Overview

overview

7

Static

static

7

b627fbdf2b...30.exe

windows7-x64

7

b627fbdf2b...30.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22-03-2023 21:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b627fbdf2bd7432d05b174aa755cdc7adf26f554eb80325d7b413805e8f72230.exe

  • Size

    1.7MB

  • MD5

    36d7b01417ad4b875540ce25e299bbc5

  • SHA1

    065065d6de36bb46d41c53dcc7c20df92a39172f

  • SHA256

    b627fbdf2bd7432d05b174aa755cdc7adf26f554eb80325d7b413805e8f72230

  • SHA512

    7355cdbe93693561f82148e2aecfae2fa2fa3fcd17c4ce1937f623e1b2d67a5d71f2bdacd20aebc1506723358919e19d076c33eaf3c3b094677a805a45a79a8a

  • SSDEEP

    49152:zenXYUvoBk3PgfuNJc3GAd9H6nZzF0JdOIs/3Bcjc:CnXlo27AdVQ0OIsf24

Score
7/10
bootkitpersistenceupx

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b627fbdf2bd7432d05b174aa755cdc7adf26f554eb80325d7b413805e8f72230.exe
    "C:\Users\Admin\AppData\Local\Temp\b627fbdf2bd7432d05b174aa755cdc7adf26f554eb80325d7b413805e8f72230.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Tencent\QMStart\QMStartInstall_20230322224413.Log
    Filesize

    1KB

    MD5

    980a840ae6e771f382fd187004323e83

    SHA1

    36b388e19905016509c71f7530be0beda57974b4

    SHA256

    649d58ad8e0c9025ea95c4bb40e119794c81136a7185d03408f85c9490526d16

    SHA512

    188a6e4f37fc3c57e2e0bf4cf1f356782a290f159c1cccfa0a233bd74d4f915955f6261f6fedb22a0f3aeee13be1d62b477bafbce36657bf25f2569814b60c9b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Tencent\QMStart\~6c01e5\dr.dll
    Filesize

    427KB

    MD5

    68a34245c650829c613e9068bdc6f79d

    SHA1

    f877ad637c2097915ba894fdccb1a596a52a726e

    SHA256

    c72cc19b9ee4546378d22483d5cbe612805be585658df9d28677174b19c2b3bf

    SHA512

    1c9181c1693f3fb4c3044f57f9113f1858cb709c56ea7beec1d41026c4a64070e221dcb61669fbdab63fc0669df24f4a126ea517a157a738b9a35d784cef9afe

    Download Submit
  • memory/2024-67-0x0000000000400000-0x0000000000549000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2024-71-0x0000000000400000-0x0000000000549000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2024-72-0x0000000000400000-0x0000000000549000-memory.dmp
    Filesize

    1.3MB

    Download