0963c3554c63a46c79fc03c813a6ae317b49deb47279e2e51cf339c801486756

Analysis

max time kernel
141s
max time network
129s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/07/2023, 02:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SY.bin.exe
Size

5.0MB
MD5

a25a987008a0014a858f879cf610ebd9
SHA1

6a8795769baabfd47dc3e4cfa960db5f8d460974
SHA256

0963c3554c63a46c79fc03c813a6ae317b49deb47279e2e51cf339c801486756
SHA512

035e40331886e007a5b135e3b8f352ee2ba8e78bd6cd4201f6ba00c8c8cb7e3490e9bba7674c8d85a5810ef3b1f71c117fb4decc91093b25990b679a3605a653
SSDEEP

98304:AGUFlFI8Fylp0h1j4KnXXlDEhdHP5LnfVhr5Id3rO3ja16dDG:AGUFlFIPpw12dHPFnfVF5KyTaQ1G

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1348	SY.bin.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1348-58-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-64-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-70-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-72-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-74-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-76-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-80-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-90-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-92-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-88-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-86-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-84-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-95-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-100-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-103-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-105-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-107-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-109-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-111-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-113-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	SY.bin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1348	SY.bin.exe
1348	SY.bin.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	SY.bin.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1348	SY.bin.exe
1348	SY.bin.exe
1348	SY.bin.exe
1348	SY.bin.exe

C:\Users\Admin\AppData\Local\Temp\SY.bin.exe
"C:\Users\Admin\AppData\Local\Temp\SY.bin.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\voouerDrv.dll

Filesize
4.6MB

MD5
6abe6dad8a153138d6a2123026b48bbc

SHA1
9f37030b6b4a8f101a620c26b6f4695de5d64995

SHA256
abb3fb37cf183205290f46b00417323ff2ee7950b1e30d7ccbe8a15717fb2b2e

SHA512
e693bdabe81f92179e1ce37e158d1f4c86ceb5330a3134169b01605f43bfd0b4e002f497236caa645ab4511a79835415069f31ec6b9dc2063916aff9b7d155ef

Download Submit
memory/1348-95-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-90-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-58-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-70-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-72-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-74-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-55-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1348-76-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-82-0x0000000000400000-0x0000000000EDF000-memory.dmp

Filesize
10.9MB

Download
memory/1348-103-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-92-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-88-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-86-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-84-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-94-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1348-54-0x0000000000400000-0x0000000000EDF000-memory.dmp

Filesize
10.9MB

Download
memory/1348-56-0x0000000000400000-0x0000000000EDF000-memory.dmp

Filesize
10.9MB

Download
memory/1348-100-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-80-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-105-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-107-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-109-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-111-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-113-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-114-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1348-116-0x00000000039A0000-0x00000000041CB000-memory.dmp

Filesize
8.2MB

Download
memory/1348-119-0x00000000039A0000-0x00000000041CB000-memory.dmp

Filesize
8.2MB

Download
memory/1348-120-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1348-117-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1348-121-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1348-123-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1348-125-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1348-128-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1348-130-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1348-149-0x0000000075760000-0x0000000075924000-memory.dmp

Filesize
1.8MB

Download
memory/1348-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-152-0x00000000039A0000-0x00000000041CB000-memory.dmp

Filesize
8.2MB

Download
memory/1348-153-0x00000000039A0000-0x00000000041CB000-memory.dmp

Filesize
8.2MB

Download
memory/1348-154-0x0000000075760000-0x0000000075924000-memory.dmp

Filesize
1.8MB

Download