9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839

General

Target

9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
Size

1.2MB
MD5

a8d64976f43e58181bf6e137081946cc
SHA1

0c4cb5259ca542b73adbde8f97f7b602a226635f
SHA256

9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839
SHA512

db0c99ed5507081761195029e821172b25e4a79e72479400b6ab7d13b84c253920a79930d794132bc8732d7813b208e3fa03aa88c5eafc2d2c3b675516009b04

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exeBugreport-328066.dll

pid process

1220 9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
1840 Bugreport-328066.dll

pid	process
1220	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
1840	Bugreport-328066.dll

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3420-130-0x00000000027C0000-0x0000000002832000-memory.dmp	upx
behavioral2/memory/3420-131-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-132-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-133-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-136-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-135-0x00000000027C0000-0x0000000002832000-memory.dmp	upx
behavioral2/memory/3420-138-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-140-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-142-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-144-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-146-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-154-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-158-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-160-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-162-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-164-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-166-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-168-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-170-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-172-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3420-174-0x0000000010000000-0x000000001003E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe	upx
behavioral2/memory/1220-177-0x0000000010000000-0x000000001003F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe	upx
behavioral2/memory/1220-179-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1220-180-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1220-183-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1220-185-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1220-187-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1220-189-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1220-191-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1220-193-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1220-195-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1220-197-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1220-223-0x0000000002720000-0x0000000002792000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe

description ioc process

File opened for modification \??\PhysicalDrive0 9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe = "11001"	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe = "1"	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\International\CpMRU	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe

pid	process
3420	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
3420	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
1220	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
1220	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe

Suspicious behavior: RenamesItself 2 IoCs

Processes:

9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe

pid	process
3420	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
3420	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exeBugreport-328066.dll

pid	process
3420	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
3420	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
3420	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
1220	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
1220	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
1220	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
1220	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
1220	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
1220	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
1840	Bugreport-328066.dll

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe

description	pid	process	target process
PID 3420 wrote to memory of 1220	3420	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
PID 3420 wrote to memory of 1220	3420	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
PID 3420 wrote to memory of 1220	3420	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
PID 1220 wrote to memory of 1840	1220	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe	Bugreport-328066.dll
PID 1220 wrote to memory of 1840	1220	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe	Bugreport-328066.dll
PID 1220 wrote to memory of 1840	1220	9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe	Bugreport-328066.dll

C:\Users\Admin\AppData\Local\Temp\9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
"C:\Users\Admin\AppData\Local\Temp\9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe"
1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Local\Temp\9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
"C:\Users\Admin\AppData\Local\Temp\9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe" ÃüÁîÆô¶¯
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-328066.dll
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-328066.dll Bugreport %E9%AA%A8%E5%A4%B4QQ%E9%99%8C%E7%94%9F%E7%A9%BA%E9%97%B4%E7%95%99%E7%97%95%E8%B5%9E%20
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
Filesize
1.3MB

MD5
f298553bf1d92ae531845d4db826b017

SHA1
991ee68cbb583aea47fc8c4ebf7d761cb288adba

SHA256
546ced7ac4ad4f3e4672ccbc73f03b70de03da95131fa96d5e151f1d9740a6b1

SHA512
a54aba9e35f323f1a8e6783e11faeffed61985c628a76f6d4acbf0dbfb0de3118e80626b13e8e5138fad4ee3fbaf31d8d9fe8b2a8234d1cc17393dcaca677741

Download Submit
C:\Users\Admin\AppData\Local\Temp\9afc1339d73fdebc98795cb32f498081a415b20fb10b7b76c491d2fb38133839.exe
Filesize
1.3MB

MD5
f298553bf1d92ae531845d4db826b017

SHA1
991ee68cbb583aea47fc8c4ebf7d761cb288adba

SHA256
546ced7ac4ad4f3e4672ccbc73f03b70de03da95131fa96d5e151f1d9740a6b1

SHA512
a54aba9e35f323f1a8e6783e11faeffed61985c628a76f6d4acbf0dbfb0de3118e80626b13e8e5138fad4ee3fbaf31d8d9fe8b2a8234d1cc17393dcaca677741

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-328066.dll
Filesize
164KB

MD5
0f72c64162407b3bbd2f2dcc78d53580

SHA1
6bf9118bcb707b4e7d71dd3057d123ebe245e2fc

SHA256
0ce6175baa2e91fc57c54c2eea9548c3c68c0f5b8a033938a0a4f5c0ebaab795

SHA512
7d8ff001e2f1b880cff111045cf17e9526b649eda50eaed332933dfbadd91510493c82d52ce8c8cbbb7e630973baacfb06fe48843c048b3037d0bc6734e7935f

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-328066.dll
Filesize
164KB

MD5
0f72c64162407b3bbd2f2dcc78d53580

SHA1
6bf9118bcb707b4e7d71dd3057d123ebe245e2fc

SHA256
0ce6175baa2e91fc57c54c2eea9548c3c68c0f5b8a033938a0a4f5c0ebaab795

SHA512
7d8ff001e2f1b880cff111045cf17e9526b649eda50eaed332933dfbadd91510493c82d52ce8c8cbbb7e630973baacfb06fe48843c048b3037d0bc6734e7935f

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini
Filesize
113B

MD5
4e03b66adb8dad2be05e132eb17363e3

SHA1
404f94fe14723ea2122a5384d06d0796b50ed64b

SHA256
cc3c87d4cd9a993117c95dc6b2a1693f8b643d72318ffcad24d5d10fb646cc9a

SHA512
3aba5507e7d7d9d17333eb59bbf16626fec8b0d2710bed37b5aaf6e95abc89285fba889fce3b82b8e0e4ba2239d8a349b7645579288803ceabb8de051ffc5e6b

Download Submit
memory/1220-180-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1220-187-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1220-197-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1220-195-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1220-193-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1220-191-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1220-189-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1220-223-0x0000000002720000-0x0000000002792000-memory.dmp

Filesize
456KB

Download
memory/1220-185-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1220-183-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1220-175-0x0000000000000000-mapping.dmp

Download
memory/1220-179-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1220-177-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1840-224-0x0000000000000000-mapping.dmp

Download
memory/1840-228-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3420-146-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-170-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-172-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-174-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-166-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-164-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-162-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-160-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-158-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-154-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-168-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-130-0x00000000027C0000-0x0000000002832000-memory.dmp

Filesize
456KB

Download
memory/3420-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-144-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-142-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-140-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-138-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-135-0x00000000027C0000-0x0000000002832000-memory.dmp

Filesize
456KB

Download
memory/3420-136-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-133-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-132-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3420-131-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads