aacf9aa69f796273438327be6d804d20837272b331eb3b7689b431148a07c88d

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

腾讯会议软件.exe
Size

2.0MB
MD5

5b9e8345fab7397985cd60729797abc6
SHA1

21d8e0efd71f4f00e8138360e56e72dbf533890a
SHA256

aacf9aa69f796273438327be6d804d20837272b331eb3b7689b431148a07c88d
SHA512

c505609e8de8c29f78490833f34a355d41eb3a6057919aa7f23ab9ae7ac83cef3b64f0116bba0ca145dbb17b1c2c3b18546d31af2397b82260f4cf708a709f75
SSDEEP

49152:R/BU6vSPotkoQsbJhPI2q056dN216k4xIURegVMw:R/BU6vSPotPQsbJhPI2qexFJEegVMw

Score

9^/10

bootkit evasion persistence trojan upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000122e7-55.dat	acprotect

Downloads MZ/PE file

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000122e7-55.dat	upx
behavioral1/memory/948-56-0x0000000010000000-0x00000000103D1000-memory.dmp	upx
behavioral1/memory/948-57-0x0000000010000000-0x00000000103D1000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
948	腾讯会议软件.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	腾讯会议软件.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	腾讯会议软件.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories	腾讯会议软件.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idex = "b022a492ee4bb9dd6620bc595583bca9"	腾讯会议软件.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\PacketPath_166_508_1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdb_semrjgj.dll"	腾讯会议软件.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}	腾讯会议软件.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	腾讯会议软件.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}	腾讯会议软件.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories	腾讯会议软件.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid	腾讯会议软件.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\svrid = "fgmruoslqpbxnh2qeztvlwpq9ern"	腾讯会议软件.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}	腾讯会议软件.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}	腾讯会议软件.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	腾讯会议软件.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}\idno = "1"	腾讯会议软件.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "4A46C44D4322260B655202490A81A11E"	腾讯会议软件.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	948	腾讯会议软件.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe
948	腾讯会议软件.exe

C:\Users\Admin\AppData\Local\Temp\腾讯会议软件.exe
"C:\Users\Admin\AppData\Local\Temp\腾讯会议软件.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll

Filesize
87.0MB

MD5
c397a0085bf97f3f2bf526b5c791cfdf

SHA1
0b9c663a318a4c06ad816f5afff9ae8831d50254

SHA256
f8fde5d1e78f100b60c8ce5ff8e6f49848452e30126b83d6bc65596cb594d3d6

SHA512
badd7791f2c6d34f392ef80ff17ace2852bb9deeb4649f811c5c8b4b4ff67a9ca396c7ec2176142c4724df0cb321732e9d9528765e3ef802b2ba6c8b9b552c00

Download Submit
memory/948-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/948-56-0x0000000010000000-0x00000000103D1000-memory.dmp

Filesize
3.8MB

Download
memory/948-57-0x0000000010000000-0x00000000103D1000-memory.dmp

Filesize
3.8MB

Download