64bccd69f3c8c37f199da2cf627fd4e98353c8d58cf54d1670014da5d2ab4032

General

Target

淘淘淘宝论坛抢沙发软件/淘淘淘宝论坛沙发机.exe
Size

1.8MB
MD5

b44f2dae79eeffee0174ffa8babb685b
SHA1

caf10a193736a58a79e68ea711f46757d85fa0aa
SHA256

e320c00f5262fb1cd211af8ae64fdfbb5bd9cc35f125554663f1221c7bcd191e
SHA512

3d93e4a23a636b600ef989a290c688cea6b252597b99629f130658a4370d1f8e90792c857cec2a122d38ea5c4706323e957190a244c9df9a70b63fe993a17b34
SSDEEP

49152:+TpDJZ0UnBFPDMHWJjtI6DjqdA+zUZZsL:+tJZ0UPPOyjtvqd9U

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2016-58-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-60-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-61-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-62-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-65-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-63-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-69-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-67-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-75-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-77-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-73-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-71-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-81-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-79-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-85-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-89-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-87-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-95-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-93-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-101-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-103-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-99-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-97-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-91-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-83-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-105-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	淘淘淘宝论坛沙发机.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2016	淘淘淘宝论坛沙发机.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2016	淘淘淘宝论坛沙发机.exe
2016	淘淘淘宝论坛沙发机.exe
2016	淘淘淘宝论坛沙发机.exe
2016	淘淘淘宝论坛沙发机.exe
2016	淘淘淘宝论坛沙发机.exe
2016	淘淘淘宝论坛沙发机.exe

C:\Users\Admin\AppData\Local\Temp\淘淘淘宝论坛抢沙发软件\淘淘淘宝论坛沙发机.exe
"C:\Users\Admin\AppData\Local\Temp\淘淘淘宝论坛抢沙发软件\淘淘淘宝论坛沙发机.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2016-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/2016-55-0x0000000000400000-0x0000000000901000-memory.dmp

Filesize
5.0MB

Download
memory/2016-58-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-60-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-61-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-62-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-65-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-63-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-69-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-67-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-75-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-77-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-73-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-71-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-81-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-79-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-85-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-89-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-87-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-95-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-93-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-101-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-103-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-99-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-97-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-91-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-83-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-105-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-104-0x0000000000400000-0x0000000000901000-memory.dmp

Filesize
5.0MB

Download
memory/2016-106-0x0000000000400000-0x0000000000901000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing