d21b104a9e38d93892e368a76bf4e70f0ef8d7ecb63e6a69dd254037bfb7725c

Analysis

max time kernel
28s
max time network
33s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
03/07/2023, 19:54

Target

d21b104a9e38d93892e368a76bf4e70f0ef8d7ecb63e6a69dd254037bfb7725c.exe
Size

864KB
MD5

d20634b3f941a334cc2ec4a345ded5e7
SHA1

d3fe78e09703dd690f9122042864c38f0e1759a5
SHA256

d21b104a9e38d93892e368a76bf4e70f0ef8d7ecb63e6a69dd254037bfb7725c
SHA512

d2bbabe52d5bafc219af781b262e14efb3e55d080ab93e94458e07c605d74d99e733832576d6863b21f95f7359c7726bb869de910ad1c4069146818e66b132de
SSDEEP

12288:1lz1SVHQQqsmrhDopSxYy65lD9ywoetA/Sou6b7MP+Dd2xX:QVwQz4N76k5ey/So/7MP+h2xX

Score

7^/10

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1352-54-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/1352-55-0x0000000001E80000-0x0000000001E8B000-memory.dmp	upx
behavioral1/memory/1352-58-0x0000000001E80000-0x0000000001E8B000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

Bootkit

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d21b104a9e38d93892e368a76bf4e70f0ef8d7ecb63e6a69dd254037bfb7725c.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	d21b104a9e38d93892e368a76bf4e70f0ef8d7ecb63e6a69dd254037bfb7725c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	d21b104a9e38d93892e368a76bf4e70f0ef8d7ecb63e6a69dd254037bfb7725c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	d21b104a9e38d93892e368a76bf4e70f0ef8d7ecb63e6a69dd254037bfb7725c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1352	d21b104a9e38d93892e368a76bf4e70f0ef8d7ecb63e6a69dd254037bfb7725c.exe
1352	d21b104a9e38d93892e368a76bf4e70f0ef8d7ecb63e6a69dd254037bfb7725c.exe
1352	d21b104a9e38d93892e368a76bf4e70f0ef8d7ecb63e6a69dd254037bfb7725c.exe
1352	d21b104a9e38d93892e368a76bf4e70f0ef8d7ecb63e6a69dd254037bfb7725c.exe

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1352-54-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1352-55-0x0000000001E80000-0x0000000001E8B000-memory.dmp

Filesize
44KB

Download
memory/1352-56-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/1352-57-0x0000000000730000-0x0000000000760000-memory.dmp

Filesize
192KB

Download
memory/1352-58-0x0000000001E80000-0x0000000001E8B000-memory.dmp

Filesize
44KB

Download