888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704

General

Target

888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
Size

1.5MB
MD5

d06994d9a3382a107e18b6d3e7ec9e5a
SHA1

d3d8485f3b38c1f4618268aafe536ec55f973b1e
SHA256

888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704
SHA512

e6895e662bd51754783dd37dcd02524b1b603392953bfde984e86ee8e8a731f7940de6d7746616751d3595c854a9c53d60ffe784acf48764624074c6c1b0703a

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exeBugreport-524770.dll

pid process

4500 888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
4820 Bugreport-524770.dll

pid	process
4500	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
4820	Bugreport-524770.dll

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2912-130-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-131-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-132-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-134-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-136-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-138-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-140-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-142-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-144-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-146-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-154-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-158-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-160-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-162-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-164-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-166-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-168-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-170-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-172-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2912-173-0x00000000045F0000-0x0000000004662000-memory.dmp	upx
behavioral2/memory/2912-174-0x00000000045F0000-0x0000000004662000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe	upx
behavioral2/memory/4500-180-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4500-179-0x0000000010000000-0x000000001003F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe	upx
behavioral2/memory/4500-182-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4500-177-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4500-184-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4500-186-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4500-188-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4500-190-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4500-192-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4500-194-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4500-196-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4500-222-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/4500-223-0x0000000002570000-0x00000000025E2000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe

description ioc process

File opened for modification \??\PhysicalDrive0 888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe = "11001"	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe = "1"	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\International\CpMRU	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe

pid	process
2912	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
2912	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
4500	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
4500	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe

Suspicious behavior: RenamesItself 2 IoCs

Processes:

888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe

pid	process
2912	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
2912	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exeBugreport-524770.dll

pid	process
2912	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
2912	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
2912	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
4500	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
4500	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
4500	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
4500	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
4500	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
4500	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
4820	Bugreport-524770.dll

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe

description	pid	process	target process
PID 2912 wrote to memory of 4500	2912	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
PID 2912 wrote to memory of 4500	2912	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
PID 2912 wrote to memory of 4500	2912	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
PID 4500 wrote to memory of 4820	4500	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe	Bugreport-524770.dll
PID 4500 wrote to memory of 4820	4500	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe	Bugreport-524770.dll
PID 4500 wrote to memory of 4820	4500	888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe	Bugreport-524770.dll

C:\Users\Admin\AppData\Local\Temp\888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
"C:\Users\Admin\AppData\Local\Temp\888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe"
1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
"C:\Users\Admin\AppData\Local\Temp\888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe" ÃüÁîÆô¶¯
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524770.dll
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524770.dll Bugreport %E8%BD%AC%E5%8F%91%E9%87%8D%20
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
Filesize
1.2MB

MD5
08aa8cac57157ae59c0665c6e0f7b33c

SHA1
b727d630d6ecb05c6ec83b37778363711ba08b6f

SHA256
e5d2164a279e4ae38c8e70b0396b70ba7fc2a1e4c4468e4de58cfaa99f6324bf

SHA512
b42928b16cd246a8dc976c96d55aab37a609019366b3e595164bcc9ae9e66d5f86420872a85c8881f83e610f29697fc83c7d3038b55462e5f3dc3f111b39007e

Download Submit
C:\Users\Admin\AppData\Local\Temp\888e0940fba3c3c8a3d85d1b9bc21583ee01d8b2879d88b2a5596a22f4c20704.exe
Filesize
1.2MB

MD5
08aa8cac57157ae59c0665c6e0f7b33c

SHA1
b727d630d6ecb05c6ec83b37778363711ba08b6f

SHA256
e5d2164a279e4ae38c8e70b0396b70ba7fc2a1e4c4468e4de58cfaa99f6324bf

SHA512
b42928b16cd246a8dc976c96d55aab37a609019366b3e595164bcc9ae9e66d5f86420872a85c8881f83e610f29697fc83c7d3038b55462e5f3dc3f111b39007e

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524770.dll
Filesize
164KB

MD5
c433f6f01f9bfb2a07fd468e377a02f0

SHA1
68518d44ddf9ed2370b653b1c0535df04b8de3cd

SHA256
f2c1cb41a6f9024ecc38ef1bbe7b620f2dc536e55725539c0d00e69310bc7e5d

SHA512
c35891d3fbb5a19f1476feb96ee7cd49137a75a18c0e31eb315fc5c8b0d46eac4d99f79efff6c61a75da6e7be42e320678211187f0df5f312c0476e3666d860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524770.dll
Filesize
164KB

MD5
c433f6f01f9bfb2a07fd468e377a02f0

SHA1
68518d44ddf9ed2370b653b1c0535df04b8de3cd

SHA256
f2c1cb41a6f9024ecc38ef1bbe7b620f2dc536e55725539c0d00e69310bc7e5d

SHA512
c35891d3fbb5a19f1476feb96ee7cd49137a75a18c0e31eb315fc5c8b0d46eac4d99f79efff6c61a75da6e7be42e320678211187f0df5f312c0476e3666d860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini
Filesize
81B

MD5
5f8a942e0def071f989fd2d5f71e37a8

SHA1
e51b59e16a330c14fe57e77ef5517ce0cd0560a0

SHA256
87d769a1b722cb544ff72195e72801a4fc1f25262f0977532876d40723be35df

SHA512
d1dccbefb7b3c5b0484a3733a56837ca7f664b0ce457f7b8b766756e9046b7fe5b526eaba5e6791da75eef20e7701cfb347031dbba1aaa313af279146bf47e9e

Download Submit
memory/2912-172-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-138-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-142-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-144-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-146-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-154-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-158-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-160-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-162-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-164-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-166-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-168-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-170-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-130-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-173-0x00000000045F0000-0x0000000004662000-memory.dmp

Filesize
456KB

Download
memory/2912-174-0x00000000045F0000-0x0000000004662000-memory.dmp

Filesize
456KB

Download
memory/2912-131-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-140-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-132-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-134-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2912-136-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4500-196-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4500-192-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4500-184-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4500-186-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4500-182-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4500-190-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4500-177-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4500-194-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4500-188-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4500-222-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4500-223-0x0000000002570000-0x00000000025E2000-memory.dmp

Filesize
456KB

Download
memory/4500-179-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4500-175-0x0000000000000000-mapping.dmp

Download
memory/4500-180-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4820-224-0x0000000000000000-mapping.dmp

Download
memory/4820-228-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads