b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27/08/2023, 18:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe
Size

12.2MB
MD5

e1a9feb113902f6ca3b34f8fda0ce9e5
SHA1

148586c97ae802f3cbb72cec0ce49bb84eac4e9e
SHA256

b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd
SHA512

06b37fdcb1e70b79b59681f4591b2cbe5b06cc4edf8058027255c629ff4f730dff486ca30599caf968d446b6f317d00a2a1ea9489871896c1f06d690dd95d467
SSDEEP

196608:PONsv97d2yOyiWNDOCjOMcmef7aZ9hR1M7/bOCz+68Hy+uU1q7RLW8im4/LKCm/7:P+s3qjW5qKefw7R1M7TOCzdMsyLKCmz

Score

10^/10

bootkit persistence upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
49.235.120.125
Port:
21
Username:
geqian
Password:
Liu382818

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000018de5-18.dat	acprotect
behavioral1/files/0x0006000000018de5-966.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2364	7za.exe

Loads dropped DLL 3 IoCs

pid	Process
3044	b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe
3044	b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe
3044	b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000018de5-18.dat	upx
behavioral1/memory/3044-910-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-913-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-914-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-912-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-915-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-920-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-918-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-916-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-922-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-924-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-926-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-928-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-931-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-935-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-933-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-938-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-940-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-944-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-947-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-942-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-949-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-952-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-954-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-957-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-959-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-961-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/memory/3044-962-0x0000000004480000-0x00000000044BE000-memory.dmp	upx
behavioral1/files/0x0006000000018de5-966.dat	upx
behavioral1/memory/3044-968-0x0000000004D60000-0x0000000005227000-memory.dmp	upx
behavioral1/memory/3044-975-0x0000000004D60000-0x0000000005227000-memory.dmp	upx
behavioral1/memory/3044-985-0x0000000004D60000-0x0000000005227000-memory.dmp	upx
behavioral1/memory/3044-987-0x0000000004D60000-0x0000000005227000-memory.dmp	upx
behavioral1/memory/3044-988-0x0000000004D60000-0x0000000005227000-memory.dmp	upx
behavioral1/memory/3044-989-0x0000000004D60000-0x0000000005227000-memory.dmp	upx
behavioral1/memory/3044-990-0x0000000004D60000-0x0000000005227000-memory.dmp	upx
behavioral1/memory/3044-991-0x0000000004D60000-0x0000000005227000-memory.dmp	upx
behavioral1/memory/3044-992-0x0000000004D60000-0x0000000005227000-memory.dmp	upx
behavioral1/memory/3044-993-0x0000000004D60000-0x0000000005227000-memory.dmp	upx
behavioral1/memory/3044-994-0x0000000004D60000-0x0000000005227000-memory.dmp	upx
behavioral1/memory/3044-995-0x0000000004D60000-0x0000000005227000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3044	b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2364	7za.exe
Token: 35	2364	7za.exe
Token: SeSecurityPrivilege	2364	7za.exe
Token: SeSecurityPrivilege	2364	7za.exe
Token: SeDebugPrivilege	3044	b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3044	b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe
3044	b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe
3044	b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe
3044	b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2364	3044	b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe	34
PID 3044 wrote to memory of 2364	3044	b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe	34
PID 3044 wrote to memory of 2364	3044	b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe	34
PID 3044 wrote to memory of 2364	3044	b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe	34

C:\Users\Admin\AppData\Local\Temp\b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe
"C:\Users\Admin\AppData\Local\Temp\b508bc3b8c31e68f91367c24bb19984237be22dab417af80f541e002959a53dd.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\lGnDm\7za.exe
  "C:\Users\Admin\AppData\Local\Temp\lGnDm\7za.exe" x -aoa "C:\Users\Admin\Desktop\Í¼±ê.zip" -o"C:\Users\Admin\Desktop\"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dm.dll

Filesize
3.2MB

MD5
660e9b1c62395179395401aab5bd8232

SHA1
dd38d01cd58302161f41cea7731eac242ddc7e54

SHA256
9505d0b7337876295cd5926d4284ab4204d7fac5eb55753effadce309aaad8cf

SHA512
dbe163db0cfefb64b56ec1e4f50739b04b96a9a0ddf720caa14bd540a9cf60966fdd33c094e53d926adb995075aa0590713e920389e854c30478d90c8f323f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\lGnDm\7za.exe

Filesize
716KB

MD5
744d0e63bcb20438dd3efcd764503490

SHA1
4e9d49a41201e25cf56658578b23f7384a13dc6d

SHA256
77613cca716edf68b9d5bab951463ed7fade5bc0ec465b36190a76299c50f117

SHA512
f501a5375a30254f007c86f1881fa0136fe29f6213b9ed79cfa7f4b7e6b698eb3f7d7c88ffb3e68a66d548e58953158a8354883c3a772b0334ffab4acd9b0067

Download Submit
C:\Users\Admin\Desktop\Í¼±ê.zip

Filesize
2.9MB

MD5
7f86bd9d84222f05462ef2ecb0b2b2ac

SHA1
c57c2700559928b1561b7b0154e5c99c2cba66fd

SHA256
022f52c7bba979a680c5b125224daa2a5eeee8d773467a50a28bfd8b57efd337

SHA512
46aa6a7f65141b90044b72e3788cbe21158bfae2854f45feb3e541eb1ccdb1227dad447aedc2ea935c0049e7b7d92e12145d4a04a7bba08f2641a2a70819a7b1

Download Submit
C:\Users\Admin\Desktop\×ø±ê.txt

Filesize
8B

MD5
7bb0edd98f22430a03b67f853e83c2ca

SHA1
8882632b7f0dffa4d723ab9cf17bedb55690ba5b

SHA256
8b6fa01313ce51afc09e610f819250da501778ad363cba4f9e312a6ec823d42a

SHA512
e39e5fa91794c9d7527313433dccf7c4ecc0eac562674eb6ee9b6e30434c92d3350bf6d9ff7a299c143423ed74931975dd16df761d8f0cb75b587c484b5463ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegDm.dll

Filesize
52KB

MD5
fdc8b75a37017141831e3421479307be

SHA1
f6a08cc570d5e5bc4218da376ca353d46d62790d

SHA256
2a37ce301490bd4b7c5d02b768b054705fe4620db6ef81061718c1fe89c9f27e

SHA512
d74e2de28523317c928965affa464cef6ba5c4da9ab05d30a79a4d3bbb59284d68331b5735c705cf73e155cf3a42b01ef5cd7219c72c242eed6b711090066537

Download Submit
\Users\Admin\AppData\Local\Temp\dm.dll

Filesize
3.2MB

MD5
660e9b1c62395179395401aab5bd8232

SHA1
dd38d01cd58302161f41cea7731eac242ddc7e54

SHA256
9505d0b7337876295cd5926d4284ab4204d7fac5eb55753effadce309aaad8cf

SHA512
dbe163db0cfefb64b56ec1e4f50739b04b96a9a0ddf720caa14bd540a9cf60966fdd33c094e53d926adb995075aa0590713e920389e854c30478d90c8f323f70

Download Submit
\Users\Admin\AppData\Local\Temp\lGnDm\7za.exe

Filesize
716KB

MD5
744d0e63bcb20438dd3efcd764503490

SHA1
4e9d49a41201e25cf56658578b23f7384a13dc6d

SHA256
77613cca716edf68b9d5bab951463ed7fade5bc0ec465b36190a76299c50f117

SHA512
f501a5375a30254f007c86f1881fa0136fe29f6213b9ed79cfa7f4b7e6b698eb3f7d7c88ffb3e68a66d548e58953158a8354883c3a772b0334ffab4acd9b0067

Download Submit
memory/3044-947-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-5-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3044-12-0x00000000002F0000-0x00000000002FF000-memory.dmp

Filesize
60KB

Download
memory/3044-10-0x0000000077D0F000-0x0000000077D10000-memory.dmp

Filesize
4KB

Download
memory/3044-16-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/3044-4-0x0000000077D0F000-0x0000000077D10000-memory.dmp

Filesize
4KB

Download
memory/3044-13-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3044-17-0x0000000077D0F000-0x0000000077D10000-memory.dmp

Filesize
4KB

Download
memory/3044-24-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/3044-910-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-913-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-914-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-912-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-915-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-920-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-918-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-916-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-922-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-924-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-926-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-928-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-931-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-935-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-933-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-938-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-940-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-944-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-6-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3044-942-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-949-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-7-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3044-952-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-988-0x0000000004D60000-0x0000000005227000-memory.dmp

Filesize
4.8MB

Download
memory/3044-959-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-961-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-962-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-954-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-968-0x0000000004D60000-0x0000000005227000-memory.dmp

Filesize
4.8MB

Download
memory/3044-969-0x0000000005230000-0x0000000005A4B000-memory.dmp

Filesize
8.1MB

Download
memory/3044-970-0x0000000005A50000-0x000000000634A000-memory.dmp

Filesize
9.0MB

Download
memory/3044-971-0x0000000002E50000-0x0000000002E52000-memory.dmp

Filesize
8KB

Download
memory/3044-972-0x00000000044C0000-0x00000000044D5000-memory.dmp

Filesize
84KB

Download
memory/3044-974-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/3044-975-0x0000000004D60000-0x0000000005227000-memory.dmp

Filesize
4.8MB

Download
memory/3044-976-0x0000000005260000-0x000000000526A000-memory.dmp

Filesize
40KB

Download
memory/3044-977-0x0000000005260000-0x000000000526A000-memory.dmp

Filesize
40KB

Download
memory/3044-978-0x0000000005230000-0x0000000005A4B000-memory.dmp

Filesize
8.1MB

Download
memory/3044-981-0x0000000005A50000-0x000000000634A000-memory.dmp

Filesize
9.0MB

Download
memory/3044-982-0x00000000044C0000-0x00000000044D5000-memory.dmp

Filesize
84KB

Download
memory/3044-983-0x0000000005260000-0x000000000526A000-memory.dmp

Filesize
40KB

Download
memory/3044-984-0x0000000005260000-0x000000000526A000-memory.dmp

Filesize
40KB

Download
memory/3044-985-0x0000000004D60000-0x0000000005227000-memory.dmp

Filesize
4.8MB

Download
memory/3044-986-0x0000000005260000-0x000000000526A000-memory.dmp

Filesize
40KB

Download
memory/3044-987-0x0000000004D60000-0x0000000005227000-memory.dmp

Filesize
4.8MB

Download
memory/3044-957-0x0000000004480000-0x00000000044BE000-memory.dmp

Filesize
248KB

Download
memory/3044-989-0x0000000004D60000-0x0000000005227000-memory.dmp

Filesize
4.8MB

Download
memory/3044-990-0x0000000004D60000-0x0000000005227000-memory.dmp

Filesize
4.8MB

Download
memory/3044-991-0x0000000004D60000-0x0000000005227000-memory.dmp

Filesize
4.8MB

Download
memory/3044-992-0x0000000004D60000-0x0000000005227000-memory.dmp

Filesize
4.8MB

Download
memory/3044-993-0x0000000004D60000-0x0000000005227000-memory.dmp

Filesize
4.8MB

Download
memory/3044-994-0x0000000004D60000-0x0000000005227000-memory.dmp

Filesize
4.8MB

Download
memory/3044-995-0x0000000004D60000-0x0000000005227000-memory.dmp

Filesize
4.8MB

Download