Extracted

• • Target

    PatchAP.23.x.exe

  • Size

    1.7MB

  • MD5

    5ce67938a175370ffd35be6aa0dca982

  • SHA1

    2ad8efb5209461a3a8ba25871e8f85e565a92f12

  • SHA256

    3461d0dafd691ca66a472ff1b3a786c506062766dce32c41eb4850103e810699

  • SHA512

    104d04999a4425334e95e7ebab69f4f38d9bbffb0a900d6fdf61052629b291ba8ff1defd691ab1fbeba98c6f0bdfb70cc020237753ba2164b808cbba7c5a3f3e

  • SSDEEP

    24576:EscgHM6TdCH1eASiL5yPSvUwdKKT6CgxUzF7v0FRrqvw07qIdIZiJWUkN3P/qPuW:5c2M6T0H0lPSvJ5WdCBsUwrIzJWrVdvU

  Score

  10^/10

  bootkitevasionpersistencespywarestealertrojanupx

  • Modifies WinLogon for persistence

    persistence

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Registers COM server for autorun

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  behavioral1