Overview

overview

8

Static

static

8

888e0940fb...04.exe

windows7_x64

8

888e0940fb...04.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    147s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 00:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe

  • Size

    1.5MB

  • MD5

    d06994d9a3382a107e18b6d3e7ec9e5a

  • SHA1

    d3d8485f3b38c1f4618268aafe536ec55f973b1e

  • SHA256

    888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704

  • SHA512

    e6895e662bd51754783dd37dcd02524b1b603392953bfde984e86ee8e8a731f7940de6d7746616751d3595c854a9c53d60ffe784acf48764624074c6c1b0703a

Score
8/10
bootkitpersistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
    "C:\Users\Admin\AppData\Local\Temp\888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\data\Bugreport.dll
      C:\Users\Admin\AppData\Local\Temp\data\Bugreport.dll Bugreport %E8%BD%AC%E5%8F%91%E9%87%8D%20
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\data\Bugreport.dll
    Filesize

    156KB

    MD5

    608f59eaed0cad21b19100535490969a

    SHA1

    dac5dbe7b66e815f9d3db495c0fbe23bc963f10e

    SHA256

    d28fe1e95ecb6cb263fb418c5bc6ace8e35ba0b8841a642463b094e46923e753

    SHA512

    da6a5d879a96b06c969f9964e568f657d082ac4d0986ea1d62024af81139f8ae23591608e83bae12a636acdecb307a6dcb2f45819f5a4ec483ae6083b2a06143

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini
    Filesize

    52B

    MD5

    0e7669aad8264a2a7db58860f4332e95

    SHA1

    d04c40a4b26048ffa1abba9e349500216cab57aa

    SHA256

    d3481440a0263b4d5d659ab60164d345b6326b1cebaf546a4d921f5e52004254

    SHA512

    c07292712d2246b7183332ec9ac4ea8a6205dcc0b744f180d31c417258a2cb22fbdaf0d44e0a35c6106ccb8f29efed2964d6a00212c029ffc9356ad23e51ee12

    Download Submit
  • \Users\Admin\AppData\Local\Temp\data\Bugreport.dll
    Filesize

    156KB

    MD5

    608f59eaed0cad21b19100535490969a

    SHA1

    dac5dbe7b66e815f9d3db495c0fbe23bc963f10e

    SHA256

    d28fe1e95ecb6cb263fb418c5bc6ace8e35ba0b8841a642463b094e46923e753

    SHA512

    da6a5d879a96b06c969f9964e568f657d082ac4d0986ea1d62024af81139f8ae23591608e83bae12a636acdecb307a6dcb2f45819f5a4ec483ae6083b2a06143

    Download Submit
  • \Users\Admin\AppData\Local\Temp\data\Bugreport.dll
    Filesize

    156KB

    MD5

    608f59eaed0cad21b19100535490969a

    SHA1

    dac5dbe7b66e815f9d3db495c0fbe23bc963f10e

    SHA256

    d28fe1e95ecb6cb263fb418c5bc6ace8e35ba0b8841a642463b094e46923e753

    SHA512

    da6a5d879a96b06c969f9964e568f657d082ac4d0986ea1d62024af81139f8ae23591608e83bae12a636acdecb307a6dcb2f45819f5a4ec483ae6083b2a06143

    Download Submit
  • memory/1672-54-0x00000000763C1000-0x00000000763C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1672-55-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1672-56-0x0000000002B20000-0x0000000002B92000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1672-63-0x0000000006CA0000-0x0000000006CD6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1940-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1940-62-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize

    216KB

    Download