7a9e8764b9469763c0d83f672b46ab66074b8d5ff75d40715648bfc19f719024

General

Target

7a9e8764b9469763c0d83f672b46ab66074b8d5ff75d40715648bfc19f719024.exe
Size

4.6MB
MD5

d5bd22840ac6f164c95f5119521f688f
SHA1

3783bcac32478a9839f5b9801791621eb1f6d282
SHA256

7a9e8764b9469763c0d83f672b46ab66074b8d5ff75d40715648bfc19f719024
SHA512

64e684feb5bf87d174903325cc5ee3449c60141194f3dcd451a644ddb0af0f62ae6d506aa89986db1e0e25cfb85d7367ea0aeb9ad111fdb14cd2379ccb4eb2d7
SSDEEP

98304:RbbuXOLhjqEadfGUDOXiCUEw/RBzzR8hrAPiuxDSvAKvNO6vdnBY2DzilI:kowb+yAKRB+t7uxQ1sOm2Q

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000d000000012258-65.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
2564	7a9e8764b9469763c0d83f672b46ab66074b8d5ff75d40715648bfc19f719024.exe
2564	7a9e8764b9469763c0d83f672b46ab66074b8d5ff75d40715648bfc19f719024.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d000000012258-65.dat	upx
behavioral1/memory/2564-67-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-74-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-79-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-81-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-82-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-83-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-84-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-85-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-86-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-87-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-88-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-89-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-90-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-91-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-92-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx
behavioral1/memory/2564-93-0x0000000002B00000-0x0000000002FE2000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	7a9e8764b9469763c0d83f672b46ab66074b8d5ff75d40715648bfc19f719024.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	7a9e8764b9469763c0d83f672b46ab66074b8d5ff75d40715648bfc19f719024.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2564	7a9e8764b9469763c0d83f672b46ab66074b8d5ff75d40715648bfc19f719024.exe
2564	7a9e8764b9469763c0d83f672b46ab66074b8d5ff75d40715648bfc19f719024.exe

C:\Users\Admin\AppData\Local\Temp\7a9e8764b9469763c0d83f672b46ab66074b8d5ff75d40715648bfc19f719024.exe
"C:\Users\Admin\AppData\Local\Temp\7a9e8764b9469763c0d83f672b46ab66074b8d5ff75d40715648bfc19f719024.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\DmReg.dll

Filesize
52KB

MD5
fdc8b75a37017141831e3421479307be

SHA1
f6a08cc570d5e5bc4218da376ca353d46d62790d

SHA256
2a37ce301490bd4b7c5d02b768b054705fe4620db6ef81061718c1fe89c9f27e

SHA512
d74e2de28523317c928965affa464cef6ba5c4da9ab05d30a79a4d3bbb59284d68331b5735c705cf73e155cf3a42b01ef5cd7219c72c242eed6b711090066537

Download Submit
\Users\Admin\AppData\Local\Temp\dm.dll

Filesize
3.6MB

MD5
434ae2cc38a273b4068cbd59b2596009

SHA1
64e7ba77119c34280d04554d71c7c467c201bfc4

SHA256
a3487289da617e34a779866c9117e7da7f7799356ad6e5394405a55d20258dc2

SHA512
818c8ae6bee43ac5c4f6d33d1d21ac3bd7a7133aafb25c0f793129706273138051ba847da90a033dcfbfda08c44d22efd2923b277da377883792fc69de95ca90

Download Submit
memory/2564-76-0x0000000002AB0000-0x0000000002ABA000-memory.dmp

Filesize
40KB

Download
memory/2564-79-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-59-0x00000000778CF000-0x00000000778D0000-memory.dmp

Filesize
4KB

Download
memory/2564-64-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2564-63-0x00000000778B0000-0x0000000077A30000-memory.dmp

Filesize
1.5MB

Download
memory/2564-61-0x00000000778B0000-0x0000000077A30000-memory.dmp

Filesize
1.5MB

Download
memory/2564-67-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-68-0x0000000002FF0000-0x000000000380B000-memory.dmp

Filesize
8.1MB

Download
memory/2564-78-0x0000000003810000-0x000000000410A000-memory.dmp

Filesize
9.0MB

Download
memory/2564-70-0x00000000020B0000-0x00000000020B2000-memory.dmp

Filesize
8KB

Download
memory/2564-71-0x00000000020D0000-0x00000000020E6000-memory.dmp

Filesize
88KB

Download
memory/2564-73-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/2564-74-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-75-0x0000000002AB0000-0x0000000002ABA000-memory.dmp

Filesize
40KB

Download
memory/2564-60-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2564-62-0x00000000778CF000-0x00000000778D0000-memory.dmp

Filesize
4KB

Download
memory/2564-69-0x0000000003810000-0x000000000410A000-memory.dmp

Filesize
9.0MB

Download
memory/2564-77-0x0000000002FF0000-0x000000000380B000-memory.dmp

Filesize
8.1MB

Download
memory/2564-80-0x00000000020D0000-0x00000000020E6000-memory.dmp

Filesize
88KB

Download
memory/2564-81-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-82-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-83-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-84-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-85-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-86-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-87-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-88-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-89-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-90-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-91-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-92-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download
memory/2564-93-0x0000000002B00000-0x0000000002FE2000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads