0d6d513acdade5762567ab7d40ea71846185b8e5c756ca241bdc0720188886b0

General

Target

0d6d513acdade5762567ab7d40ea71846185b8e5c756ca241bdc0720188886b0.exe
Size

14.7MB
MD5

7b2737f883ec7c0792c89d2fe10ba959
SHA1

7323ee90384b973ab769d3cdce0297eb2c5ea95d
SHA256

0d6d513acdade5762567ab7d40ea71846185b8e5c756ca241bdc0720188886b0
SHA512

30b24b71fd0a849f4fc681645c2e4caf7c977bfbde608f4ef61af5bc37be54b82fe931112f759d41c8d5f85a309b1d481a2f63c53e309a4a0ba19424915ec87d
SSDEEP

393216:D0cC0/d4u1ffRPYdm79OHgnq6ayJ66R4UMB1ZM4Fn9qv:D0c7fhYchOAqzyc67M1Zt9qv

Score

7^/10

bootkit persistence upx vmprotect

Malware Config

Signatures

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/224-11-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-15-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-14-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-16-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-17-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-28-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-30-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-32-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-35-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-37-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-49-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-51-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-53-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/224-60-0x0000000010000000-0x000000001003E000-memory.dmp	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/224-5-0x0000000000400000-0x000000000190D000-memory.dmp	vmprotect
behavioral2/memory/224-33-0x0000000000400000-0x000000000190D000-memory.dmp	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0d6d513acdade5762567ab7d40ea71846185b8e5c756ca241bdc0720188886b0.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
224	0d6d513acdade5762567ab7d40ea71846185b8e5c756ca241bdc0720188886b0.exe
224	0d6d513acdade5762567ab7d40ea71846185b8e5c756ca241bdc0720188886b0.exe
224	0d6d513acdade5762567ab7d40ea71846185b8e5c756ca241bdc0720188886b0.exe
224	0d6d513acdade5762567ab7d40ea71846185b8e5c756ca241bdc0720188886b0.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
224	0d6d513acdade5762567ab7d40ea71846185b8e5c756ca241bdc0720188886b0.exe
224	0d6d513acdade5762567ab7d40ea71846185b8e5c756ca241bdc0720188886b0.exe
224	0d6d513acdade5762567ab7d40ea71846185b8e5c756ca241bdc0720188886b0.exe

C:\Users\Admin\AppData\Local\Temp\0d6d513acdade5762567ab7d40ea71846185b8e5c756ca241bdc0720188886b0.exe
"C:\Users\Admin\AppData\Local\Temp\0d6d513acdade5762567ab7d40ea71846185b8e5c756ca241bdc0720188886b0.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/224-0-0x0000000001AB0000-0x0000000001AB1000-memory.dmp

Filesize
4KB

Download
memory/224-1-0x0000000001AD0000-0x0000000001AD1000-memory.dmp

Filesize
4KB

Download
memory/224-2-0x0000000001AE0000-0x0000000001AE1000-memory.dmp

Filesize
4KB

Download
memory/224-3-0x0000000001C20000-0x0000000001C21000-memory.dmp

Filesize
4KB

Download
memory/224-5-0x0000000000400000-0x000000000190D000-memory.dmp

Filesize
21.1MB

Download
memory/224-4-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/224-6-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/224-7-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/224-11-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-15-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-14-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-16-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-17-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-28-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-30-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-32-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-33-0x0000000000400000-0x000000000190D000-memory.dmp

Filesize
21.1MB

Download
memory/224-35-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-37-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-49-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-51-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-53-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/224-60-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads