0963c3554c63a46c79fc03c813a6ae317b49deb47279e2e51cf339c801486756

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2023 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SY.bin.exe
Size

5.0MB
MD5

a25a987008a0014a858f879cf610ebd9
SHA1

6a8795769baabfd47dc3e4cfa960db5f8d460974
SHA256

0963c3554c63a46c79fc03c813a6ae317b49deb47279e2e51cf339c801486756
SHA512

035e40331886e007a5b135e3b8f352ee2ba8e78bd6cd4201f6ba00c8c8cb7e3490e9bba7674c8d85a5810ef3b1f71c117fb4decc91093b25990b679a3605a653
SSDEEP

98304:AGUFlFI8Fylp0h1j4KnXXlDEhdHP5LnfVhr5Id3rO3ja16dDG:AGUFlFIPpw12dHPFnfVF5KyTaQ1G

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2800	SY.bin.exe
2800	SY.bin.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2800-137-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-139-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-141-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-142-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-143-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-144-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-146-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-152-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-155-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-157-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-159-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-162-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-165-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-167-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-169-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-171-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-173-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-175-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-177-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-179-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-181-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-188-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-190-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-192-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2800-204-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	SY.bin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2800	SY.bin.exe
2800	SY.bin.exe
2800	SY.bin.exe
2800	SY.bin.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	SY.bin.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2800	SY.bin.exe
2800	SY.bin.exe
2800	SY.bin.exe
2800	SY.bin.exe

C:\Users\Admin\AppData\Local\Temp\SY.bin.exe
"C:\Users\Admin\AppData\Local\Temp\SY.bin.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\voouerDrv.dll

Filesize
4.6MB

MD5
6abe6dad8a153138d6a2123026b48bbc

SHA1
9f37030b6b4a8f101a620c26b6f4695de5d64995

SHA256
abb3fb37cf183205290f46b00417323ff2ee7950b1e30d7ccbe8a15717fb2b2e

SHA512
e693bdabe81f92179e1ce37e158d1f4c86ceb5330a3134169b01605f43bfd0b4e002f497236caa645ab4511a79835415069f31ec6b9dc2063916aff9b7d155ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\voouerDrv.dll

Filesize
4.6MB

MD5
6abe6dad8a153138d6a2123026b48bbc

SHA1
9f37030b6b4a8f101a620c26b6f4695de5d64995

SHA256
abb3fb37cf183205290f46b00417323ff2ee7950b1e30d7ccbe8a15717fb2b2e

SHA512
e693bdabe81f92179e1ce37e158d1f4c86ceb5330a3134169b01605f43bfd0b4e002f497236caa645ab4511a79835415069f31ec6b9dc2063916aff9b7d155ef

Download Submit
memory/2800-173-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-205-0x0000000075010000-0x0000000075460000-memory.dmp

Filesize
4.3MB

Download
memory/2800-137-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-139-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-141-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-142-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-143-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-144-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-146-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-155-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-157-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-159-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-160-0x0000000000400000-0x0000000000EDF000-memory.dmp

Filesize
10.9MB

Download
memory/2800-162-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-165-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-164-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/2800-167-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-169-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-171-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-209-0x0000000000400000-0x0000000000EDF000-memory.dmp

Filesize
10.9MB

Download
memory/2800-136-0x0000000000400000-0x0000000000EDF000-memory.dmp

Filesize
10.9MB

Download
memory/2800-135-0x0000000000400000-0x0000000000EDF000-memory.dmp

Filesize
10.9MB

Download
memory/2800-179-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-181-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-177-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-134-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/2800-188-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-190-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-192-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-193-0x0000000004A70000-0x000000000529B000-memory.dmp

Filesize
8.2MB

Download
memory/2800-195-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/2800-196-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/2800-198-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/2800-197-0x0000000004A70000-0x000000000529B000-memory.dmp

Filesize
8.2MB

Download
memory/2800-194-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/2800-199-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/2800-200-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/2800-204-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-175-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2800-206-0x0000000000400000-0x0000000000EDF000-memory.dmp

Filesize
10.9MB

Download
memory/2800-207-0x0000000004A70000-0x000000000529B000-memory.dmp

Filesize
8.2MB

Download
memory/2800-208-0x0000000075010000-0x0000000075460000-memory.dmp

Filesize
4.3MB

Download
memory/2800-133-0x0000000000400000-0x0000000000EDF000-memory.dmp

Filesize
10.9MB

Download
memory/2800-214-0x0000000000400000-0x0000000000EDF000-memory.dmp

Filesize
10.9MB

Download