c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a

General

Target

c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe
Size

14.7MB
MD5

514cf70b8c755ebdc5827d196ec24e2a
SHA1

10d8eefe53c348966e84064429328389ad051fae
SHA256

c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a
SHA512

ba7dfeda6900e9af3dfdb12c5331069de5f7897f7752028671d7ef93e20b66bcd3c7d812b0679cfcdf443062ddf91cb1f0e450aa35c4bf03c8c628d59ce2d3f8
SSDEEP

393216:MsuK9sTjOt8phu8NUxXbFbaWpbciOk1EA2i+0D:v9cOt8G8Wv3pbJWA

Score

8^/10

bootkit persistence upx vmprotect

Malware Config

Signatures

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1728-84-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-86-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-85-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-88-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-90-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-92-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-94-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-96-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-98-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-100-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-102-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-104-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-106-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-108-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-110-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-112-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-114-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-118-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-116-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-120-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-122-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-127-0x00000000042F0000-0x000000000432E000-memory.dmp	upx
behavioral1/memory/1728-149-0x00000000042F0000-0x000000000432E000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1728-55-0x0000000000400000-0x000000000216D000-memory.dmp	vmprotect
behavioral1/memory/1728-56-0x0000000000400000-0x000000000216D000-memory.dmp	vmprotect
behavioral1/memory/1728-58-0x0000000000400000-0x000000000216D000-memory.dmp	vmprotect
behavioral1/memory/1728-148-0x0000000000400000-0x000000000216D000-memory.dmp	vmprotect

Loads dropped DLL 1 IoCs

Processes:

c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe

pid process

1728 c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe

description ioc process

File opened for modification \??\PhysicalDrive0 c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe

pid	process
1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe
1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe

description	pid	process	target process
PID 1728 set thread context of 296	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 set thread context of 852	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

calc.execalc.exec553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.2345.com/?28879"	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.2345.com/?28879"	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.2345.com/?28879"	calc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.2345.com/?28879"	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.2345.com/?28879"	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.2345.com/?28879"	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	calc.exe

Modifies Internet Explorer start page 1 TTPs 3 IoCs

stealer

Modify Registry

T1112

Processes:

c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.execalc.execalc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?28879"	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?28879"	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?28879"	calc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe

pid	process
1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe
1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe
1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe

description pid process

Token: SeDebugPrivilege 1728 c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe

description	pid	process
Token: SeDebugPrivilege	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.execalc.execalc.exe

pid	process
1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe
1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe
296	calc.exe
296	calc.exe
1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe
852	calc.exe
852	calc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe

description	pid	process	target process
PID 1728 wrote to memory of 296	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 296	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 296	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 296	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 296	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 296	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 296	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 296	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 296	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 296	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 296	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 852	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 852	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 852	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 852	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 852	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 852	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 852	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 852	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 852	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 852	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe
PID 1728 wrote to memory of 852	1728	c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe	calc.exe

C:\Users\Admin\AppData\Local\Temp\c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe
"C:\Users\Admin\AppData\Local\Temp\c553310e8bda393daa50abdf8bf4aa456c2e7ba309fd86888ba07463824f5d0a.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\calc.exe
calc.exe
2⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
PID:296

C:\Windows\SysWOW64\calc.exe
calc.exe
2⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\lazycommon.dll
Filesize
676KB

MD5
033d1db88147b6dab9a1795027a87e74

SHA1
f6e9f5e82af3e9546711d42aab705a494e851d44

SHA256
a85b830cec14449763cc174d600324372798f2bb8c5276546419cc6b2563db1c

SHA512
7689fc5812fc89e27f5691259c15e4109b3ecfd1933393e1d9ce2d63acc37149aa4cf6124c353b62b39352162e9509d7b49caeaabc1618c8e495a14cef095e33

Download Submit
memory/296-77-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/296-82-0x0000000000401000-0x0000000000466000-memory.dmp

Filesize
404KB

Download
memory/296-59-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/296-60-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/296-62-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/296-65-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/296-68-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/296-71-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/296-73-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/296-75-0x000000000049C290-mapping.dmp

Download
memory/852-144-0x000000000049C290-mapping.dmp

Download
memory/1728-90-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-100-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-80-0x0000000010000000-0x00000000100AA000-memory.dmp

Filesize
680KB

Download
memory/1728-81-0x0000000004030000-0x00000000040B3000-memory.dmp

Filesize
524KB

Download
memory/1728-56-0x0000000000400000-0x000000000216D000-memory.dmp

Filesize
29.4MB

Download
memory/1728-83-0x0000000010000000-0x00000000100AA000-memory.dmp

Filesize
680KB

Download
memory/1728-84-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-86-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-85-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-88-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1728-92-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-94-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-96-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-98-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-58-0x0000000000400000-0x000000000216D000-memory.dmp

Filesize
29.4MB

Download
memory/1728-102-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-104-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-106-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-108-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-110-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-112-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-114-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-118-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-116-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-120-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-122-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-127-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-55-0x0000000000400000-0x000000000216D000-memory.dmp

Filesize
29.4MB

Download
memory/1728-148-0x0000000000400000-0x000000000216D000-memory.dmp

Filesize
29.4MB

Download
memory/1728-149-0x00000000042F0000-0x000000000432E000-memory.dmp

Filesize
248KB

Download
memory/1728-150-0x0000000010000000-0x00000000100AA000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads