ea5ccfdbf5fdf29f7984afd6e2dd13e8ab5072128dc361c463f7bd8ddc7d77e8

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2023 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NA_NA_327badac6039c8exeexe_JC.exe
Size

1.8MB
MD5

327badac6039c8debf1be72dbf78d5b5
SHA1

685e7e3feac0f2f3b0be0bd6c6e9402de5eadebd
SHA256

ea5ccfdbf5fdf29f7984afd6e2dd13e8ab5072128dc361c463f7bd8ddc7d77e8
SHA512

2f704edb4909715ff8a0513fba2243f0a0590c4731d7bbf95560d33016c389c36a4f6119ee1b0cc9fd9a2d0ddea49b16e28214c68dff55b27dd87f2f9f348187
SSDEEP

24576:EBgfFUqV89IQ48LVZyRx5zzbCDOnkkoqbWadw4BagBzX+lGB3kOOeSWosqj2fY72:E3Tnkow+lnOOexaXV8

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4060-135-0x0000000010000000-0x000000001000B000-memory.dmp	upx
behavioral2/memory/4060-137-0x0000000010000000-0x000000001000B000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

NA_NA_327badac6039c8exeexe_JC.exe

description ioc process

File opened for modification \??\PhysicalDrive0 NA_NA_327badac6039c8exeexe_JC.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5080 4060 WerFault.exe NA_NA_327badac6039c8exeexe_JC.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	NA_NA_327badac6039c8exeexe_JC.exe

pid	pid_target	process	target process
5080	4060	WerFault.exe	NA_NA_327badac6039c8exeexe_JC.exe

C:\Users\Admin\AppData\Local\Temp\NA_NA_327badac6039c8exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NA_NA_327badac6039c8exeexe_JC.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:4060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 576
  2⤵
  - Program crash
  PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4060 -ip 4060
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4060-133-0x00000000024E0000-0x0000000002608000-memory.dmp

Filesize
1.2MB

Download
memory/4060-135-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/4060-136-0x00000000024E0000-0x0000000002608000-memory.dmp

Filesize
1.2MB

Download
memory/4060-137-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download