18b2dbb8e841d1dec7f78133337cacf10660e137606c9ae828da82208e8a64c7

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2023 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

定制版.exe
Size

2.1MB
MD5

aae1b4342f51b3d86c079495d51e3c14
SHA1

339b0b3d3c9731c4635967ef0204a9632652d7b7
SHA256

18b2dbb8e841d1dec7f78133337cacf10660e137606c9ae828da82208e8a64c7
SHA512

646c774e6cfe1cc028b3a8b96115b1b6e957e4beb3f88c6afbd85689b307ce53a6d558750a8bf34b6f0e90e611d11e18b43964e7c42119c22d4862e7add76c70
SSDEEP

24576:ej4xwmbjW8Xi7UxyhKGQnNO3/Pi0vhTrlwTYs42cYbDyGWBVGZu8BlscURqxbhto:emxHnNWxXhAyGWv4uAPx9to

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000900000002316c-189.dat	acprotect
behavioral2/files/0x000900000002316c-191.dat	acprotect
behavioral2/files/0x000900000002316c-193.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
2920	定制版.exe
2920	定制版.exe
2920	定制版.exe
2920	定制版.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2920-134-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-133-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-135-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-136-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-138-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-140-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-142-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-144-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-146-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-148-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-150-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-152-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-154-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-156-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-158-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-160-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-162-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-164-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-166-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-168-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-170-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-172-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-174-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-176-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/2920-177-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/files/0x000900000002316c-189.dat	upx
behavioral2/files/0x000900000002316c-191.dat	upx
behavioral2/files/0x000900000002316c-193.dat	upx
behavioral2/memory/2920-194-0x0000000004BC0000-0x00000000050A2000-memory.dmp	upx
behavioral2/memory/2920-195-0x0000000004BC0000-0x00000000050A2000-memory.dmp	upx
behavioral2/memory/2920-201-0x0000000004BC0000-0x00000000050A2000-memory.dmp	upx
behavioral2/memory/2920-204-0x0000000004BC0000-0x00000000050A2000-memory.dmp	upx
behavioral2/memory/2920-419-0x0000000004BC0000-0x00000000050A2000-memory.dmp	upx
behavioral2/memory/2920-438-0x0000000004BC0000-0x00000000050A2000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	定制版.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\windows Find2\DmReg.dll	定制版.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	定制版.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2920	定制版.exe
2920	定制版.exe
2920	定制版.exe

C:\Users\Admin\AppData\Local\Temp\定制版.exe
"C:\Users\Admin\AppData\Local\Temp\定制版.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\windows Find2\DmReg.dll

Filesize
52KB

MD5
fdc8b75a37017141831e3421479307be

SHA1
f6a08cc570d5e5bc4218da376ca353d46d62790d

SHA256
2a37ce301490bd4b7c5d02b768b054705fe4620db6ef81061718c1fe89c9f27e

SHA512
d74e2de28523317c928965affa464cef6ba5c4da9ab05d30a79a4d3bbb59284d68331b5735c705cf73e155cf3a42b01ef5cd7219c72c242eed6b711090066537

Download Submit
C:\Program Files\windows Find2\DmReg.dll

Filesize
52KB

MD5
fdc8b75a37017141831e3421479307be

SHA1
f6a08cc570d5e5bc4218da376ca353d46d62790d

SHA256
2a37ce301490bd4b7c5d02b768b054705fe4620db6ef81061718c1fe89c9f27e

SHA512
d74e2de28523317c928965affa464cef6ba5c4da9ab05d30a79a4d3bbb59284d68331b5735c705cf73e155cf3a42b01ef5cd7219c72c242eed6b711090066537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\42JDD8EA\ptqrlogin[1].js

Filesize
51B

MD5
db40a2f52e6254c0cc3f8fe9870984d3

SHA1
747d27f736a3f85d9a64642f5f444fd78a7b314d

SHA256
1bae6806ddef5b2aef8cda73b4a1d0f35cb7bd3a3e234aa140e0cb6c0ecfcb80

SHA512
9cd92839f23600e183e416d783898c69ba1251b3b297a2b36ec193e6eb56ead634664d9b202ee5e3d4bfd42f896e64e158f5802257ff22b5d33117d17117145d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccc.dll

Filesize
3.6MB

MD5
434ae2cc38a273b4068cbd59b2596009

SHA1
64e7ba77119c34280d04554d71c7c467c201bfc4

SHA256
a3487289da617e34a779866c9117e7da7f7799356ad6e5394405a55d20258dc2

SHA512
818c8ae6bee43ac5c4f6d33d1d21ac3bd7a7133aafb25c0f793129706273138051ba847da90a033dcfbfda08c44d22efd2923b277da377883792fc69de95ca90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccc.dll

Filesize
3.6MB

MD5
434ae2cc38a273b4068cbd59b2596009

SHA1
64e7ba77119c34280d04554d71c7c467c201bfc4

SHA256
a3487289da617e34a779866c9117e7da7f7799356ad6e5394405a55d20258dc2

SHA512
818c8ae6bee43ac5c4f6d33d1d21ac3bd7a7133aafb25c0f793129706273138051ba847da90a033dcfbfda08c44d22efd2923b277da377883792fc69de95ca90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccc.dll

Filesize
3.6MB

MD5
434ae2cc38a273b4068cbd59b2596009

SHA1
64e7ba77119c34280d04554d71c7c467c201bfc4

SHA256
a3487289da617e34a779866c9117e7da7f7799356ad6e5394405a55d20258dc2

SHA512
818c8ae6bee43ac5c4f6d33d1d21ac3bd7a7133aafb25c0f793129706273138051ba847da90a033dcfbfda08c44d22efd2923b277da377883792fc69de95ca90

Download Submit
memory/2920-174-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-140-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-146-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-148-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-150-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-152-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-154-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-156-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-158-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-160-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-162-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-164-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-166-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-168-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-170-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-172-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-134-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-176-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-177-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-142-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-184-0x0000000002A90000-0x0000000002A9F000-memory.dmp

Filesize
60KB

Download
memory/2920-144-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-188-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2920-138-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-136-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-135-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-194-0x0000000004BC0000-0x00000000050A2000-memory.dmp

Filesize
4.9MB

Download
memory/2920-195-0x0000000004BC0000-0x00000000050A2000-memory.dmp

Filesize
4.9MB

Download
memory/2920-196-0x00000000050B0000-0x00000000058CB000-memory.dmp

Filesize
8.1MB

Download
memory/2920-197-0x0000000005990000-0x000000000628A000-memory.dmp

Filesize
9.0MB

Download
memory/2920-198-0x00000000062B0000-0x00000000062B2000-memory.dmp

Filesize
8KB

Download
memory/2920-199-0x0000000006290000-0x00000000062A6000-memory.dmp

Filesize
88KB

Download
memory/2920-201-0x0000000004BC0000-0x00000000050A2000-memory.dmp

Filesize
4.9MB

Download
memory/2920-204-0x0000000004BC0000-0x00000000050A2000-memory.dmp

Filesize
4.9MB

Download
memory/2920-208-0x00000000050B0000-0x00000000058CB000-memory.dmp

Filesize
8.1MB

Download
memory/2920-213-0x0000000005990000-0x000000000628A000-memory.dmp

Filesize
9.0MB

Download
memory/2920-214-0x00000000062B0000-0x00000000062B2000-memory.dmp

Filesize
8KB

Download
memory/2920-133-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2920-219-0x0000000006290000-0x00000000062A6000-memory.dmp

Filesize
88KB

Download
memory/2920-419-0x0000000004BC0000-0x00000000050A2000-memory.dmp

Filesize
4.9MB

Download
memory/2920-438-0x0000000004BC0000-0x00000000050A2000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads