aacf9aa69f796273438327be6d804d20837272b331eb3b7689b431148a07c88d

General

Target

腾讯会议软件.exe
Size

2.0MB
MD5

5b9e8345fab7397985cd60729797abc6
SHA1

21d8e0efd71f4f00e8138360e56e72dbf533890a
SHA256

aacf9aa69f796273438327be6d804d20837272b331eb3b7689b431148a07c88d
SHA512

c505609e8de8c29f78490833f34a355d41eb3a6057919aa7f23ab9ae7ac83cef3b64f0116bba0ca145dbb17b1c2c3b18546d31af2397b82260f4cf708a709f75
SSDEEP

49152:R/BU6vSPotkoQsbJhPI2q056dN216k4xIURegVMw:R/BU6vSPotPQsbJhPI2qexFJEegVMw

Score

9^/10

bootkit evasion persistence trojan upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll	acprotect

Downloads MZ/PE file

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll	upx
behavioral1/memory/948-56-0x0000000010000000-0x00000000103D1000-memory.dmp	upx
behavioral1/memory/948-57-0x0000000010000000-0x00000000103D1000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

腾讯会议软件.exe

pid process

948 腾讯会议软件.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

腾讯会议软件.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 腾讯会议软件.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

腾讯会议软件.exe

description ioc process

File opened for modification \??\PhysicalDrive0 腾讯会议软件.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	腾讯会议软件.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	腾讯会议软件.exe

Modifies registry class 14 IoCs

Processes:

腾讯会议软件.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	腾讯会议软件.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "b022a492ee4bb9dd6620bc595583bca9"	腾讯会议软件.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\PacketPath_166_508_1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdb_semrjgj.dll"	腾讯会议软件.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	腾讯会议软件.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	腾讯会议软件.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}	腾讯会议软件.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories	腾讯会议软件.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid	腾讯会议软件.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "fgmruoslqpbxnh2qeztvlwpq9ern"	腾讯会议软件.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	腾讯会议软件.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}	腾讯会议软件.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	腾讯会议软件.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	腾讯会议软件.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "4A46C44D4322260B655202490A81A11E"	腾讯会议软件.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

腾讯会议软件.exe

description pid process

Token: SeDebugPrivilege 948 腾讯会议软件.exe

description	pid	process
Token: SeDebugPrivilege	948	腾讯会议软件.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

腾讯会议软件.exe

pid	process
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

腾讯会议软件.exe

pid	process
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe

C:\Users\Admin\AppData\Local\Temp\腾讯会议软件.exe
"C:\Users\Admin\AppData\Local\Temp\腾讯会议软件.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll
Filesize
87.0MB

MD5
c397a0085bf97f3f2bf526b5c791cfdf

SHA1
0b9c663a318a4c06ad816f5afff9ae8831d50254

SHA256
f8fde5d1e78f100b60c8ce5ff8e6f49848452e30126b83d6bc65596cb594d3d6

SHA512
badd7791f2c6d34f392ef80ff17ace2852bb9deeb4649f811c5c8b4b4ff67a9ca396c7ec2176142c4724df0cb321732e9d9528765e3ef802b2ba6c8b9b552c00

Download Submit
memory/948-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/948-56-0x0000000010000000-0x00000000103D1000-memory.dmp

Filesize
3.8MB

Download
memory/948-57-0x0000000010000000-0x00000000103D1000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads