9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610

General

Target

9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
Size

1.8MB
MD5

7d0feed35f03c2ffefc8736652d24a11
SHA1

f30eadea0c0f1dfcaebf7689f9c2a655d5aa8bdd
SHA256

9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610
SHA512

51094cad122cf48fa5cbb92e3c78131a16fa29821b23b70ebf8e81a1d57ef22ed7ffc4e3460ae9e81fdc7ff20e9f27645cf3f62ee64f794eae76ff17a9be58af

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

fracturesl.exe7654pb.exe7654llqtips.exe

pid process

508 fracturesl.exe
824 7654pb.exe
1004 7654llqtips.exe

pid	process
508	fracturesl.exe
824	7654pb.exe
1004	7654llqtips.exe

Loads dropped DLL 3 IoCs

Processes:

9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe

pid	process
1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

fracturesl.exe

description ioc process

File opened for modification C:\Users\Admin\Desktop\desktop.ini fracturesl.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	fracturesl.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exefracturesl.exe7654pb.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
File opened for modification	\??\PhysicalDrive0	fracturesl.exe
File opened for modification	\??\PhysicalDrive0	7654pb.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

fracturesl.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	fracturesl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\news.7654.com\ = "63"	fracturesl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com\Total = "63"	fracturesl.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	fracturesl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com\NumberOfSubdomains = "1"	fracturesl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\fracturesl.exe = "11000"	fracturesl.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com	fracturesl.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage	fracturesl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	fracturesl.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\news.7654.com	fracturesl.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	fracturesl.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	fracturesl.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exefracturesl.exe7654pb.exe

pid	process
1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
508	fracturesl.exe
508	fracturesl.exe
824	7654pb.exe
824	7654pb.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

fracturesl.exe

pid process

508 fracturesl.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

fracturesl.exe

pid process

508 fracturesl.exe
508 fracturesl.exe
508 fracturesl.exe
508 fracturesl.exe
508 fracturesl.exe
508 fracturesl.exe
508 fracturesl.exe

pid	process
508	fracturesl.exe

pid	process
508	fracturesl.exe
508	fracturesl.exe
508	fracturesl.exe
508	fracturesl.exe
508	fracturesl.exe
508	fracturesl.exe
508	fracturesl.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe

description	pid	process	target process
PID 1944 wrote to memory of 508	1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	fracturesl.exe
PID 1944 wrote to memory of 508	1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	fracturesl.exe
PID 1944 wrote to memory of 508	1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	fracturesl.exe
PID 1944 wrote to memory of 508	1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	fracturesl.exe
PID 1944 wrote to memory of 824	1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654pb.exe
PID 1944 wrote to memory of 824	1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654pb.exe
PID 1944 wrote to memory of 824	1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654pb.exe
PID 1944 wrote to memory of 824	1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654pb.exe
PID 1944 wrote to memory of 1004	1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654llqtips.exe
PID 1944 wrote to memory of 1004	1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654llqtips.exe
PID 1944 wrote to memory of 1004	1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654llqtips.exe
PID 1944 wrote to memory of 1004	1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654llqtips.exe
PID 1944 wrote to memory of 1004	1944	9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe	7654llqtips.exe

C:\Users\Admin\AppData\Local\Temp\9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe
"C:\Users\Admin\AppData\Local\Temp\9bb8ca69a0118ba479292d3df9c99bb82d47263513be3d7ec3f78a134d6fa610.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\blossloms\fracturesl.exe
C:\Users\Admin\AppData\Local\blossloms\fracturesl.exe LXByb2plY3Q9NzY1NEJyb3dzZXIgLWtpbGxwcm9jZXNzPTYwIC1lbmFibGVob21lcGFnZXJhbmQ9MSAtT3B0aW1pemU9MjAgLURpc3BsYXlUaXRsZT03NjU0QnJvd3NlciAtd3JpdGV0Y2s9TGl2ZVVwZGF0ZTM2MCw2MzIgLXVzZXNzcG1vZGU9dHJ1ZSAtVG9wVXJsPWh0dHA6Ly9kb3duMS43NjU0YnJvd3Nlci52ZnB6bWcuY24vdHVpL21pbmluZXdzL21pbmluZXdzcGx1cy9mZnpkci5wbmcgLUFudGlNYWxpY2lvdXNDbGljaz02MC81MDAgLXBiY3V0dGl0bGVuZXdzID0tMSAtcHA9OTA3ODg2OTQ2NzQ1Y2Y1NGIwZmQyMjMyMDY5MDEyNWYgLXNob3dXZWF0aGVyPWZhbHNlIC1hbGlnbj10b3AgLWNhcHRpb25jb2xvcj0jRkZGRkZGIC1TaG93Q2xvc2VNZW51PTEgLU1heFdlYkNsaWNrQ291bnQ9MiAtQ2xhc3NOYW1lPVNvUFlfU3RhdHVzIC1UaXRsZT1maXJlZmx5ZSAtU3VwcG9ydDc2NTRCcm93c2VyPXRydWUgLU11dGV4TmFtZT1DOUNENEYzNS00QUQ2LTQ1ZDMtOEEwRS1BQzIxMUVCMUQxM0UgLUlFOVVSTD1odHRwOi8vbmV3cy43NjU0LmNvbS9taW5pX25ldzQvMDYxMy8/cWlkPSZ1aWQ9QUVFNTRCQzBDODYyQ0Y3NzRBRkY4QThFRjdEOUU5OEQmZW52PTAmc2NyZWVuX2g9NzIwIC1VUkw9aHR0cDovL25ld3MuNzY1NC5jb20vbWluaV9uZXc0LzA2MTMvP3FpZD0mdWlkPUFFRTU0QkMwQzg2MkNGNzc0QUZGOEE4RUY3RDlFOThEJmVudj0wJnNjcmVlbl9oPTcyMCAtcmVwb3J0cHJlZml4PW1pbmluZXdzLTEgLXRhc2tpZD10YXNraWQubWluaW5ld3NwbHVzXzE=
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:508

C:\Users\Admin\AppData\Roaming\Roaming\7654llq\7654llqpb\7654pb.exe
C:\Users\Admin\AppData\Roaming\Roaming\7654llq\7654llqpb\7654pb.exe --data=hask7934iRAC6NbcRTWMj3DWbr54mdExgJZB7kSf5DhUz322DF3ik/KUeq0KE9imDLRM9e5NgAtKDVDOAql69QaljVA867zpeak4eS6Qr9Yi+vKSksdAxIHtmekp+sopSyJ+Rzp/5QjTBiKbl9Q9dJhbeUJHoAzPOmkrgCPc+V93VryAwmwg1tRLLvqFv5Ob
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Users\Admin\AppData\Roaming\7654liulanqi\7654liulanqitips\7654llqtips.exe
C:\Users\Admin\AppData\Roaming\7654liulanqi\7654liulanqitips\7654llqtips.exe rGn1j5KACJfmMot8Q2oOt6EelyZu5tKIx6sPdB2VAeWTzYcKAbfWFVdugO39vqCw2X65X1+0tV8TCUu2Y566hIcNubqqRFpXymAg+Y2edLU057yYGH1/Z9wcZHwwzw0AS7vXfM5x2+BefnIl0odELOE5DftDJPizPIlYh/c8uNgbq6qk3mTfGrxbyCX/v3uU5hneixCdbcvK4+I/ykP4Qx5d/jVyt0E5Vikngy+CkeRYQ3Kq5WyfCdOnknSo6Mw0g7uwSUIFcKmf6psqNSPec1b5yHwPLe6IFGWvOquf50/vUfqMC/VLitaLpOoJXvkcoYPyuRn1HWsj3FjsF2Rqs6qrIAj/64tgfPULUMrN9c2kkc0JPOzyTWg99gKiRDtwC7bNF1fOM76G3qmenwrI5QSJfT/sl/Tx87LioquB1c+lmT25iWSscLPGQnHmoCLgEhQ6Nnuyi5d6egfFgOLccDlP5jUBdrnks/yvKLKyM6qoljZz8N+XfqNf63OWuv6m4qYbXgEoUbWuQg6lAGTZXfqLHb1xayBOQ3yOPP7hMOhXyK9J0Tm3XHaAWOM9vTrS0zE3dDPfxurGcYeWUBk60Ucxgryw0UnPf6gm1OJjzC9jruJ4TVdYYp5nQ+xamzHKGZGClxNHO5KCH9AYWi8+Tp82RSWea08sMbZ0YT15MkfTDLezAAD6v9VtImTWpY8ZkJYZ3CKq3xnkI2cxM4aSjRPzxJsAS+w0lp1iDTrTBWsJlgtmB+6ZM+0XJCilUIewofAM+L09TfHj2v/iCYgogrpRuSwFeEbMdCNNDqAmXcJNWGWFpid4KAg7vkQkTAzL0wFEgek20lxP42BvlEEyWJ4M5mrMk0m0zBvbKvRdjjdPBHWnqskUZESngPypk9XpzcMXxcfTdsxd0duRGtmu8/c9erNqwml9nGZ8YQ8OhJaG/zTmJ+6ik2UNp6n3WSNY1oxBebvuzdPwCPSsMv0bq/z3tpO3YEjn3xsIcWzVMuK/9c8fPlCYL4Yv0YEGWb+dBWeMzg3t1/+O/SE+AB97fEm0mJVnBVmghZCvZHEGXfmJAPhmAihUumgPIlxJ51MiikIpGA==
2⤵
- Executes dropped EXE
PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\blossloms\fracturesl.exe
Filesize
1.5MB

MD5
e1f215f7b53277de8efeb6d88b144aad

SHA1
e92654ace0eb71664c1698f2e04b599e2d7f5b22

SHA256
2c80651ce58b0e446ee9047ff06a77f1d6a1c727e937981a7c635ab2e078e2b3

SHA512
e544d2afba86788b930715e096f3441313ef079d75ea2503487b1ee52668d5c28c79c66b5ebf95cf4730549a090c6990bcbeca28035b42442efd65d0cd125498

Download Submit
C:\Users\Admin\AppData\Local\blossloms\fracturesl.exe
Filesize
1.5MB

