9f9ee9f3d5a2d56c7092dbcdba46b56b5befc723df51e489886d33c1e3861518

General

Target

9f9ee9f3d5a2d56c7092dbcdba46b56b5befc723df51e489886d33c1e3861518.exe
Size

1.6MB
MD5

df3928fee4a7ee54d6cca953b26487f0
SHA1

fd47fb3ed31758c175b129c09662b349c5330b84
SHA256

9f9ee9f3d5a2d56c7092dbcdba46b56b5befc723df51e489886d33c1e3861518
SHA512

f76b4e8ebcc4a0b153d2f9974d3083cf6ac0a8ab5dcec44be926d3985666402dbd8f94592d128460c5b688bef7c3e917c123cd398d5bdad924cd3bfbad68bfbf
SSDEEP

49152:7kxfmPeQLzhVrhhPTvM6QI4AiS4LZe2vy:7mOPZJjNTv7QsiS4L7q

Score

8^/10

bootkit evasion persistence trojan upx

Malware Config

Signatures

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1016-56-0x0000000004BE0000-0x0000000004C52000-memory.dmp	upx
behavioral1/memory/1016-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-58-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-69-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-72-0x0000000004BE0000-0x0000000004C52000-memory.dmp	upx
behavioral1/memory/1016-78-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-80-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-76-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-82-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-74-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-84-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-88-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-90-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-92-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-96-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-100-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-98-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-94-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-102-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-86-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1016-105-0x0000000004BE0000-0x0000000004C52000-memory.dmp	upx
behavioral1/memory/1016-106-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine	9f9ee9f3d5a2d56c7092dbcdba46b56b5befc723df51e489886d33c1e3861518.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9f9ee9f3d5a2d56c7092dbcdba46b56b5befc723df51e489886d33c1e3861518.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	9f9ee9f3d5a2d56c7092dbcdba46b56b5befc723df51e489886d33c1e3861518.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1016	9f9ee9f3d5a2d56c7092dbcdba46b56b5befc723df51e489886d33c1e3861518.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1016	9f9ee9f3d5a2d56c7092dbcdba46b56b5befc723df51e489886d33c1e3861518.exe
1016	9f9ee9f3d5a2d56c7092dbcdba46b56b5befc723df51e489886d33c1e3861518.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1016	9f9ee9f3d5a2d56c7092dbcdba46b56b5befc723df51e489886d33c1e3861518.exe
1016	9f9ee9f3d5a2d56c7092dbcdba46b56b5befc723df51e489886d33c1e3861518.exe
1016	9f9ee9f3d5a2d56c7092dbcdba46b56b5befc723df51e489886d33c1e3861518.exe

C:\Users\Admin\AppData\Local\Temp\9f9ee9f3d5a2d56c7092dbcdba46b56b5befc723df51e489886d33c1e3861518.exe
"C:\Users\Admin\AppData\Local\Temp\9f9ee9f3d5a2d56c7092dbcdba46b56b5befc723df51e489886d33c1e3861518.exe"
1⤵
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-54-0x0000000000400000-0x0000000000774000-memory.dmp

Filesize
3.5MB

Download
memory/1016-55-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1016-56-0x0000000004BE0000-0x0000000004C52000-memory.dmp

Filesize
456KB

Download
memory/1016-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-58-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-69-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-71-0x0000000000400000-0x0000000000774000-memory.dmp

Filesize
3.5MB

Download
memory/1016-72-0x0000000004BE0000-0x0000000004C52000-memory.dmp

Filesize
456KB

Download
memory/1016-78-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-80-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-76-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-82-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-74-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-84-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-88-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-90-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-92-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-96-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-100-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-98-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-94-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-102-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-86-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1016-103-0x0000000000400000-0x0000000000774000-memory.dmp

Filesize
3.5MB

Download
memory/1016-104-0x0000000000400000-0x0000000000774000-memory.dmp

Filesize
3.5MB

Download
memory/1016-105-0x0000000004BE0000-0x0000000004C52000-memory.dmp

Filesize
456KB

Download
memory/1016-106-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads