9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c

General

Target

9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
Size

1.4MB
MD5

ae2b4316622770a885d6b35bc868a630
SHA1

aee31066081ae58b3b335490e87be87b1a40be07
SHA256

9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c
SHA512

2e28696fd1c449c074701b1484e077b62d3c20242901ba144186b423eabce0d162da5ba787fb7ffa2874edd77295ca1e3267d807d08dcc66477e9031d5ea6d10

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exeBugreport-328156.dll

pid process

3888 9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
3684 Bugreport-328156.dll

pid	process
3888	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
3684	Bugreport-328156.dll

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5072-130-0x0000000004430000-0x00000000044A2000-memory.dmp	upx
behavioral2/memory/5072-131-0x0000000004430000-0x00000000044A2000-memory.dmp	upx
behavioral2/memory/5072-132-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-133-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-136-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-134-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-138-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-140-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-142-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-144-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-146-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-154-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-158-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-160-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-162-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-164-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-166-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-168-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-170-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-172-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/5072-174-0x0000000010000000-0x000000001003E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe	upx
behavioral2/memory/3888-177-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3888-179-0x0000000010000000-0x000000001003F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe	upx
behavioral2/memory/3888-180-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3888-182-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3888-184-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3888-186-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3888-188-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3888-190-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3888-192-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3888-194-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3888-196-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3888-222-0x00000000025A0000-0x0000000002612000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe

description ioc process

File opened for modification \??\PhysicalDrive0 9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe = "11001"	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe = "1"	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\International\CpMRU	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe

pid	process
5072	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
5072	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
3888	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
3888	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe

Suspicious behavior: RenamesItself 2 IoCs

Processes:

9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe

pid	process
5072	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
5072	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exeBugreport-328156.dll

pid	process
5072	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
5072	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
5072	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
3888	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
3888	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
3888	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
3888	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
3888	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
3888	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
3684	Bugreport-328156.dll

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe

description	pid	process	target process
PID 5072 wrote to memory of 3888	5072	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
PID 5072 wrote to memory of 3888	5072	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
PID 5072 wrote to memory of 3888	5072	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
PID 3888 wrote to memory of 3684	3888	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe	Bugreport-328156.dll
PID 3888 wrote to memory of 3684	3888	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe	Bugreport-328156.dll
PID 3888 wrote to memory of 3684	3888	9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe	Bugreport-328156.dll

C:\Users\Admin\AppData\Local\Temp\9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
"C:\Users\Admin\AppData\Local\Temp\9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe"
1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5072

C:\Users\Admin\AppData\Local\Temp\9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
"C:\Users\Admin\AppData\Local\Temp\9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe" ÃüÁîÆô¶¯
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-328156.dll
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-328156.dll Bugreport %E9%AA%8C%E8%AF%81%E6%B6%88%20
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
Filesize
1.2MB

MD5
ad1bcf38040144b16cd7092488e11c3f

SHA1
24bc7adab481e64065708c6002ade073f996dc1e

SHA256
eb2987be24216bec63b0a22e642049be4ff26916a447997de15ae0b6c2838e9c

SHA512
77a529ee09ad0f9996d2da05fac084b8c519896734e63aa03fdc548338f362c38aa37c87a890a5fc777c8b32c3c17d3939d8c224ab6aa72fd4e72e083e067f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c22f3a6eebaeefbca837db841da8b22a6220881aa0896a8d9a9c84ab10e4c3c.exe
Filesize
1.2MB

MD5
ad1bcf38040144b16cd7092488e11c3f

SHA1
24bc7adab481e64065708c6002ade073f996dc1e

SHA256
eb2987be24216bec63b0a22e642049be4ff26916a447997de15ae0b6c2838e9c

SHA512
77a529ee09ad0f9996d2da05fac084b8c519896734e63aa03fdc548338f362c38aa37c87a890a5fc777c8b32c3c17d3939d8c224ab6aa72fd4e72e083e067f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-328156.dll
Filesize
164KB

MD5
f66b5788096c02d0502cb74585014186

SHA1
4683670fcabf071efd19e41bea13aa0c5843574e

SHA256
c5dc5ea0a09125d602deff6eed9dc983afc4d7554443cbf29ed6981d4e92d428

SHA512
733c39bc34fe6d65a22db9889e4acbebfb47adb07823f65d862ef2934ce02a6e650d2bcdaf0a05924ae342d43bb45f9e9a95ff14a7e1f48708bd6d0a074429ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-328156.dll
Filesize
164KB

MD5
f66b5788096c02d0502cb74585014186

SHA1
4683670fcabf071efd19e41bea13aa0c5843574e

SHA256
c5dc5ea0a09125d602deff6eed9dc983afc4d7554443cbf29ed6981d4e92d428

SHA512
733c39bc34fe6d65a22db9889e4acbebfb47adb07823f65d862ef2934ce02a6e650d2bcdaf0a05924ae342d43bb45f9e9a95ff14a7e1f48708bd6d0a074429ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini
Filesize
81B

MD5
373c1622de62990f9f9b25563f2f18a3

SHA1
cc355a5ad3617a2039f446fdab62c0b5fbdefae6

SHA256
d958546e7507e9bf0386af83e0c882f20e37081b5a941b544b457e02321cfa0f

SHA512
68f3cceb7c25f62ea74b7fcf311ccbcda3d6b6a04380f9d2a33bf6a23c0938f99bddbc606fae834576f3982b621d58f4c918e45b9b584a7970d7ed38165ce4a8

Download Submit
memory/3684-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3684-223-0x0000000000000000-mapping.dmp

Download
memory/3888-190-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3888-194-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3888-192-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3888-175-0x0000000000000000-mapping.dmp

Download
memory/3888-188-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3888-186-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3888-184-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3888-182-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3888-180-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3888-196-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3888-179-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3888-177-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3888-222-0x00000000025A0000-0x0000000002612000-memory.dmp

Filesize
456KB

Download
memory/5072-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-170-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-172-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-174-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-166-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-164-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-162-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-160-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-158-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-154-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-168-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-130-0x0000000004430000-0x00000000044A2000-memory.dmp

Filesize
456KB

Download
memory/5072-146-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-144-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-142-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-140-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-138-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-134-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-136-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-133-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-132-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5072-131-0x0000000004430000-0x00000000044A2000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads