34823b21f19729474452aef3cd77a533cc00828184ec0527384c0c3f0ca3d118

General

Target

XunLeiWebSetup10.1.18.500dl.exe
Size

4.3MB
MD5

325672640e45536fff962a44b0696118
SHA1

1c7da13a614a889b7d19d5bdcd2eaf91cd44bbae
SHA256

34823b21f19729474452aef3cd77a533cc00828184ec0527384c0c3f0ca3d118
SHA512

e5229aed7adb5a968ace8ffea3754ffed453a4989d0e67bf8e269da5e264f627fc9cd2c567e0544d3cbb9202a1719bafee6a32b8a7f020a34132c907f8c2213c
SSDEEP

98304:DDUV8CMjcqzgRARtrrltF4SLPpooaQZAQE:DDw8ChCRtrpkSRdZW

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2928	netsh.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	XunLeiWebSetup10.1.18.500dl.exe

Loads dropped DLL 1 IoCs

pid	Process
2212	XunLeiWebSetup10.1.18.500dl.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2928	2212	XunLeiWebSetup10.1.18.500dl.exe	28
PID 2212 wrote to memory of 2928	2212	XunLeiWebSetup10.1.18.500dl.exe	28
PID 2212 wrote to memory of 2928	2212	XunLeiWebSetup10.1.18.500dl.exe	28
PID 2212 wrote to memory of 2928	2212	XunLeiWebSetup10.1.18.500dl.exe	28

C:\Users\Admin\AppData\Local\Temp\XunLeiWebSetup10.1.18.500dl.exe
"C:\Users\Admin\AppData\Local\Temp\XunLeiWebSetup10.1.18.500dl.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="DownloadSDKServer" dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\OnlineInstall\10.1.18.500\SDK\DownloadSDKServer.exe enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OnlineInstall\10.1.18.500\OnlineResource\resource\[email protected]

Filesize
1KB

MD5
c93e65d6c18dda66acdcd469fbdc25d1

SHA1
c75e34ed3b7c01e6186ce86d814f53583ee57a68

SHA256
15539c0be4b922875338fc9ada9632d5f2e10caa837be73e4888243425f546f1

SHA512
da40c116c0b7b234960f5fcc987e666d1564c924e67ada1b9ab9505ff153c61c9e92d8e5674a8bcfe0a081cb73c116f388ac132f48dd59078c8fd3da77632f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\10.1.18.500\OnlineResource\resource\[email protected]

Filesize
920B

MD5
4eeb9225a989486ee4acbc15e98e8d0d

SHA1
4d7108e7f378d13f84dfe165c8dcb747040fe77d

SHA256
8ddded3ffa2e7de9dd107a8042979d1767caf5196f4d7307305b2d8758188d3b

SHA512
d9c9356bb22d8890af5911d9b058a0b499c869cdce1f55ec5e00270f47d2e3e682d2f8d7cdb28ff97f19998c8f33ba0b94844f28a0d5d148afa06b930bd8b284

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\10.1.18.500\OnlineResource\resource\[email protected]

Filesize
106B

MD5
92cbdb2849a0f3932240c4d27afebf54

SHA1
a891ce8810ec018c3fb4d770bc94d769d69b0b8c

SHA256
ce286acdd575c0a32861ddd2492c89e237eadbfb2bc9038519b2ea41d78931e1

SHA512
21f100771ce511ce67fd5caf95fc9c05059bdfd82b387963fc5f7f10fe937a13df70891a2a7ac9206c3825d3ccb5ece7300820f209b267612e4cc6ceeacf1e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\10.1.18.500\OnlineResource\resource\install_bkg.png

Filesize
47KB

MD5
fc9878da4d38a1bd434f6d2f8ae024b5

SHA1
69311fe14e84f352600798ba5f3903d6a0231695

SHA256
9593534403a316e7cc4e4e5bd39299d148f537f23696070a63f62afd9ddc3eb7

SHA512
eafff3413ff05676187e7e0664040b15890e73388ef42d8577b725f54b9afd5fc34d77018b87ec26b7267b76d383d95c9ca06edd68c3dcb1585102d306d38e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\10.1.18.500\OnlineResource\resource\[email protected]

Filesize
2KB

MD5
0b9f5964999a50b9300e4d99f81dfe81

SHA1
05dba7b2a6231c0a8749ece2a0175c645d9b804f

SHA256
33d6938e0f50272eaddf29941955cafc001ff0f7d9293ac986e4a75157235726

SHA512
05bf85a802b4302693560cc2a2b85a24507b48de5ec83feae36f2227e38577e8bdac845886529548e8a910aa4bdeace2f64a17fe4d25c84d86201dbb8de15473

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\10.1.18.500\OnlineResource\resource\[email protected]

Filesize
231B

MD5
088ca4fd8483ec962c977dce3b574d24

SHA1
0cc7c5c37759b22690c753d5c5b81263d6c87bdd

SHA256
0b2811f0fa8ea9debb67b0cbbc8eac0c6d74b48ee1f9bc22b57b6961e05ee504

SHA512
ae2582cc67b7d404278f2b3030bbab51d9e70bb701ded8af9548ca3cc05e3326a02942cd79409df26c9d0d1e452308fe26370250057c65edc6d4493ccdcf3964

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\10.1.18.500\OnlineResource\resource\[email protected]

Filesize
491B

MD5
a632bbf6f23887cd7a3f6d7c400d1e05

SHA1
fc372a3a763717ba2cba61987c42a8fda3024958

SHA256
0500dfbae46dffb61385bf56c43967569b0bbeb9ae621bf4ba4725b503a481c3

SHA512
3ab8fb78479c681f9cf3aa66b2173e2f0c55a69ccea03348661265fdad38907f02338e35eb2d68b0b9e502b169e4272e09df5b0e465659338cc18a134c2ab5bb

Download Submit
\Users\Admin\AppData\Local\Temp\OnlineInstall\10.1.18.500\OnlineResource\InstallEntry.dll

Filesize
1.0MB

MD5
fb00b57f51b520ae39925d6c1a98e284

SHA1
bb15fca4c3e08159936901d3d3d1c4474a834af9

SHA256
ed0192dcf6e76945e5263abb43137794b9e6fdccabe01d05497c04dc7c8ed8fc

SHA512
604ecd141664a4da753edc293d4f8fd43f298293ddbb749f7914ff276ed4dfa6800d41146d2a98cdfff000dacd647c3b4db81bec9a6f6bb0665b31a6fbc1537a

Download Submit
memory/2212-105-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2212-200-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads