9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c

General

Target

9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
Size

268KB
MD5

64fe22577fa976e2d42d122a04a74553
SHA1

b82d473befb2d938ed1e93b179030d2e23a00c16
SHA256

9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c
SHA512

dedee7831a277f7a46f906d7cb5d4e6af6add5b5b6abaa697440beb57123aa58663f4cf56cd6c6cc953809db3299f04473f167aa8655f9966222416633c3598a
SSDEEP

3072:vwVIvoOqzSaoV9K9QO17bPFcpDuBplAa+0GgPvD1FzfwVYZODFZaFFw811Cx2w:PoCQ4DAp2a+ZgPJFzfq2OD7/Aoxh

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2076-144-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4636 set thread context of 3120	4636	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	85
PID 3120 set thread context of 2076	3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4276	2076	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4636	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
4636	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4636	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 3120	4636	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	85
PID 4636 wrote to memory of 3120	4636	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	85
PID 4636 wrote to memory of 3120	4636	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	85
PID 4636 wrote to memory of 3120	4636	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	85
PID 4636 wrote to memory of 3120	4636	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	85
PID 4636 wrote to memory of 3120	4636	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	85
PID 4636 wrote to memory of 3120	4636	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	85
PID 3120 wrote to memory of 2076	3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	87
PID 3120 wrote to memory of 2076	3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	87
PID 3120 wrote to memory of 2076	3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	87
PID 3120 wrote to memory of 2076	3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	87
PID 3120 wrote to memory of 2076	3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	87
PID 3120 wrote to memory of 2076	3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	87
PID 3120 wrote to memory of 2076	3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	87
PID 3120 wrote to memory of 2076	3120	9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe	87

C:\Users\Admin\AppData\Local\Temp\9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
"C:\Users\Admin\AppData\Local\Temp\9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
  C:\Users\Admin\AppData\Local\Temp\9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Users\Admin\AppData\Local\Temp\9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
    C:\Users\Admin\AppData\Local\Temp\9354661c3f9559fa7ae07649a00c3f8682c9d7e0187c3daf24b570dab2930f9c.exe
    3⤵
    PID:2076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 12
      4⤵
      Program crash
      PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2076 -ip 2076
1⤵
PID:380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2076-143-0x0000000000000000-mapping.dmp

Download
memory/2076-144-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3120-134-0x0000000000000000-mapping.dmp

Download
memory/3120-135-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3120-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3120-138-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3120-141-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3120-142-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3120-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing