4d966cda6915099e786227f4b45b54061a5c812d60b928e31f6adb0c31673d3e

General

Target

4d966cda6915099e786227f4b45b54061a5c812d60b928e31f6adb0c31673d3e.exe
Size

15.6MB
MD5

e1dff9e42c375d80285a304c170d3547
SHA1

5589394db60420b1f0c705c2702cb75ff3eb115b
SHA256

4d966cda6915099e786227f4b45b54061a5c812d60b928e31f6adb0c31673d3e
SHA512

b72f09369e36ba74d52715ba9dd06b1fcf23db3aa52d84ee7fa537e9b0045481947941c7073d4b4124e9e69d9c8e6032fbb4eface90b541a4741a9add8a49194
SSDEEP

393216:8sKhx5c+mJ4gFJBef1FdX8BELMuTuWjV4qkzS/o1:8d6X4gFJcfNX8ANJk11

Score

7^/10

bootkit persistence upx vmprotect

Malware Config

Signatures

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4808-144-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-147-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-148-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-149-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-150-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-153-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-156-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-159-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-162-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-164-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-166-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-169-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-171-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-173-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-175-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-177-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-179-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-181-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-183-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-185-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-187-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-189-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-191-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-193-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-195-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4808-196-0x0000000010000000-0x000000001003E000-memory.dmp	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4808-138-0x0000000000400000-0x0000000001905000-memory.dmp	vmprotect
behavioral2/memory/4808-167-0x0000000000400000-0x0000000001905000-memory.dmp	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	4d966cda6915099e786227f4b45b54061a5c812d60b928e31f6adb0c31673d3e.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4808	4d966cda6915099e786227f4b45b54061a5c812d60b928e31f6adb0c31673d3e.exe
4808	4d966cda6915099e786227f4b45b54061a5c812d60b928e31f6adb0c31673d3e.exe
4808	4d966cda6915099e786227f4b45b54061a5c812d60b928e31f6adb0c31673d3e.exe
4808	4d966cda6915099e786227f4b45b54061a5c812d60b928e31f6adb0c31673d3e.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4808	4d966cda6915099e786227f4b45b54061a5c812d60b928e31f6adb0c31673d3e.exe
4808	4d966cda6915099e786227f4b45b54061a5c812d60b928e31f6adb0c31673d3e.exe
4808	4d966cda6915099e786227f4b45b54061a5c812d60b928e31f6adb0c31673d3e.exe

C:\Users\Admin\AppData\Local\Temp\4d966cda6915099e786227f4b45b54061a5c812d60b928e31f6adb0c31673d3e.exe
"C:\Users\Admin\AppData\Local\Temp\4d966cda6915099e786227f4b45b54061a5c812d60b928e31f6adb0c31673d3e.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4808-133-0x0000000001A80000-0x0000000001A81000-memory.dmp

Filesize
4KB

Download
memory/4808-134-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/4808-136-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/4808-135-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/4808-138-0x0000000000400000-0x0000000001905000-memory.dmp

Filesize
21.0MB

Download
memory/4808-137-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/4808-140-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/4808-139-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/4808-144-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-147-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-148-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-149-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-153-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-156-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-159-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-162-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-164-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-167-0x0000000000400000-0x0000000001905000-memory.dmp

Filesize
21.0MB

Download
memory/4808-166-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-169-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-171-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-173-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-175-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-177-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-179-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-181-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-183-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-185-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-187-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-189-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-191-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-193-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-195-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4808-196-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads