0e9f60222009e30262f95b19409043181c1f1385c6f719e7d4b024d9a894d520

General

Target

0e9f60222009e30262f95b19409043181c1f1385c6f719e7d4b024d9a894d520.exe
Size

4.0MB
MD5

612a9fced103da63701ed02174291067
SHA1

bfb3d2ffb519c133add767176581080fa6353211
SHA256

0e9f60222009e30262f95b19409043181c1f1385c6f719e7d4b024d9a894d520
SHA512

f5a76ec1350ed10d15ea0a20f97a6a316c3b45358af8744b32af8339441e41150107b2c4bbd694ea6a6fa2e2d02092609eb6330d0eba0cd427ee5c8ebc7d4c16
SSDEEP

98304:4odaCv+8Fhuhju8so6/O2PHyVpooHGL4ygj3vAs6+:lDhPJ8NSHdoH8W3vAS

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00080000000231e2-142.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
1848	0e9f60222009e30262f95b19409043181c1f1385c6f719e7d4b024d9a894d520.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000231e2-142.dat	upx
behavioral2/memory/1848-144-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-151-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-153-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-155-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-156-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-157-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-158-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-159-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-160-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-161-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-162-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-163-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-166-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-167-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-168-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/1848-169-0x0000000010000000-0x00000000102D5000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0e9f60222009e30262f95b19409043181c1f1385c6f719e7d4b024d9a894d520.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?knjx919545505"	0e9f60222009e30262f95b19409043181c1f1385c6f719e7d4b024d9a894d520.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	0e9f60222009e30262f95b19409043181c1f1385c6f719e7d4b024d9a894d520.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1848	0e9f60222009e30262f95b19409043181c1f1385c6f719e7d4b024d9a894d520.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1848	0e9f60222009e30262f95b19409043181c1f1385c6f719e7d4b024d9a894d520.exe
1848	0e9f60222009e30262f95b19409043181c1f1385c6f719e7d4b024d9a894d520.exe

C:\Users\Admin\AppData\Local\Temp\0e9f60222009e30262f95b19409043181c1f1385c6f719e7d4b024d9a894d520.exe
"C:\Users\Admin\AppData\Local\Temp\0e9f60222009e30262f95b19409043181c1f1385c6f719e7d4b024d9a894d520.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer start page
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dm.dll

Filesize
2.2MB

MD5
acaf36d6b9fa9aa3f7ba9be68f866c28

SHA1
82b5a9fd6fa94d1e21036db9bc1843f55e7f55f1

SHA256
44ad8beaa498c520f0bbb793ecc51b2b9566ba85a46c4cf5ebf6014b0b91c16c

SHA512
bb393831048f8f71eac3a6628d9b330d1e8f129dba35f264ae650d1543bdc8e01fb0f3b7eb9bcb4181c918a49ca49e6fd2d82663bb2ec8795c0b04233942d4b9

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
149e945447652d53523603df62921e37

SHA1
602bf9599410c5787168957938579ec071eea97a

SHA256
8faeec9118a4e7f2126c9114968cbb194676bca81dc2b2a98368845dfe9d9bb7

SHA512
59b40fdae9866ada070bb6a7827668977ff28731a3e5b0c7d332144d1b75d0567b930fb499ea2017faa017f3407e2b65a70b46bc5d9f76d0be3a96a39f65cf28

Download Submit
memory/1848-156-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-157-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-147-0x0000000076850000-0x00000000768E6000-memory.dmp

Filesize
600KB

Download
memory/1848-148-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/1848-149-0x0000000072D30000-0x0000000073180000-memory.dmp

Filesize
4.3MB

Download
memory/1848-151-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-152-0x0000000003700000-0x000000000370C000-memory.dmp

Filesize
48KB

Download
memory/1848-153-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-154-0x0000000072D30000-0x0000000073180000-memory.dmp

Filesize
4.3MB

Download
memory/1848-158-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-144-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-140-0x0000000003700000-0x000000000370C000-memory.dmp

Filesize
48KB

Download
memory/1848-155-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-159-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-160-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-161-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-162-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-163-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-166-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-167-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-168-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1848-169-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads