b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c

General

Target

b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
Size

7.4MB
MD5

f735430d105d35870bddaebeb004f0ef
SHA1

5b56d9811bc3362aa67eff795229875af70ba679
SHA256

b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c
SHA512

4933a6da0a0dd51dd1c741885acb1b1e57bcea13611dbb8f92fd1913604d4495546b5d0105eac2aec78d56608716c1e51f0daaf6f10f0e376e7df52501daeb62
SSDEEP

98304:4UsE3yp0JsiaQ2HQbPD3mlZ3HYsn+uMfpByzriBkDOHOkOPD6woUMBXfRErb+:H3y+Dv2HQIvnt2zusw1MNfU+

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\etc\hosts	12.05.exe
File created	C:\Windows\system32\Drivers\etc\lmhosts.sam	12.05.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe

Executes dropped EXE 1 IoCs

pid	Process
2216	12.05.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
File opened for modification	\??\PhysicalDrive0	12.05.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2216	12.05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2944	2216	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12.05.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2216	12.05.exe
2216	12.05.exe
2216	12.05.exe
2216	12.05.exe
2216	12.05.exe
2216	12.05.exe
2216	12.05.exe
2216	12.05.exe
2216	12.05.exe
2216	12.05.exe
2216	12.05.exe
2216	12.05.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
Token: SeDebugPrivilege	2216	12.05.exe
Token: SeDebugPrivilege	2216	12.05.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
2216	12.05.exe
2216	12.05.exe
2216	12.05.exe
2216	12.05.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2216	2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe	91
PID 2504 wrote to memory of 2216	2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe	91
PID 2504 wrote to memory of 2216	2504	b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe	91

C:\Users\Admin\AppData\Local\Temp\b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe
"C:\Users\Admin\AppData\Local\Temp\b96db23676e660491277ae4e9a63f9bc4faf327f04dfc5d952638e1faa13400c.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\Documents\12.05.exe
  "C:\Users\Admin\Documents\12.05.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1472
    3⤵
    - Program crash
    PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2216 -ip 2216
1⤵
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\12.05.exe

Filesize
7.4MB

MD5
2fbba00d3f7acf55ce45a29c2f9513a6

SHA1
d41f10cca96bbea90033b071f48a9e78900277f0

SHA256
4ca9eb9b1e5c969a6e53003095e9a1ab56b68d379304009195cca7b1e1f06597

SHA512
b4bba17afe443cdfe98b93be5fe95f83947257b768ec2fb0d60ad20aaacb200ef4c69c78199bcc268a8d2be44f2d3e39afd5d3ae65fb0fe96e780a9966b31f7b

Download Submit
C:\Users\Admin\Documents\38afe80f

Filesize
318B

MD5
ad64af2ac971d318b3cc6e04895e55ac

SHA1
04785e27b771a4183db32da9f9abd57e38046b55

SHA256
1987f959e76e916cc219494546b8e7d3383b23a9325b98665fe126e9f9c5a447

SHA512
84c4bf3e9b4e82c9c081fb80265e0acf35032df1149a4546d4c38c8f52d4dbe505351a8798feaf356ac14ca2930084cea9dd75fd4d365a60d92361a75c4a5352

Download Submit
memory/2216-25-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2216-22-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2216-40-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2216-27-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2216-29-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2216-26-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2216-24-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2504-7-0x0000000000401000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2504-23-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2504-1-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2504-0-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2504-8-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2504-3-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2504-6-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2504-2-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/2504-4-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads