1223e1c72603b1b9faaa8a1ef5379626494a94884f8492e5cc710769b7801293

Analysis

max time kernel
266s
max time network
348s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbwmdjs_dtf.exe
Size

2.4MB
MD5

6513311f73feccd7f1b6475c17e5b531
SHA1

7427ab5cba88979baaf42867828623a97e902455
SHA256

de7c6857fecc81141b3aa01fd9a3f30e0ad63c8352a4265688fa1d74817fffba
SHA512

23f6406e5f8d346e6938bf7f2a8e0f9b910071b5f9d44e1fa5a42787820322f4fa62c15d7a259941671754ba1c1a49b5ad79379419bc8d7943a9bb4ddef2bd99
SSDEEP

49152:Ueixv5gjv451U21sZCg1ch16FRU1EzXIWWCG/RMj:cF2jv47UQoe+RUWbIHCG/R4

Score

9^/10

bootkit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b00000001233d-55.dat	acprotect

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b00000001233d-55.dat	upx
behavioral1/memory/1220-56-0x0000000010000000-0x0000000010059000-memory.dmp	upx
behavioral1/memory/1220-57-0x0000000010000000-0x0000000010059000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1220	dbwmdjs_dtf.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	dbwmdjs_dtf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe
Token: 33	1220	dbwmdjs_dtf.exe
Token: SeIncBasePriorityPrivilege	1220	dbwmdjs_dtf.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1220	dbwmdjs_dtf.exe
1220	dbwmdjs_dtf.exe
1220	dbwmdjs_dtf.exe

C:\Users\Admin\AppData\Local\Temp\dbwmdjs_dtf.exe
"C:\Users\Admin\AppData\Local\Temp\dbwmdjs_dtf.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AntiVC.dll

Filesize
54KB

MD5
0420f862d69bb050bb25fabebfbb8edb

SHA1
897d1843f247a4820bff176f151d5a08203afcb1

SHA256
d1632d3224740e37d4c243b6be8ecf5d5a7ccb41dff3f1f9886e36cbd2104a13

SHA512
b0f86ee3cf82e32e138a8e1da79a0596da6f179bbb9c3e6673d57766860085d776ee2c34d4107cbac0bd569f9f5d30ba24c8f19d4b146ea8b8b889e782a3631d

Download Submit
memory/1220-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1220-56-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1220-57-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download