61a8a4a365edf225943d7fb5f27827c7730df5c34189e2dac1f5f23c089f79dd

Analysis

max time kernel
34s
max time network
98s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16/06/2023, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61a8a4a365edf225943d7fb5f27827c7730df5c34189e2dac1f5f23c089f79dd.exe
Size

5.8MB
MD5

a667b2dd0089600c4106fcc5e2d215c0
SHA1

e226aaca862224f6cc8348accf3b4464e0ad3741
SHA256

61a8a4a365edf225943d7fb5f27827c7730df5c34189e2dac1f5f23c089f79dd
SHA512

a2c27b4c42d99ebbe1c3a35c268922b2e613abf491cbee32de13ff79340c54d3ecfb157e56f27f99e2c08fbe0b68d459616d8e36c85a168fff36d490f6d23944
SSDEEP

98304:zX55fiwwWVfqPGCPG0Z2Hb57nVuUikaH5gBxNEjYS2/+:zuww3Zab57nPraH2rNEjYSW+

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1988	DumpUper.exe

Loads dropped DLL 8 IoCs

pid	Process
1232	61a8a4a365edf225943d7fb5f27827c7730df5c34189e2dac1f5f23c089f79dd.exe
1232	61a8a4a365edf225943d7fb5f27827c7730df5c34189e2dac1f5f23c089f79dd.exe
1232	61a8a4a365edf225943d7fb5f27827c7730df5c34189e2dac1f5f23c089f79dd.exe
1988	DumpUper.exe
1988	DumpUper.exe
1988	DumpUper.exe
1988	DumpUper.exe
1988	DumpUper.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	61a8a4a365edf225943d7fb5f27827c7730df5c34189e2dac1f5f23c089f79dd.exe
File opened for modification	\??\PhysicalDrive0	DumpUper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	DumpUper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	DumpUper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	DumpUper.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1988	DumpUper.exe
1988	DumpUper.exe
1988	DumpUper.exe
1988	DumpUper.exe
1988	DumpUper.exe
1988	DumpUper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1988	DumpUper.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1988	1232	61a8a4a365edf225943d7fb5f27827c7730df5c34189e2dac1f5f23c089f79dd.exe	29
PID 1232 wrote to memory of 1988	1232	61a8a4a365edf225943d7fb5f27827c7730df5c34189e2dac1f5f23c089f79dd.exe	29
PID 1232 wrote to memory of 1988	1232	61a8a4a365edf225943d7fb5f27827c7730df5c34189e2dac1f5f23c089f79dd.exe	29
PID 1232 wrote to memory of 1988	1232	61a8a4a365edf225943d7fb5f27827c7730df5c34189e2dac1f5f23c089f79dd.exe	29

C:\Users\Admin\AppData\Local\Temp\61a8a4a365edf225943d7fb5f27827c7730df5c34189e2dac1f5f23c089f79dd.exe
"C:\Users\Admin\AppData\Local\Temp\61a8a4a365edf225943d7fb5f27827c7730df5c34189e2dac1f5f23c089f79dd.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\{F7A15E33-308C-410e-B480-9BCAD13445C9}.tmp\Utils\DumpUper.exe
  "C:\Users\Admin\AppData\Local\Temp\{F7A15E33-308C-410e-B480-9BCAD13445C9}.tmp\Utils\DumpUper.exe" --pep=50851628 --pid=1232 --tid=1072 --src=catainstall --ver=1.2023.1005.513 --rep=1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2286.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F7A15E33-308C-410e-B480-9BCAD13445C9}.tmp\7z.dll

Filesize
1.1MB

MD5
2ab776c5c3d0907bd0379a9f28faa552

SHA1
3830c73548f0ddd9e6b4d8519fd8c1e49797449c

SHA256
cd5d367e02d7a8a48f7ce97fe4d9b3b30d554031523e79c9e4aa3dd6eedb0ed8

SHA512
67d25ad243f8e05dcab3efc9651cd16f8e094aa11ddc04322457b5ecfebfca64ad762cb0fb26616660fd3051be54071b26f99270c814fe916637cea1e6e55993

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F7A15E33-308C-410e-B480-9BCAD13445C9}.tmp\NetBridge.dll

Filesize
238KB

MD5
8786d469338c30e0ba9fedfc62bd5197

SHA1
5fb12028ceae9772f938e1b98b699f0e02e32718

SHA256
beeaf8b72f7008e9adabacfcd85e32a50747a0dfb5c86802aeb973bd1f5c3d2f

SHA512
5db1e5b78e62cda81a63e8e712e720f87a7c7a539237a55a9098c076f9fb4e0b5adb83383c23657b4ccc90c117e55e3946a399cdf3d15cb94444b203d9d6c45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F7A15E33-308C-410e-B480-9BCAD13445C9}.tmp\Utils\DumpUper.exe

Filesize
1.0MB

MD5
eae07326b209814995a435d657ffa46e

SHA1
df58c2248aa64722da47b24f4a60379d408239e5

SHA256
a8246af966f52e36ed8f2444e378e5e6c7f3f4988e9ede19c6f876aaf8abdbfe

SHA512
3f9accd44e59ec811e9e52d939a7b991b60bc453dd946fb46bbd4162908295be582f5ad99dd434f35324f472bc76a7fde91858f73b9dac2236d1eade5dae5881

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F7A15E33-308C-410e-B480-9BCAD13445C9}.tmp\auth.dll

Filesize
646KB

MD5
ffda1cc904157c18535af8a5278f83b4

SHA1
54fd0c98b543db436a42d81c4b3e778a1913b929

SHA256
969abfceb54b61a705eb757af3cf47c583f11e16d56d1596a3804ddf328930ce

SHA512
6cdffee12abd53e51db606e52cf1b577fdbdfb2e57ef06d5d4e57e837910fd1f6a7c831722aac180ee445a6400aaac1dc624e341868b8f1936cb895b63c5e5f6

Download Submit
\Users\Admin\AppData\Local\Temp\{F7A15E33-308C-410e-B480-9BCAD13445C9}.tmp\7z.dll

Filesize
1.1MB

MD5
2ab776c5c3d0907bd0379a9f28faa552

SHA1
3830c73548f0ddd9e6b4d8519fd8c1e49797449c

SHA256
cd5d367e02d7a8a48f7ce97fe4d9b3b30d554031523e79c9e4aa3dd6eedb0ed8

SHA512
67d25ad243f8e05dcab3efc9651cd16f8e094aa11ddc04322457b5ecfebfca64ad762cb0fb26616660fd3051be54071b26f99270c814fe916637cea1e6e55993

Download Submit
\Users\Admin\AppData\Local\Temp\{F7A15E33-308C-410e-B480-9BCAD13445C9}.tmp\7z.dll

Filesize
1.1MB

MD5
2ab776c5c3d0907bd0379a9f28faa552

SHA1
3830c73548f0ddd9e6b4d8519fd8c1e49797449c

SHA256
cd5d367e02d7a8a48f7ce97fe4d9b3b30d554031523e79c9e4aa3dd6eedb0ed8

SHA512
67d25ad243f8e05dcab3efc9651cd16f8e094aa11ddc04322457b5ecfebfca64ad762cb0fb26616660fd3051be54071b26f99270c814fe916637cea1e6e55993

Download Submit
\Users\Admin\AppData\Local\Temp\{F7A15E33-308C-410e-B480-9BCAD13445C9}.tmp\7z.dll

Filesize
1.1MB

MD5
2ab776c5c3d0907bd0379a9f28faa552

SHA1
3830c73548f0ddd9e6b4d8519fd8c1e49797449c

SHA256
cd5d367e02d7a8a48f7ce97fe4d9b3b30d554031523e79c9e4aa3dd6eedb0ed8

SHA512
67d25ad243f8e05dcab3efc9651cd16f8e094aa11ddc04322457b5ecfebfca64ad762cb0fb26616660fd3051be54071b26f99270c814fe916637cea1e6e55993

Download Submit
\Users\Admin\AppData\Local\Temp\{F7A15E33-308C-410e-B480-9BCAD13445C9}.tmp\NetBridge.dll

Filesize
238KB

MD5
8786d469338c30e0ba9fedfc62bd5197

SHA1
5fb12028ceae9772f938e1b98b699f0e02e32718

SHA256
beeaf8b72f7008e9adabacfcd85e32a50747a0dfb5c86802aeb973bd1f5c3d2f

SHA512
5db1e5b78e62cda81a63e8e712e720f87a7c7a539237a55a9098c076f9fb4e0b5adb83383c23657b4ccc90c117e55e3946a399cdf3d15cb94444b203d9d6c45c

Download Submit
\Users\Admin\AppData\Local\Temp\{F7A15E33-308C-410e-B480-9BCAD13445C9}.tmp\Utils\DumpUper.exe

Filesize
1.0MB

MD5
eae07326b209814995a435d657ffa46e

SHA1
df58c2248aa64722da47b24f4a60379d408239e5

SHA256
a8246af966f52e36ed8f2444e378e5e6c7f3f4988e9ede19c6f876aaf8abdbfe

SHA512
3f9accd44e59ec811e9e52d939a7b991b60bc453dd946fb46bbd4162908295be582f5ad99dd434f35324f472bc76a7fde91858f73b9dac2236d1eade5dae5881

Download Submit
\Users\Admin\AppData\Local\Temp\{F7A15E33-308C-410e-B480-9BCAD13445C9}.tmp\auth.dll

Filesize
646KB

MD5
ffda1cc904157c18535af8a5278f83b4

SHA1
54fd0c98b543db436a42d81c4b3e778a1913b929

SHA256
969abfceb54b61a705eb757af3cf47c583f11e16d56d1596a3804ddf328930ce

SHA512
6cdffee12abd53e51db606e52cf1b577fdbdfb2e57ef06d5d4e57e837910fd1f6a7c831722aac180ee445a6400aaac1dc624e341868b8f1936cb895b63c5e5f6

Download Submit
\Users\Admin\AppData\Local\Temp\{F7A15E33-308C-410e-B480-9BCAD13445C9}.tmp\auth.dll

Filesize
646KB

MD5
ffda1cc904157c18535af8a5278f83b4

SHA1
54fd0c98b543db436a42d81c4b3e778a1913b929

SHA256
969abfceb54b61a705eb757af3cf47c583f11e16d56d1596a3804ddf328930ce

SHA512
6cdffee12abd53e51db606e52cf1b577fdbdfb2e57ef06d5d4e57e837910fd1f6a7c831722aac180ee445a6400aaac1dc624e341868b8f1936cb895b63c5e5f6

Download Submit
\Users\Admin\AppData\Local\Temp\{F7A15E33-308C-410e-B480-9BCAD13445C9}.tmp\auth.dll

Filesize
646KB

MD5
ffda1cc904157c18535af8a5278f83b4

SHA1
54fd0c98b543db436a42d81c4b3e778a1913b929

SHA256
969abfceb54b61a705eb757af3cf47c583f11e16d56d1596a3804ddf328930ce

SHA512
6cdffee12abd53e51db606e52cf1b577fdbdfb2e57ef06d5d4e57e837910fd1f6a7c831722aac180ee445a6400aaac1dc624e341868b8f1936cb895b63c5e5f6

Download Submit
memory/1988-149-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download