e50f2fd753ef99afa2a74127635d9760b42dd49c11e9c0ef247e50c326a9ab25

General

Target

e50f2fd753ef99afa2a74127635d9760b42dd49c11e9c0ef247e50c326a9ab25.exe
Size

4.5MB
MD5

a798d94af1e9ad9d436f5ed147a7b0e6
SHA1

adb6810d613e17528063335eb13c2bc86e5c78bf
SHA256

e50f2fd753ef99afa2a74127635d9760b42dd49c11e9c0ef247e50c326a9ab25
SHA512

b0f6c3d5d74c86f165e9ab5e4360de4ec0de1e58a5fad1e5f5507fcfdd24fd54c502dfa491ce014b17c65ef36b9282f81cb02f6c8e260b2fde0fe2eac752647c
SSDEEP

98304:ZUQn8B7fY8xBYtSR7Xymxp7xM0flTvr+DhsbXMRlcm5sKeXJSFkUvNbHT7ZMkVbN:nifY8nY0gU7xMKb7MeSFkO1McN

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00020000000224f3-18.dat	acprotect
behavioral2/files/0x00020000000224f3-16.dat	acprotect
behavioral2/files/0x00020000000224f3-21.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
1428	e50f2fd753ef99afa2a74127635d9760b42dd49c11e9c0ef247e50c326a9ab25.exe
1428	e50f2fd753ef99afa2a74127635d9760b42dd49c11e9c0ef247e50c326a9ab25.exe
1428	e50f2fd753ef99afa2a74127635d9760b42dd49c11e9c0ef247e50c326a9ab25.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00020000000224f3-18.dat	upx
behavioral2/files/0x00020000000224f3-16.dat	upx
behavioral2/memory/1428-20-0x00000000041E0000-0x00000000046C2000-memory.dmp	upx
behavioral2/files/0x00020000000224f3-21.dat	upx
behavioral2/memory/1428-22-0x00000000041E0000-0x00000000046C2000-memory.dmp	upx
behavioral2/memory/1428-29-0x00000000041E0000-0x00000000046C2000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	e50f2fd753ef99afa2a74127635d9760b42dd49c11e9c0ef247e50c326a9ab25.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1428	e50f2fd753ef99afa2a74127635d9760b42dd49c11e9c0ef247e50c326a9ab25.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1428	e50f2fd753ef99afa2a74127635d9760b42dd49c11e9c0ef247e50c326a9ab25.exe
1428	e50f2fd753ef99afa2a74127635d9760b42dd49c11e9c0ef247e50c326a9ab25.exe

C:\Users\Admin\AppData\Local\Temp\e50f2fd753ef99afa2a74127635d9760b42dd49c11e9c0ef247e50c326a9ab25.exe
"C:\Users\Admin\AppData\Local\Temp\e50f2fd753ef99afa2a74127635d9760b42dd49c11e9c0ef247e50c326a9ab25.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\xr\xr.dll

Filesize
3.6MB

MD5
c4ed2637b461f73c5f40ce3a66cc6a75

SHA1
4c0640598f82bc6facce4b2bbda79ca67fd252db

SHA256
5ebb9ac8c9a3c0a0d9f86875b628deaf4110eccb58602ff29490427155eb6600

SHA512
10ceb52ea039145676e9c97722b077f09c0cf59ce156872b69a3b856425534491ef3e57c4d363a9c3b4ad1d5114f2d226c87e585880437fbb83cc6b911a1c6fc

Download Submit
C:\xr\xr.dll

Filesize
3.6MB

MD5
c4ed2637b461f73c5f40ce3a66cc6a75

SHA1
4c0640598f82bc6facce4b2bbda79ca67fd252db

SHA256
5ebb9ac8c9a3c0a0d9f86875b628deaf4110eccb58602ff29490427155eb6600

SHA512
10ceb52ea039145676e9c97722b077f09c0cf59ce156872b69a3b856425534491ef3e57c4d363a9c3b4ad1d5114f2d226c87e585880437fbb83cc6b911a1c6fc

Download Submit
C:\xr\xr.dll

Filesize
3.6MB

MD5
c4ed2637b461f73c5f40ce3a66cc6a75

SHA1
4c0640598f82bc6facce4b2bbda79ca67fd252db

SHA256
5ebb9ac8c9a3c0a0d9f86875b628deaf4110eccb58602ff29490427155eb6600

SHA512
10ceb52ea039145676e9c97722b077f09c0cf59ce156872b69a3b856425534491ef3e57c4d363a9c3b4ad1d5114f2d226c87e585880437fbb83cc6b911a1c6fc

Download Submit
C:\xr\xrreg.dll

Filesize
52KB

MD5
fdc8b75a37017141831e3421479307be

SHA1
f6a08cc570d5e5bc4218da376ca353d46d62790d

SHA256
2a37ce301490bd4b7c5d02b768b054705fe4620db6ef81061718c1fe89c9f27e

SHA512
d74e2de28523317c928965affa464cef6ba5c4da9ab05d30a79a4d3bbb59284d68331b5735c705cf73e155cf3a42b01ef5cd7219c72c242eed6b711090066537

Download Submit
memory/1428-12-0x0000000077593000-0x0000000077594000-memory.dmp

Filesize
4KB

Download
memory/1428-24-0x0000000004EF0000-0x00000000057EA000-memory.dmp

Filesize
9.0MB

Download
memory/1428-11-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1428-10-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1428-13-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1428-14-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1428-15-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1428-7-0x0000000077592000-0x0000000077593000-memory.dmp

Filesize
4KB

Download
memory/1428-8-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1428-20-0x00000000041E0000-0x00000000046C2000-memory.dmp

Filesize
4.9MB

Download
memory/1428-6-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1428-22-0x00000000041E0000-0x00000000046C2000-memory.dmp

Filesize
4.9MB

Download
memory/1428-23-0x00000000046D0000-0x0000000004EEB000-memory.dmp

Filesize
8.1MB

Download
memory/1428-9-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1428-25-0x0000000002F10000-0x0000000002F12000-memory.dmp

Filesize
8KB

Download
memory/1428-26-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1428-28-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1428-29-0x00000000041E0000-0x00000000046C2000-memory.dmp

Filesize
4.9MB

Download
memory/1428-30-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/1428-33-0x00000000046D0000-0x0000000004EEB000-memory.dmp

Filesize
8.1MB

Download
memory/1428-32-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1428-34-0x0000000077592000-0x0000000077593000-memory.dmp

Filesize
4KB

Download
memory/1428-35-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1428-37-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/1428-38-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1428-36-0x0000000004EF0000-0x00000000057EA000-memory.dmp

Filesize
9.0MB

Download
memory/1428-39-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads