bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2

Analysis

max time kernel
141s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
05/10/2023, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2.exe
Size

7.7MB
MD5

c0cc69db2db4bb54b9a61f7187adcc6c
SHA1

b41280b638b062311d1dd1dd9a702031ff6f228c
SHA256

bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2
SHA512

1f71bafa3791d1202edd92bbdee3fe11bc25df55fa0ad6abf6a0cad954c03583d68d62450bd012e896f8c4b42e7db28b0100673f3e1a6f2a8ca4f5a94241cb1e
SSDEEP

98304:XyR58r6s2MmrYfIcvxHTK0pFA49iHKTX8xFsWMZzifvHX9eYzbHWk4qWaFhJhSGF:XRr6s3FxH+0pFAHqokv69hs+IIczZ8cu

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00040000000130e5-11.dat	acprotect
behavioral1/files/0x00060000000056e2-22.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
2792	bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2.exe
2792	bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2.exe
2792	bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00040000000130e5-11.dat	upx
behavioral1/memory/2792-13-0x0000000003800000-0x0000000003CE2000-memory.dmp	upx
behavioral1/files/0x00060000000056e2-22.dat	upx
behavioral1/memory/2792-30-0x0000000003800000-0x0000000003CE2000-memory.dmp	upx
behavioral1/memory/2792-44-0x0000000003800000-0x0000000003CE2000-memory.dmp	upx
behavioral1/memory/2792-54-0x0000000003800000-0x0000000003CE2000-memory.dmp	upx
behavioral1/memory/2792-60-0x0000000003800000-0x0000000003CE2000-memory.dmp	upx
behavioral1/memory/2792-62-0x0000000003800000-0x0000000003CE2000-memory.dmp	upx
behavioral1/memory/2792-65-0x0000000003800000-0x0000000003CE2000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2792	bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2.exe
Token: SeDebugPrivilege	2792	bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2792	bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2.exe
2792	bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2.exe
2792	bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2.exe

C:\Users\Admin\AppData\Local\Temp\bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2.exe
"C:\Users\Admin\AppData\Local\Temp\bd9a19ba579a9b4cd49be45ec23f102f2fa925e1f55fa03e161a244c9a7d42c2.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\test_game\dm.dll

Filesize
3.7MB

MD5
9fc92bbf7571c4bb87b66e2568020409

SHA1
6e4397a7b400300c290d02384aff0316abd05050

SHA256
ff02150249c62b8435421dd4a1a35c7c536eab2aba6c55a3b5d3e0eb22121f80

SHA512
5c255facff05b1c664125da3e40bc4d8f8f8089234cd8e96009f6d7fd75de8d9fb72b457fe03600f55b1ce4a7c5063a9f20ace76bda151f52fa2dc7951fc33ea

Download Submit
\Users\Admin\AppData\Local\Temp\RegDm.dll

Filesize
52KB

MD5
fdc8b75a37017141831e3421479307be

SHA1
f6a08cc570d5e5bc4218da376ca353d46d62790d

SHA256
2a37ce301490bd4b7c5d02b768b054705fe4620db6ef81061718c1fe89c9f27e

SHA512
d74e2de28523317c928965affa464cef6ba5c4da9ab05d30a79a4d3bbb59284d68331b5735c705cf73e155cf3a42b01ef5cd7219c72c242eed6b711090066537

Download Submit
\Users\Admin\AppData\Local\Temp\dm.dll

Filesize
3.7MB

MD5
9fc92bbf7571c4bb87b66e2568020409

SHA1
6e4397a7b400300c290d02384aff0316abd05050

SHA256
ff02150249c62b8435421dd4a1a35c7c536eab2aba6c55a3b5d3e0eb22121f80

SHA512
5c255facff05b1c664125da3e40bc4d8f8f8089234cd8e96009f6d7fd75de8d9fb72b457fe03600f55b1ce4a7c5063a9f20ace76bda151f52fa2dc7951fc33ea

Download Submit
\test_game\DmReg.dll

Filesize
52KB

MD5
fdc8b75a37017141831e3421479307be

SHA1
f6a08cc570d5e5bc4218da376ca353d46d62790d

SHA256
2a37ce301490bd4b7c5d02b768b054705fe4620db6ef81061718c1fe89c9f27e

SHA512
d74e2de28523317c928965affa464cef6ba5c4da9ab05d30a79a4d3bbb59284d68331b5735c705cf73e155cf3a42b01ef5cd7219c72c242eed6b711090066537

Download Submit
memory/2792-37-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2792-7-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2792-10-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2792-8-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2792-13-0x0000000003800000-0x0000000003CE2000-memory.dmp

Filesize
4.9MB

Download
memory/2792-14-0x0000000003CF0000-0x000000000450B000-memory.dmp

Filesize
8.1MB

Download
memory/2792-15-0x0000000004510000-0x0000000004E0A000-memory.dmp

Filesize
9.0MB

Download
memory/2792-16-0x0000000002620000-0x0000000002622000-memory.dmp

Filesize
8KB

Download
memory/2792-17-0x00000000025A0000-0x00000000025B6000-memory.dmp

Filesize
88KB

Download
memory/2792-19-0x0000000076F50000-0x00000000770D0000-memory.dmp

Filesize
1.5MB

Download
memory/2792-20-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

Filesize
4KB

Download
memory/2792-9-0x0000000076F6F000-0x0000000076F70000-memory.dmp

Filesize
4KB

Download
memory/2792-21-0x0000000003F90000-0x0000000003F9A000-memory.dmp

Filesize
40KB

Download
memory/2792-24-0x0000000003F90000-0x0000000003F9A000-memory.dmp

Filesize
40KB

Download
memory/2792-6-0x0000000076F50000-0x00000000770D0000-memory.dmp

Filesize
1.5MB

Download
memory/2792-26-0x00000000040D0000-0x00000000040DF000-memory.dmp

Filesize
60KB

Download
memory/2792-30-0x0000000003800000-0x0000000003CE2000-memory.dmp

Filesize
4.9MB

Download
memory/2792-29-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/2792-33-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2792-38-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2792-35-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2792-5-0x0000000076F6F000-0x0000000076F70000-memory.dmp

Filesize
4KB

Download
memory/2792-36-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2792-39-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2792-34-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2792-40-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2792-31-0x0000000076F6F000-0x0000000076F70000-memory.dmp

Filesize
4KB

Download
memory/2792-41-0x0000000003CF0000-0x000000000450B000-memory.dmp

Filesize
8.1MB

Download
memory/2792-42-0x0000000004510000-0x0000000004E0A000-memory.dmp

Filesize
9.0MB

Download
memory/2792-43-0x0000000002620000-0x0000000002622000-memory.dmp

Filesize
8KB

Download
memory/2792-44-0x0000000003800000-0x0000000003CE2000-memory.dmp

Filesize
4.9MB

Download
memory/2792-45-0x00000000025A0000-0x00000000025B6000-memory.dmp

Filesize
88KB

Download
memory/2792-47-0x0000000003F90000-0x0000000003F9A000-memory.dmp

Filesize
40KB

Download
memory/2792-46-0x0000000003F90000-0x0000000003F9A000-memory.dmp

Filesize
40KB

Download
memory/2792-49-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2792-50-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2792-52-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2792-53-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2792-51-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2792-48-0x0000000004130000-0x0000000004170000-memory.dmp

Filesize
256KB

Download
memory/2792-54-0x0000000003800000-0x0000000003CE2000-memory.dmp

Filesize
4.9MB

Download
memory/2792-60-0x0000000003800000-0x0000000003CE2000-memory.dmp

Filesize
4.9MB

Download
memory/2792-62-0x0000000003800000-0x0000000003CE2000-memory.dmp

Filesize
4.9MB

Download
memory/2792-65-0x0000000003800000-0x0000000003CE2000-memory.dmp

Filesize
4.9MB

Download