81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f

Analysis

max time kernel
90s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
Size

1.3MB
MD5

0fadc09ff72014be0b6b54239226d438
SHA1

f21a0d5a67973ee2340f64c1bad7f84cf98911f2
SHA256

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f
SHA512

83283ba9cdc17255f6a6d6087ec7baa3133977c237bd188d733d3a18d29c2dc37540dd32baf0ebbe1453485b218a1c887fc92f693dddeaf33b217af870427171

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exeBugreport-393300.dll

pid process

2036 81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
4408 Bugreport-393300.dll

pid	process
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
4408	Bugreport-393300.dll

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1792-130-0x0000000002800000-0x0000000002872000-memory.dmp	upx
behavioral2/memory/1792-131-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-132-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-133-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-135-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-137-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-139-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-141-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-143-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-145-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-146-0x0000000002800000-0x0000000002872000-memory.dmp	upx
behavioral2/memory/1792-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-154-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-158-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-160-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-162-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-164-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-166-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-168-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-170-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-172-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-174-0x0000000010000000-0x000000001003E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	upx
behavioral2/memory/2036-177-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-180-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-179-0x0000000010000000-0x000000001003F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	upx
behavioral2/memory/2036-182-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-184-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-186-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-188-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-190-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-192-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-194-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-196-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-222-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-223-0x0000000002700000-0x0000000002772000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

description ioc process

File opened for modification \??\PhysicalDrive0 81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

pid	process
1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Suspicious behavior: RenamesItself 2 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

pid	process
1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exeBugreport-393300.dll

pid	process
1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
4408	Bugreport-393300.dll

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

description	pid	process	target process
PID 1792 wrote to memory of 2036	1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
PID 1792 wrote to memory of 2036	1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
PID 1792 wrote to memory of 2036	1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
PID 2036 wrote to memory of 4408	2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	Bugreport-393300.dll
PID 2036 wrote to memory of 4408	2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	Bugreport-393300.dll
PID 2036 wrote to memory of 4408	2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	Bugreport-393300.dll

C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
"C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
  "C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe" ÃüÁîÆô¶¯
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\data\Bugreport-393300.dll
    C:\Users\Admin\AppData\Local\Temp\data\Bugreport-393300.dll Bugreport %E8%AF%84%E8%AE%BA%E7%82%B9%20
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Filesize
1.2MB

MD5
91d93485c9eda71042ae993a91235920

SHA1
b221362245697eb2725df006a69e26dcb23a03dd

SHA256
a47cce7ec0c279b63775d7ea8a490c64ef4ce3fc91035a629687b4a0a3d77f3e

SHA512
b51c3d2b75a78411867d02e927471e4ae481aae7f1c94083667d78066b5443432b6d52d3cd421873b8036f346643807020af9dbad15260a69c9b8687ffc85a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Filesize
1.2MB

MD5
91d93485c9eda71042ae993a91235920

SHA1
b221362245697eb2725df006a69e26dcb23a03dd

SHA256
a47cce7ec0c279b63775d7ea8a490c64ef4ce3fc91035a629687b4a0a3d77f3e

SHA512
b51c3d2b75a78411867d02e927471e4ae481aae7f1c94083667d78066b5443432b6d52d3cd421873b8036f346643807020af9dbad15260a69c9b8687ffc85a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-393300.dll

Filesize
164KB

MD5
4e6939c151b2c5924e84c9927edcdbd5

SHA1
34fc9b985b0a83a190cc1bee944f3d93fb4123cb

SHA256
6d57bf57eb05a5fbcc4b1fd47d25a55a2680a2f36a06fc39891707746a086f73

SHA512
7e19d703a397bf678ff3f90c40e6f9e858fb8cd791e00c08d27614ad3469856b13d71a6635fe70dba0616a3a14b5d06578ac0c1eac7b77c670bdf26a51459eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-393300.dll

Filesize
164KB

MD5
4e6939c151b2c5924e84c9927edcdbd5

SHA1
34fc9b985b0a83a190cc1bee944f3d93fb4123cb

SHA256
6d57bf57eb05a5fbcc4b1fd47d25a55a2680a2f36a06fc39891707746a086f73

SHA512
7e19d703a397bf678ff3f90c40e6f9e858fb8cd791e00c08d27614ad3469856b13d71a6635fe70dba0616a3a14b5d06578ac0c1eac7b77c670bdf26a51459eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini

Filesize
81B

MD5
40d17cdc5ceb49ee8c39fad3b716d0b7

SHA1
952746e3feae9b1333caba6ac506c3ff7659adbd

SHA256
72998704cdac2a9c660b0004a8a9c1ee3d742f927020d07b45bd8c2dbbcd9e19

SHA512
5523087e6f52c93970a06afc47d99ab86f50e6a6f5474905df2dc4f787c944b48a67cd62eb4ae7409e41e6821f766d1888b0e4380a3410581ce231244ec3f229

Download Submit
memory/1792-170-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-137-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-141-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-143-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-145-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-146-0x0000000002800000-0x0000000002872000-memory.dmp

Filesize
456KB

Download
memory/1792-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-154-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-158-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-160-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-162-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-164-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-166-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-168-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-130-0x0000000002800000-0x0000000002872000-memory.dmp

Filesize
456KB

Download
memory/1792-172-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-174-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-131-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-139-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-132-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-133-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-135-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2036-196-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-192-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-184-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-186-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-179-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-190-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-182-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-194-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-188-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-222-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-223-0x0000000002700000-0x0000000002772000-memory.dmp

Filesize
456KB

Download
memory/2036-175-0x0000000000000000-mapping.dmp

Download
memory/2036-180-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-177-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4408-224-0x0000000000000000-mapping.dmp

Download
memory/4408-228-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download