

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\etc\hosts	12.05.exe
File created	C:\Windows\system32\Drivers\etc\lmhosts.sam	12.05.exe

Executes dropped EXE 1 IoCs

pid	Process
2204	12.05.exe

Loads dropped DLL 4 IoCs

pid	Process
1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
File opened for modification	\??\PhysicalDrive0	12.05.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2204	12.05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2720	2204	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12.05.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2204	12.05.exe
2204	12.05.exe
2204	12.05.exe
2204	12.05.exe
2204	12.05.exe
2204	12.05.exe
2204	12.05.exe
2204	12.05.exe
2204	12.05.exe
2204	12.05.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
Token: SeDebugPrivilege	2204	12.05.exe
Token: SeDebugPrivilege	2204	12.05.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2204	12.05.exe
2204	12.05.exe
2204	12.05.exe
2204	12.05.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2204	1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe	31
PID 1980 wrote to memory of 2204	1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe	31
PID 1980 wrote to memory of 2204	1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe	31
PID 1980 wrote to memory of 2204	1980	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe	31
PID 2204 wrote to memory of 2720	2204	12.05.exe	32
PID 2204 wrote to memory of 2720	2204	12.05.exe	32
PID 2204 wrote to memory of 2720	2204	12.05.exe	32
PID 2204 wrote to memory of 2720	2204	12.05.exe	32

C:\Users\Admin\AppData\Local\Temp\b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
"C:\Users\Admin\AppData\Local\Temp\b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\Documents\12.05.exe
  "C:\Users\Admin\Documents\12.05.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 924
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\38afe80f

Filesize
318B

MD5
f6826b4a0be52ce01420fc6ba00f8bf6

SHA1
54c9371e1c0ddd970b9897a5e7dbc82d51584007

SHA256
6935bfd6a674f47481c4cfc3ae2bcf3588eb1fbb9b79f434e85281b5b8ab51f8

SHA512
ff06a8f5c02ce6ea4f9dfed3ef331e763ea859fb5fe1d9c9c115b343b1745f13a6b24d8b6b4f3de5eb79540fd5fb4701eaa5ab939398e7fcc1475d5438e275b8

Download Submit
\Users\Admin\Documents\12.05.exe

Filesize
7.4MB

MD5
bef6f8487d700fabea7a8116d89cee10

SHA1
47b4de0be6c61a9f370b1d496108551567f9871c

SHA256
373d3bd04068a3dc884b32976e70c0d93649865972329afc9876ce22ab95a724

SHA512
07314affeb87f68d6eab782888702a04accf6d80ace79dd72e3eb2cc6f80f022455c288afcfc4b2a56ffdc9adec63b514196b7be2990fef8bba1988f197cc6d0

Download Submit
memory/1980-4-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/1980-22-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/1980-0-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/1980-6-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/1980-7-0x0000000000401000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1980-8-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1980-1-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/1980-20-0x0000000004F10000-0x0000000005904000-memory.dmp

Filesize
10.0MB

Download
memory/1980-2-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/1980-3-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2204-25-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2204-24-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2204-28-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2204-26-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2204-23-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2204-21-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2204-42-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads