81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f

General

Target

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
Size

1.3MB
MD5

0fadc09ff72014be0b6b54239226d438
SHA1

f21a0d5a67973ee2340f64c1bad7f84cf98911f2
SHA256

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f
SHA512

83283ba9cdc17255f6a6d6087ec7baa3133977c237bd188d733d3a18d29c2dc37540dd32baf0ebbe1453485b218a1c887fc92f693dddeaf33b217af870427171

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exeBugreport-459042.dll

pid process

1760 81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1404 Bugreport-459042.dll

pid	process
1760	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1404	Bugreport-459042.dll

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1376-55-0x00000000026C0000-0x0000000002732000-memory.dmp	upx
behavioral1/memory/1376-56-0x00000000026C0000-0x0000000002732000-memory.dmp	upx
behavioral1/memory/1376-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-83-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-99-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-95-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-93-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-91-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-89-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-87-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-85-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-81-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-79-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-77-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-75-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-73-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-71-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-69-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-58-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1376-100-0x0000000010000000-0x000000001003E000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	upx
C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	upx
behavioral1/memory/1760-108-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1760-122-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1760-120-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1760-118-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1760-116-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1760-114-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1760-112-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1760-110-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1760-107-0x0000000010000000-0x000000001003F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	upx
behavioral1/memory/1760-105-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1760-151-0x00000000024C0000-0x0000000002532000-memory.dmp	upx
behavioral1/memory/1760-150-0x0000000010000000-0x000000001003F000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

pid	process
1376	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1760	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1760	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

description ioc process

File opened for modification \??\PhysicalDrive0 81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

pid	process
1376	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1760	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Suspicious behavior: RenamesItself 2 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

pid	process
1376	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1376	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exeBugreport-459042.dll

pid	process
1376	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1376	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1376	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1760	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1760	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1760	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1760	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1760	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1760	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1404	Bugreport-459042.dll

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

description	pid	process	target process
PID 1376 wrote to memory of 1760	1376	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
PID 1376 wrote to memory of 1760	1376	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
PID 1376 wrote to memory of 1760	1376	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
PID 1376 wrote to memory of 1760	1376	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
PID 1760 wrote to memory of 1404	1760	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	Bugreport-459042.dll
PID 1760 wrote to memory of 1404	1760	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	Bugreport-459042.dll
PID 1760 wrote to memory of 1404	1760	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	Bugreport-459042.dll
PID 1760 wrote to memory of 1404	1760	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	Bugreport-459042.dll

C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
"C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
"C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe" ÃüÁîÆô¶¯
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-459042.dll
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-459042.dll Bugreport %E8%AF%84%E8%AE%BA%E7%82%B9%20
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
Filesize
1.2MB

MD5
da0974d6450fb67cd2d8d8730be50223

SHA1
cbf06544078b77229ad5d38bcb0af88abbe38424

SHA256
f4b6642af72a7a0ee5c2622caac393797d81e2fcfcfe8e6f7c487b5139787d42

SHA512
6af001748e3dcf6e7670ca95d0df298b270f36d488aa52619ea14373adb8278a463ac5e5e344cf7538aae581f389d52f55f8cd118d774a60500a5be6a91b4dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
Filesize
1.2MB

MD5
da0974d6450fb67cd2d8d8730be50223

SHA1
cbf06544078b77229ad5d38bcb0af88abbe38424

SHA256
f4b6642af72a7a0ee5c2622caac393797d81e2fcfcfe8e6f7c487b5139787d42

SHA512
6af001748e3dcf6e7670ca95d0df298b270f36d488aa52619ea14373adb8278a463ac5e5e344cf7538aae581f389d52f55f8cd118d774a60500a5be6a91b4dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-459042.dll
Filesize
164KB

MD5
0edd22ab675c05c749df2493a536f195

SHA1
e2d4d53225dee6c02154e190e0f0bbdb13fc6be4

SHA256
d788d10af977f5cbdf90918395d2737dc4da85fd3b5b09f0082962f6c497e636

SHA512
7deb116773d3996ee2c0cc3d38ecc9d8ef6fbca3aca681a47b884c562df4bdc0ad9fc9e587a27b590e4bc74e376671dd345b454d5d994ac652fd6f9b401853ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini
Filesize
81B

MD5
2fab0745ae9bbc98c31ebf4aa13ca1d6

SHA1
b29406f7c5c0368014c926eda6fc159a263eabc1

SHA256
39f5f591d291fdf77925a4f6f144a46bcf4c0c32abbb4cdcd295e0a766eafd97

SHA512
3eba2454d2b2732b6687123102b1334063f2355edb7812c532939101505c6d2814b2036b80cc176be9ae3f948ba217f195c8b4e14f732d850bf1e8e4cd64aa4c

Download Submit
\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
Filesize
1.2MB

MD5
da0974d6450fb67cd2d8d8730be50223

SHA1
cbf06544078b77229ad5d38bcb0af88abbe38424

SHA256
f4b6642af72a7a0ee5c2622caac393797d81e2fcfcfe8e6f7c487b5139787d42

SHA512
6af001748e3dcf6e7670ca95d0df298b270f36d488aa52619ea14373adb8278a463ac5e5e344cf7538aae581f389d52f55f8cd118d774a60500a5be6a91b4dfb

Download Submit
\Users\Admin\AppData\Local\Temp\data\Bugreport-459042.dll
Filesize
164KB

MD5
0edd22ab675c05c749df2493a536f195

SHA1
e2d4d53225dee6c02154e190e0f0bbdb13fc6be4

SHA256
d788d10af977f5cbdf90918395d2737dc4da85fd3b5b09f0082962f6c497e636

SHA512
7deb116773d3996ee2c0cc3d38ecc9d8ef6fbca3aca681a47b884c562df4bdc0ad9fc9e587a27b590e4bc74e376671dd345b454d5d994ac652fd6f9b401853ce

Download Submit
\Users\Admin\AppData\Local\Temp\data\Bugreport-459042.dll
Filesize
164KB

MD5
0edd22ab675c05c749df2493a536f195

SHA1
e2d4d53225dee6c02154e190e0f0bbdb13fc6be4

SHA256
d788d10af977f5cbdf90918395d2737dc4da85fd3b5b09f0082962f6c497e636

SHA512
7deb116773d3996ee2c0cc3d38ecc9d8ef6fbca3aca681a47b884c562df4bdc0ad9fc9e587a27b590e4bc74e376671dd345b454d5d994ac652fd6f9b401853ce

Download Submit
memory/1376-58-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-91-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-89-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-87-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-85-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-81-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-79-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-77-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-75-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-73-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-71-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-69-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-54-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/1376-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-100-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-95-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-93-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-55-0x00000000026C0000-0x0000000002732000-memory.dmp

Filesize
456KB

Download
memory/1376-56-0x00000000026C0000-0x0000000002732000-memory.dmp

Filesize
456KB

Download
memory/1376-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-83-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1376-99-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1404-158-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1404-154-0x0000000000000000-mapping.dmp

Download
memory/1760-102-0x0000000000000000-mapping.dmp

Download
memory/1760-107-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1760-116-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1760-105-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1760-114-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1760-151-0x00000000024C0000-0x0000000002532000-memory.dmp

Filesize
456KB

Download
memory/1760-150-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1760-118-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1760-110-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1760-120-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1760-112-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1760-122-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1760-108-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads