0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c

Analysis

max time kernel
190s
max time network
228s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe
Size

748KB
MD5

c6f237f5dc01f8799976986285f64a6f
SHA1

b05d6cdd25bb4878b947096a43342c564ec5cd98
SHA256

0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c
SHA512

82558951013b0561d557a4102ee21cd3e3fbadea3fbc7b6c0c74b4e1c75ce306f7679477dc682f50f365fef33e8ffcc80d5c74d42127b87e592f99b9e789f3b4
SSDEEP

12288:QK4SzOnd/1KReU744mkKIGldg8q3tQKdAAMwAG68hZyl+DjmLsz6KTfNoVS+EVGf:Mm4QLjv0dgTdQFAMwX68hZ8+DjmLg6iS

Score

9^/10

bootkit persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000022df1-133.dat	acprotect
behavioral2/files/0x0007000000022df1-136.dat	acprotect
behavioral2/files/0x0007000000022df1-139.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
3720	0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe
3364	rundll32.exe
3868	0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84
PID 3364 set thread context of 3868	3364	rundll32.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2400	3868	WerFault.exe	84

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 3364	3720	0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe	83
PID 3720 wrote to memory of 3364	3720	0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe	83
PID 3720 wrote to memory of 3364	3720	0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe	83
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84
PID 3364 wrote to memory of 3868	3364	rundll32.exe	84

C:\Users\Admin\AppData\Local\Temp\0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe
"C:\Users\Admin\AppData\Local\Temp\0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\V22007~1.EPE,EncryptPE_Init2
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Users\Admin\AppData\Local\Temp\0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe
    C:\Users\Admin\AppData\Local\Temp\0d78a022196c705bb56cb2524a61074259ba59ae2fb1a0b9ad6629c49221cd9c.exe
    3⤵
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    PID:3868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 732
      4⤵
      Program crash
      PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3868 -ip 3868
1⤵
PID:4508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\V220071201.EPE

Filesize
489KB

MD5
b53f01dd944cd2a25eeee3cb8bc22355

SHA1
5489b92bab9c50d62f6042fbc50b25700a3c8137

SHA256
2e8d7ac98b4abaaddbe6bd3a66916e4ea8a87f5ce5615a6d13ee4f5c0c4cc3e8

SHA512
f4f9c5459e54c073a6042e4bab5a3c9e3d098989203c3021591f30f5a37f80eb77929b7881c18f1a69608500b3cab0822c79ddc6f77b1b16301131c3e41bb894

Download Submit
C:\Users\Admin\AppData\Local\Temp\V220071201.EPE

Filesize
489KB

MD5
b53f01dd944cd2a25eeee3cb8bc22355

SHA1
5489b92bab9c50d62f6042fbc50b25700a3c8137

SHA256
2e8d7ac98b4abaaddbe6bd3a66916e4ea8a87f5ce5615a6d13ee4f5c0c4cc3e8

SHA512
f4f9c5459e54c073a6042e4bab5a3c9e3d098989203c3021591f30f5a37f80eb77929b7881c18f1a69608500b3cab0822c79ddc6f77b1b16301131c3e41bb894

Download Submit
C:\Users\Admin\AppData\Local\Temp\V220071201.EPE

Filesize
489KB

MD5
b53f01dd944cd2a25eeee3cb8bc22355

SHA1
5489b92bab9c50d62f6042fbc50b25700a3c8137

SHA256
2e8d7ac98b4abaaddbe6bd3a66916e4ea8a87f5ce5615a6d13ee4f5c0c4cc3e8

SHA512
f4f9c5459e54c073a6042e4bab5a3c9e3d098989203c3021591f30f5a37f80eb77929b7881c18f1a69608500b3cab0822c79ddc6f77b1b16301131c3e41bb894

Download Submit
memory/3364-151-0x0000000071120000-0x0000000071267000-memory.dmp

Filesize
1.3MB

Download
memory/3364-138-0x0000000071120000-0x0000000071267000-memory.dmp

Filesize
1.3MB

Download
memory/3720-132-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3720-135-0x0000000071120000-0x0000000071267000-memory.dmp

Filesize
1.3MB

Download
memory/3720-140-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3720-142-0x0000000071120000-0x0000000071267000-memory.dmp

Filesize
1.3MB

Download
memory/3868-141-0x00000000711F52DC-0x00000000711FC68C-memory.dmp

Filesize
28KB

Download
memory/3868-144-0x00000000021C8000-0x00000000021CC000-memory.dmp

Filesize
16KB

Download
memory/3868-145-0x000000000052D781-0x000000000052D973-memory.dmp

Filesize
498B

Download
memory/3868-146-0x000000000052D781-0x000000000052D973-memory.dmp

Filesize
498B

Download
memory/3868-147-0x0000000071120000-0x0000000071267000-memory.dmp

Filesize
1.3MB

Download
memory/3868-148-0x00000000712098E4-0x000000007120B7F0-memory.dmp

Filesize
7KB

Download
memory/3868-150-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/3868-152-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3868-153-0x0000000071120000-0x0000000071267000-memory.dmp

Filesize
1.3MB

Download
memory/3868-154-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download