d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587

Analysis

max time kernel
142s
max time network
148s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08/10/2023, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe
Size

1.8MB
MD5

876d8e9450a25a925b6c37c8d9a5544c
SHA1

8680fbe98d8637e55c5f7a642cc1351897713acc
SHA256

d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587
SHA512

3f63dcce478b0f4f0b87f47221559725a78288eea1baa7fcd8bb840ffe871a502984821bb541bba3986301c852531175faa133414f105b44e6c51eee1439903c
SSDEEP

49152:IEUNNP7hW72ok8+plCeS4HyUWm1rIDhFUaAAUfEN:vUDP1Yk8+plCeS4SUWWq2fK

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2544	Bugreport-524788.dll

Loads dropped DLL 3 IoCs

pid	Process
3004	NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe
3004	NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe
3004	NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe

UPX packed file 44 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3004-0-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-5-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-6-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-7-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-8-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-11-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-16-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-14-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-23-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-21-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-25-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-19-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-27-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-28-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-32-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-36-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-38-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-40-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-34-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-30-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-42-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-44-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-48-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-52-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-50-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-46-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-54-0x0000000002A60000-0x0000000002AD2000-memory.dmp	upx
behavioral1/memory/3004-53-0x0000000002A60000-0x0000000002AD2000-memory.dmp	upx
behavioral1/memory/3004-57-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3004-58-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-59-0x0000000002A60000-0x0000000002AD2000-memory.dmp	upx
behavioral1/memory/3004-93-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-94-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-95-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-96-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-97-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-99-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-100-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-101-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-104-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-105-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-106-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-107-0x0000000000400000-0x00000000008C4200-memory.dmp	upx
behavioral1/memory/3004-108-0x0000000000400000-0x00000000008C4200-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3004	NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe
3004	NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3004	NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe
3004	NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe
3004	NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe
3004	NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe
2544	Bugreport-524788.dll

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2544	3004	NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe	30
PID 3004 wrote to memory of 2544	3004	NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe	30
PID 3004 wrote to memory of 2544	3004	NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe	30
PID 3004 wrote to memory of 2544	3004	NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d80f99cebf322fede82c9af0a4256847fde40b563272947835b0f61d806f6587_JC.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524788.dll
  C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524788.dll Bugreport %E9%AA%A8%E5%A4%B4QQ%E7%A9%BA%E9%97%B4%E8%AE%BF%E5%AE%A2%E6%BC%AB%E6%B8%B8%E6%8F%90%20
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524788.dll

Filesize
168KB

MD5
6b077fdc29c308315a9074648ae69e3b

SHA1
1ddeb23665c57612b101015c309523ed1da0591f

SHA256
60a99e9bceedf431516ede734c8f5913ffea01ad083b98265f87bbf69ded00ee

SHA512
80f815513c460e99bc819279edb3118c61df7922635550ad3906f93a2bdf256ba8116283ac78d03aea8220eb0cab736557becdb9ea94398c4291717b7b7efc9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524788.dll

Filesize
168KB

MD5
6b077fdc29c308315a9074648ae69e3b

SHA1
1ddeb23665c57612b101015c309523ed1da0591f

SHA256
60a99e9bceedf431516ede734c8f5913ffea01ad083b98265f87bbf69ded00ee

SHA512
80f815513c460e99bc819279edb3118c61df7922635550ad3906f93a2bdf256ba8116283ac78d03aea8220eb0cab736557becdb9ea94398c4291717b7b7efc9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini

Filesize
113B

MD5
69f3f5fda6387d7d19f8a486180ffcd1

SHA1
2576e5cd25771be2f8700de361f673a2ac63944d

SHA256
7a178b1f21431fb9234336d801f42c73acab731cc708b9cce14bf61b674872cc

SHA512
6e91226b9c4d453c330a94f3958ecd90a44a198ae65104f9d98f6e0cbe83d17caa129a9645e0272f11f83e46f87cf98a4872b89e1c649e0b30b7f57461cf0f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport_error.ini

Filesize
133B

MD5
2c634b340f2f10edf87c5dd9e62e646a

SHA1
0a61bd0dbba9ace2f8813eb31768d8542b9e08ee

SHA256
e57191c974448b791585f7f4576fc119ad92e921d4235ddf08d94e592e1dd796

SHA512
806c4b4e4d0de837e3c1d527ab6a70563bfa410e8b4a34b85721552413b19f8d11c38fe3b319484fba3ca5fabac5c4c37c3c89a6fb9d2b68c9e4ff783a263b4f

Download Submit
\Users\Admin\AppData\Local\Temp\data\Bugreport-524788.dll

Filesize
168KB

MD5
6b077fdc29c308315a9074648ae69e3b

SHA1
1ddeb23665c57612b101015c309523ed1da0591f

SHA256
60a99e9bceedf431516ede734c8f5913ffea01ad083b98265f87bbf69ded00ee

SHA512
80f815513c460e99bc819279edb3118c61df7922635550ad3906f93a2bdf256ba8116283ac78d03aea8220eb0cab736557becdb9ea94398c4291717b7b7efc9d

Download Submit
\Users\Admin\AppData\Local\Temp\data\Bugreport-524788.dll

Filesize
168KB

MD5
6b077fdc29c308315a9074648ae69e3b

SHA1
1ddeb23665c57612b101015c309523ed1da0591f

SHA256
60a99e9bceedf431516ede734c8f5913ffea01ad083b98265f87bbf69ded00ee

SHA512
80f815513c460e99bc819279edb3118c61df7922635550ad3906f93a2bdf256ba8116283ac78d03aea8220eb0cab736557becdb9ea94398c4291717b7b7efc9d

Download Submit
\Users\Admin\AppData\Local\Temp\iext1.fnr.bbs.125.la

Filesize
724KB

MD5
a96fbd5e66b31f3d816ad80f623e9bd9

SHA1
4eda42260bd3eb930cd4eafd7d15c6af367bcf18

SHA256
2e67ba278646fde95bb614dcbcc7da1c6bf7976c918b2c6ad3d78640000326f3

SHA512
43921107313775ea14b1bd33cf758c13798f4fa1c1074771c1c96b1b43b98f3416d249ed8ab3171383772d0054829c3754a91b5e94135f1df6d67a76f599c80e

Download Submit
memory/2544-75-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3004-52-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-54-0x0000000002A60000-0x0000000002AD2000-memory.dmp

Filesize
456KB

Download
memory/3004-11-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-16-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-14-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-23-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-21-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-25-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-19-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-27-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-28-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-32-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-36-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-38-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-40-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-34-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-30-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-42-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-44-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-48-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-7-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-50-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-46-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-8-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-53-0x0000000002A60000-0x0000000002AD2000-memory.dmp

Filesize
456KB

Download
memory/3004-57-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-58-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-59-0x0000000002A60000-0x0000000002AD2000-memory.dmp

Filesize
456KB

Download
memory/3004-72-0x00000000042D0000-0x0000000004309000-memory.dmp

Filesize
228KB

Download
memory/3004-6-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-5-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3004-0-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-74-0x00000000042D0000-0x0000000004309000-memory.dmp

Filesize
228KB

Download
memory/3004-93-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-94-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-95-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-96-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-97-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-99-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-100-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-101-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-102-0x00000000042D0000-0x0000000004309000-memory.dmp

Filesize
228KB

Download
memory/3004-103-0x00000000042D0000-0x0000000004309000-memory.dmp

Filesize
228KB

Download
memory/3004-104-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-105-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-106-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-107-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download
memory/3004-108-0x0000000000400000-0x00000000008C4200-memory.dmp

Filesize
4.8MB

Download