98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38

Analysis

max time kernel
35s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe
Size

2.9MB
MD5

b710eab109e1b61849733f251d99cd06
SHA1

b7278d18077cd698735ab82731d98909b3d7ab49
SHA256

98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38
SHA512

24c8235d000f52911d2695e1d68b205383320e9ec64ac11d4de46db20bbfd04d3e7532fab147b434468adff61db030c36c9944177ac816dde02f5532eb28a446
SSDEEP

49152:I7ElwOPT5lG4p6Y8Xagfv75FHEJIWL4rg+1IeAx7WayrHpkgCaWzi:mY75lG4p6dJv75FHEJIhfIeygH

Score

9^/10

bootkit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jedata.dll	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jedata.dll	upx
behavioral1/memory/1928-58-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe

pid	process
1928	98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe
1928	98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe
1928	98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe

description ioc process

File opened for modification \??\PhysicalDrive0 98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe

Drops file in System32 directory 2 IoCs

Processes:

98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ESPI11.dll	98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe
File opened for modification	C:\Windows\SysWOW64\ESPI11.dll	98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe

pid	process
1928	98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe
1928	98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe
1928	98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe

C:\Users\Admin\AppData\Local\Temp\98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe
"C:\Users\Admin\AppData\Local\Temp\98dc684d94ccbe39cb9f147a4ae617ad44d058991e90dc1fa256b9a0d4907c38.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ESPI11.dll

Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
\Users\Admin\AppData\Local\Temp\jedata.dll

Filesize
86KB

MD5
114054313070472cd1a6d7d28f7c5002

SHA1
9a044986e6101df1a126035da7326a50c3fe9a23

SHA256
e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1

SHA512
a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

Download Submit
\Windows\SysWOW64\ESPI11.dll

Filesize
120KB

MD5
b4c2caaa15d4e505ad2858ab15eafb58

SHA1
a1c30a4d016f1c6bd3bf50e36767af8af166d59b

SHA256
93e03eadd330242f2394c15cd32857194e5b80f6300835ef77f8558ca70a2ef1

SHA512
09b5903a579685522a521cec3b6026ab0d7b9cff3099f032254dbd2b48fbbdd9a7411c0765049784c64f520d41916e681cae206a736b4fab1868f449e84b4bf2

Download Submit
memory/1928-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1928-57-0x0000000000790000-0x00000000007B1000-memory.dmp

Filesize
132KB

Download
memory/1928-58-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download