MD5
e1f215f7b53277de8efeb6d88b144aad

SHA1
e92654ace0eb71664c1698f2e04b599e2d7f5b22

SHA256
2c80651ce58b0e446ee9047ff06a77f1d6a1c727e937981a7c635ab2e078e2b3

SHA512
e544d2afba86788b930715e096f3441313ef079d75ea2503487b1ee52668d5c28c79c66b5ebf95cf4730549a090c6990bcbeca28035b42442efd65d0cd125498

Download Submit
C:\Users\Admin\AppData\Roaming\7654liulanqi\7654liulanqitips\7654llqtips.exe
Filesize
2.4MB

MD5
0ec9bddf2ae990fcb715eaf4d4b94777

SHA1
127fc97bee3c38b778e8abb118925b51089a3978

SHA256
6d758a450dcbf2271b56ab16a2d4514b47121f952e8569386ee5afba2c5fbc52

SHA512
82f934d62de1a4f58f8c64a0857669b90e5387bfcf95c0c9215361a36f687cafafca68b9f7ed057fd88c3ef841794b3642acfdee2ccecb59f365109e83686517

Download Submit
C:\Users\Admin\AppData\Roaming\Roaming\7654llq\7654llqpb\7654pb.exe
Filesize
7.0MB

MD5
8fd9024f9c9aeb150b7256f7486b1657

SHA1
b5310c2a8a218327a7f91c68e15c5b46281c83ca

SHA256
4a0e22b131715602122232ac4061d1e03bb283a78225e9fe5aed9a699cb7df85

SHA512
b276535c47202906fc2e1a3b3ae342960a0c8178996a0688fd5d23e88c04140ed80f14bfd6850fb386ee1b086744ac33b1ebbba26d85953e17db885eac0e30bc

Download Submit
C:\Users\Admin\AppData\Roaming\Roaming\7654llq\7654llqpb\7654pb.exe
Filesize
7.0MB

MD5
8fd9024f9c9aeb150b7256f7486b1657

SHA1
b5310c2a8a218327a7f91c68e15c5b46281c83ca

SHA256
4a0e22b131715602122232ac4061d1e03bb283a78225e9fe5aed9a699cb7df85

SHA512
b276535c47202906fc2e1a3b3ae342960a0c8178996a0688fd5d23e88c04140ed80f14bfd6850fb386ee1b086744ac33b1ebbba26d85953e17db885eac0e30bc

Download Submit
\Users\Admin\AppData\Local\blossloms\fracturesl.exe
Filesize
1.5MB

MD5
e1f215f7b53277de8efeb6d88b144aad

SHA1
e92654ace0eb71664c1698f2e04b599e2d7f5b22

SHA256
2c80651ce58b0e446ee9047ff06a77f1d6a1c727e937981a7c635ab2e078e2b3

SHA512
e544d2afba86788b930715e096f3441313ef079d75ea2503487b1ee52668d5c28c79c66b5ebf95cf4730549a090c6990bcbeca28035b42442efd65d0cd125498

Download Submit
\Users\Admin\AppData\Roaming\7654liulanqi\7654liulanqitips\7654llqtips.exe
Filesize
2.4MB

MD5
0ec9bddf2ae990fcb715eaf4d4b94777

SHA1
127fc97bee3c38b778e8abb118925b51089a3978

SHA256
6d758a450dcbf2271b56ab16a2d4514b47121f952e8569386ee5afba2c5fbc52

SHA512
82f934d62de1a4f58f8c64a0857669b90e5387bfcf95c0c9215361a36f687cafafca68b9f7ed057fd88c3ef841794b3642acfdee2ccecb59f365109e83686517

Download Submit
\Users\Admin\AppData\Roaming\Roaming\7654llq\7654llqpb\7654pb.exe
Filesize
7.0MB

MD5
8fd9024f9c9aeb150b7256f7486b1657

SHA1
b5310c2a8a218327a7f91c68e15c5b46281c83ca

SHA256
4a0e22b131715602122232ac4061d1e03bb283a78225e9fe5aed9a699cb7df85

SHA512
b276535c47202906fc2e1a3b3ae342960a0c8178996a0688fd5d23e88c04140ed80f14bfd6850fb386ee1b086744ac33b1ebbba26d85953e17db885eac0e30bc

Download Submit
memory/508-67-0x0000000000000000-mapping.dmp

Download
memory/508-71-0x0000000010000000-0x0000000010102000-memory.dmp

Filesize
1.0MB

Download
memory/824-75-0x0000000000000000-mapping.dmp

Download
memory/1004-82-0x0000000000390000-0x00000000005E7000-memory.dmp

Filesize
2.3MB

Download
memory/1004-84-0x0000000000000000-mapping.dmp

Download
memory/1004-86-0x0000000010000000-0x0000000010260000-memory.dmp

Filesize
2.4MB

Download
memory/1004-89-0x0000000000390000-0x00000000005E7000-memory.dmp

Filesize
2.3MB

Download
memory/1944-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1944-60-0x0000000003350000-0x000000000355C000-memory.dmp

Filesize
2.0MB

Download
memory/1944-55-0x0000000010000000-0x0000000010198000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads