81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f

General

Target

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
Size

1.3MB
MD5

0fadc09ff72014be0b6b54239226d438
SHA1

f21a0d5a67973ee2340f64c1bad7f84cf98911f2
SHA256

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f
SHA512

83283ba9cdc17255f6a6d6087ec7baa3133977c237bd188d733d3a18d29c2dc37540dd32baf0ebbe1453485b218a1c887fc92f693dddeaf33b217af870427171

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exeBugreport-393300.dll

pid process

2036 81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
4408 Bugreport-393300.dll

pid	process
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
4408	Bugreport-393300.dll

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1792-130-0x0000000002800000-0x0000000002872000-memory.dmp	upx
behavioral2/memory/1792-131-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-132-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-133-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-135-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-137-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-139-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-141-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-143-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-145-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-146-0x0000000002800000-0x0000000002872000-memory.dmp	upx
behavioral2/memory/1792-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-154-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-158-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-160-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-162-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-164-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-166-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-168-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-170-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-172-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1792-174-0x0000000010000000-0x000000001003E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	upx
behavioral2/memory/2036-177-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-180-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-179-0x0000000010000000-0x000000001003F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	upx
behavioral2/memory/2036-182-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-184-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-186-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-188-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-190-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-192-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-194-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-196-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-222-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2036-223-0x0000000002700000-0x0000000002772000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

description ioc process

File opened for modification \??\PhysicalDrive0 81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

pid	process
1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Suspicious behavior: RenamesItself 2 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

pid	process
1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exeBugreport-393300.dll

pid	process
1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
4408	Bugreport-393300.dll

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe

description	pid	process	target process
PID 1792 wrote to memory of 2036	1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
PID 1792 wrote to memory of 2036	1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
PID 1792 wrote to memory of 2036	1792	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
PID 2036 wrote to memory of 4408	2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	Bugreport-393300.dll
PID 2036 wrote to memory of 4408	2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	Bugreport-393300.dll
PID 2036 wrote to memory of 4408	2036	81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe	Bugreport-393300.dll

C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
"C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
"C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe" ÃüÁîÆô¶¯
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-393300.dll
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-393300.dll Bugreport %E8%AF%84%E8%AE%BA%E7%82%B9%20
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
Filesize
1.2MB

MD5
91d93485c9eda71042ae993a91235920

SHA1
b221362245697eb2725df006a69e26dcb23a03dd

SHA256
a47cce7ec0c279b63775d7ea8a490c64ef4ce3fc91035a629687b4a0a3d77f3e

SHA512
b51c3d2b75a78411867d02e927471e4ae481aae7f1c94083667d78066b5443432b6d52d3cd421873b8036f346643807020af9dbad15260a69c9b8687ffc85a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\81c452de78c83531b2ef905b6d15d12f796e02265f823151b29407d7e14a340f.exe
Filesize
1.2MB

MD5
91d93485c9eda71042ae993a91235920

SHA1
b221362245697eb2725df006a69e26dcb23a03dd

SHA256
a47cce7ec0c279b63775d7ea8a490c64ef4ce3fc91035a629687b4a0a3d77f3e

SHA512
b51c3d2b75a78411867d02e927471e4ae481aae7f1c94083667d78066b5443432b6d52d3cd421873b8036f346643807020af9dbad15260a69c9b8687ffc85a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-393300.dll
Filesize
164KB

MD5
4e6939c151b2c5924e84c9927edcdbd5

SHA1
34fc9b985b0a83a190cc1bee944f3d93fb4123cb

SHA256
6d57bf57eb05a5fbcc4b1fd47d25a55a2680a2f36a06fc39891707746a086f73

SHA512
7e19d703a397bf678ff3f90c40e6f9e858fb8cd791e00c08d27614ad3469856b13d71a6635fe70dba0616a3a14b5d06578ac0c1eac7b77c670bdf26a51459eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-393300.dll
Filesize
164KB

MD5
4e6939c151b2c5924e84c9927edcdbd5

SHA1
34fc9b985b0a83a190cc1bee944f3d93fb4123cb

SHA256
6d57bf57eb05a5fbcc4b1fd47d25a55a2680a2f36a06fc39891707746a086f73

SHA512
7e19d703a397bf678ff3f90c40e6f9e858fb8cd791e00c08d27614ad3469856b13d71a6635fe70dba0616a3a14b5d06578ac0c1eac7b77c670bdf26a51459eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini
Filesize
81B

MD5
40d17cdc5ceb49ee8c39fad3b716d0b7

SHA1
952746e3feae9b1333caba6ac506c3ff7659adbd

SHA256
72998704cdac2a9c660b0004a8a9c1ee3d742f927020d07b45bd8c2dbbcd9e19

SHA512
5523087e6f52c93970a06afc47d99ab86f50e6a6f5474905df2dc4f787c944b48a67cd62eb4ae7409e41e6821f766d1888b0e4380a3410581ce231244ec3f229

Download Submit
memory/1792-170-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-137-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-141-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-143-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-145-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-146-0x0000000002800000-0x0000000002872000-memory.dmp

Filesize
456KB

Download
memory/1792-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-154-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-158-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-160-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-162-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-164-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-166-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-168-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-130-0x0000000002800000-0x0000000002872000-memory.dmp

Filesize
456KB

Download
memory/1792-172-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-174-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-131-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-139-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-132-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-133-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1792-135-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2036-196-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-192-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-184-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-186-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-179-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-190-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-182-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-194-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-188-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-222-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-223-0x0000000002700000-0x0000000002772000-memory.dmp

Filesize
456KB

Download
memory/2036-175-0x0000000000000000-mapping.dmp

Download
memory/2036-180-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2036-177-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/4408-224-0x0000000000000000-mapping.dmp

Download
memory/4408-228-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads