bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc

Analysis

max time kernel
143s
max time network
165s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 11:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe
Size

1.6MB
MD5

d717c4042e527594b9922a9654f1cdad
SHA1

58a13b3ee45bc0fa2324816d2b5decf31708bf69
SHA256

bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc
SHA512

5ba9c553b83a594f4f68875767f8a233c0ecc089c050269c267563b702763d2ae24e7dcd7b8714fa614cd5da9431a135cb87cb548ec340e4c7af537224a28ea2
SSDEEP

49152:/FP/WJsX3duehq6M+0Fi3C48J/tkYOXTnRgoQ/7/TyfkaRtg:kJG3oehxH04S48J/tkYOXTnuoQz2fd

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1924	Bugreport-262408.dll

Loads dropped DLL 3 IoCs

pid	Process
1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe
1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe
1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1164-0-0x0000000000400000-0x000000000086C000-memory.dmp	upx
behavioral1/memory/1164-5-0x0000000000400000-0x000000000086C000-memory.dmp	upx
behavioral1/memory/1164-7-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-6-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-8-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-9-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-11-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-13-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-15-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-17-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-19-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-21-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-23-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-25-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-27-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-29-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-31-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-33-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-35-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-37-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-39-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-41-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-43-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-45-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-47-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-49-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-51-0x0000000002990000-0x0000000002A02000-memory.dmp	upx
behavioral1/memory/1164-50-0x0000000002990000-0x0000000002A02000-memory.dmp	upx
behavioral1/memory/1164-52-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1164-55-0x0000000000400000-0x000000000086C000-memory.dmp	upx
behavioral1/memory/1164-56-0x0000000002990000-0x0000000002A02000-memory.dmp	upx
behavioral1/memory/1164-57-0x0000000000400000-0x000000000086C000-memory.dmp	upx
behavioral1/memory/1164-59-0x0000000000400000-0x000000000086C000-memory.dmp	upx
behavioral1/memory/1164-62-0x0000000000400000-0x000000000086C000-memory.dmp	upx
behavioral1/memory/1164-65-0x0000000000400000-0x000000000086C000-memory.dmp	upx
behavioral1/memory/1164-106-0x0000000000400000-0x000000000086C000-memory.dmp	upx
behavioral1/memory/1164-107-0x0000000000400000-0x000000000086C000-memory.dmp	upx
behavioral1/memory/1164-108-0x0000000000400000-0x000000000086C000-memory.dmp	upx
behavioral1/memory/1164-109-0x0000000000400000-0x000000000086C000-memory.dmp	upx
behavioral1/memory/1164-110-0x0000000000400000-0x000000000086C000-memory.dmp	upx
behavioral1/memory/1164-111-0x0000000000400000-0x000000000086C000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe
1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe
1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe
1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe
1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe
1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe
1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe
1924	Bugreport-262408.dll

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1924	1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe	32
PID 1164 wrote to memory of 1924	1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe	32
PID 1164 wrote to memory of 1924	1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe	32
PID 1164 wrote to memory of 1924	1164	bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe	32

C:\Users\Admin\AppData\Local\Temp\bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe
"C:\Users\Admin\AppData\Local\Temp\bb854bcec3c2fa45999a21f44cfb64f15971ab4f9fb92c05a46e30f969c289cc.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\AppData\Local\Temp\data\Bugreport-262408.dll
  C:\Users\Admin\AppData\Local\Temp\data\Bugreport-262408.dll Bugreport %E6%89%B9%E9%87%8F%E8%AF%B4%20
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-262408.dll

Filesize
168KB

MD5
df3f47c7b0e47088fcfb374c56029dd3

SHA1
a99bfbfa23730daf6e95c69aa04ca8155eae4f49

SHA256
a8dca3b6bd75c077aca0a46a77f5e99f43567c53a7e999b7ca5db07c79bcacc2

SHA512
a194867b4c9cb54081d222f665da30229ed388dd6d966df51686f4af7cca12acde9364706aadf283b77e6b14d6da5d9029a89f3050c4e129b0dfc499654f9730

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-262408.dll

Filesize
168KB

MD5
df3f47c7b0e47088fcfb374c56029dd3

SHA1
a99bfbfa23730daf6e95c69aa04ca8155eae4f49

SHA256
a8dca3b6bd75c077aca0a46a77f5e99f43567c53a7e999b7ca5db07c79bcacc2

SHA512
a194867b4c9cb54081d222f665da30229ed388dd6d966df51686f4af7cca12acde9364706aadf283b77e6b14d6da5d9029a89f3050c4e129b0dfc499654f9730

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini

Filesize
81B

MD5
f972b10c4149b0b5c28506fc571dd215

SHA1
a3bec9d935987ff0753c98c40b980f36596d9ffc

SHA256
968eb86fe51b83a8295d1994d240b38cdddbeab226b0177af20349e7b5ef7019

SHA512
8c6636b8646040f2c252ab9720ff5c3e21091626d226cede48d6e792793d5c4464d8d407287397101146694106863c578a916a5154f0f3bb4fa6ef02fdf7a371

Download Submit
\Users\Admin\AppData\Local\Temp\data\Bugreport-262408.dll

Filesize
168KB

MD5
df3f47c7b0e47088fcfb374c56029dd3

SHA1
a99bfbfa23730daf6e95c69aa04ca8155eae4f49

SHA256
a8dca3b6bd75c077aca0a46a77f5e99f43567c53a7e999b7ca5db07c79bcacc2

SHA512
a194867b4c9cb54081d222f665da30229ed388dd6d966df51686f4af7cca12acde9364706aadf283b77e6b14d6da5d9029a89f3050c4e129b0dfc499654f9730

Download Submit
\Users\Admin\AppData\Local\Temp\data\Bugreport-262408.dll

Filesize
168KB

MD5
df3f47c7b0e47088fcfb374c56029dd3

SHA1
a99bfbfa23730daf6e95c69aa04ca8155eae4f49

SHA256
a8dca3b6bd75c077aca0a46a77f5e99f43567c53a7e999b7ca5db07c79bcacc2

SHA512
a194867b4c9cb54081d222f665da30229ed388dd6d966df51686f4af7cca12acde9364706aadf283b77e6b14d6da5d9029a89f3050c4e129b0dfc499654f9730

Download Submit
\Users\Admin\AppData\Local\Temp\iext1.fnr.bbs.125.la

Filesize
724KB

MD5
a96fbd5e66b31f3d816ad80f623e9bd9

SHA1
4eda42260bd3eb930cd4eafd7d15c6af367bcf18

SHA256
2e67ba278646fde95bb614dcbcc7da1c6bf7976c918b2c6ad3d78640000326f3

SHA512
43921107313775ea14b1bd33cf758c13798f4fa1c1074771c1c96b1b43b98f3416d249ed8ab3171383772d0054829c3754a91b5e94135f1df6d67a76f599c80e

Download Submit
memory/1164-37-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-47-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-6-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-8-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-9-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-11-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-13-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-15-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-17-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-19-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-21-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-23-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-25-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-27-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-29-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-31-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-33-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-35-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-5-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1164-39-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-41-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-43-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-45-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-7-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-49-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-51-0x0000000002990000-0x0000000002A02000-memory.dmp

Filesize
456KB

Download
memory/1164-50-0x0000000002990000-0x0000000002A02000-memory.dmp

Filesize
456KB

Download
memory/1164-52-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1164-55-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1164-56-0x0000000002990000-0x0000000002A02000-memory.dmp

Filesize
456KB

Download
memory/1164-57-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1164-59-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1164-62-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1164-65-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1164-80-0x0000000005E20000-0x0000000005E59000-memory.dmp

Filesize
228KB

Download
memory/1164-85-0x0000000005E20000-0x0000000005E59000-memory.dmp

Filesize
228KB

Download
memory/1164-111-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1164-110-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1164-0-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1164-106-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1164-107-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1164-108-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1164-109-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1924-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1924-87-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download