57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417

General

Target

57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
Size

1.1MB
MD5

e22f5c3e65784a5cab601d04ac66108a
SHA1

e0d37a1d88520bf478e2799a04b119f83f53650f
SHA256

57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417
SHA512

08977a8e85f306f31eac5a5dc45d2fe85f984c5f49c6866fe383d9ce86afba1dd837d7181f76d157893b7b1d89c9444a995de344984ede7141d9310003d03dee

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

pid process

4916 57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

pid	process
4916	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1540-130-0x0000000002660000-0x00000000026D2000-memory.dmp	upx
behavioral2/memory/1540-131-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-132-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-133-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-136-0x0000000002660000-0x00000000026D2000-memory.dmp	upx
behavioral2/memory/1540-135-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-138-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-140-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-142-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-144-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-146-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-154-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-158-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-160-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-162-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-164-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-166-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-168-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-170-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-172-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1540-174-0x0000000010000000-0x000000001003E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe	upx
behavioral2/memory/4916-177-0x00000000025F0000-0x0000000002662000-memory.dmp	upx
behavioral2/memory/4916-178-0x0000000010000000-0x000000001003E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe	upx
behavioral2/memory/4916-181-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4916-180-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4916-183-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4916-185-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4916-187-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4916-191-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4916-189-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4916-193-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4916-195-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4916-197-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4916-222-0x00000000025F0000-0x0000000002662000-memory.dmp	upx
behavioral2/memory/4916-223-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

description ioc process

File opened for modification \??\PhysicalDrive0 57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe = "11001"	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe = "1"	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

pid	process
1540	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
1540	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
4916	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
4916	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

Suspicious behavior: RenamesItself 2 IoCs

Processes:

57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

pid	process
1540	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
1540	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

pid	process
1540	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
1540	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
1540	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
4916	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
4916	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
4916	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
4916	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

description	pid	process	target process
PID 1540 wrote to memory of 4916	1540	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
PID 1540 wrote to memory of 4916	1540	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
PID 1540 wrote to memory of 4916	1540	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe	57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe

C:\Users\Admin\AppData\Local\Temp\57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
"C:\Users\Admin\AppData\Local\Temp\57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe"
1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
"C:\Users\Admin\AppData\Local\Temp\57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe" ÃüÁîÆô¶¯
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
Filesize
1.1MB

MD5
026d2b920336ec4bb6fcd8ec17da2772

SHA1
061c3a0d16a20e1232ac2c09f7742e2f23f83e52

SHA256
7f96c1cee0355fb1420e0fea31a020a44ce536cac056e475c28379c684f19332

SHA512
1beab515b8ac283583afd10b6711b4cb10a69681580eac5226848b25b31baf3fc800fb1b6871a7689ad21d44fb4be1ac6105d31662703e18568e0ee468123b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\57c5a1a41a3e366f43cef2b6d31b4970b92fc04b92b32489994a1abeeea77417.exe
Filesize
1.1MB

MD5
026d2b920336ec4bb6fcd8ec17da2772

SHA1
061c3a0d16a20e1232ac2c09f7742e2f23f83e52

SHA256
7f96c1cee0355fb1420e0fea31a020a44ce536cac056e475c28379c684f19332

SHA512
1beab515b8ac283583afd10b6711b4cb10a69681580eac5226848b25b31baf3fc800fb1b6871a7689ad21d44fb4be1ac6105d31662703e18568e0ee468123b5c

Download Submit
memory/1540-166-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-136-0x0000000002660000-0x00000000026D2000-memory.dmp

Filesize
456KB

Download
memory/1540-135-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-138-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-140-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-130-0x0000000002660000-0x00000000026D2000-memory.dmp

Filesize
456KB

Download
memory/1540-144-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-146-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-154-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-131-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-158-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-160-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-162-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-170-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-142-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-133-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-164-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-172-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-174-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-168-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1540-132-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4916-189-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4916-178-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4916-177-0x00000000025F0000-0x0000000002662000-memory.dmp

Filesize
456KB

Download
memory/4916-181-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4916-180-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4916-183-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4916-185-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4916-187-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4916-191-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4916-175-0x0000000000000000-mapping.dmp

Download
memory/4916-193-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4916-195-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4916-197-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4916-222-0x00000000025F0000-0x0000000002662000-memory.dmp

Filesize
456KB

Download
memory/4916-223-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads