5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Size

12.3MB
MD5

08d98cd767bcef762eb1ffd918c15313
SHA1

995e5f6a9bf5226dde91c5c2cc11240ece24cdf9
SHA256

5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c
SHA512

fd8b9ab175e9a32eab8d5aab9b10a0e2d9e4c2fd336b1a7a4f7bbb55e24310f24acd7e30572dbcd3889f9bd6c5d913f0f893901a697ff411d808a96e05ab8f7b
SSDEEP

196608:UQ0hI0QWdJXYJIw7LLdlR8qtiCBzj7r4/PXaNGX6hqDuxHN:UQN0rJIJx7LLSBCdj7rEXaNW6hqDuhN

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000015c5b-2.dat	acprotect
behavioral1/files/0x0008000000015c5b-8.dat	acprotect
behavioral1/files/0x0008000000015c5b-7.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
1972	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
1972	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015c5b-2.dat	upx
behavioral1/memory/1972-5-0x0000000010000000-0x0000000010917000-memory.dmp	upx
behavioral1/files/0x0008000000015c5b-8.dat	upx
behavioral1/files/0x0008000000015c5b-7.dat	upx
behavioral1/memory/1972-10-0x0000000010000000-0x0000000010917000-memory.dmp	upx
behavioral1/memory/1972-11-0x0000000010000000-0x0000000010917000-memory.dmp	upx
behavioral1/memory/1972-14-0x0000000010000000-0x0000000010917000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\JiaRong\JiaRsoft.jrs	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
File created	C:\Program Files\JiaRong\JiaRjishu.jrs	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B5EA181-A38D-4f42-88B2-6AF74CF6D6C0}\VersionIndependentProgID	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77FD1006-7067-41FF-A712-0F356A6ACE8C}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5EB6E1E6-00B9-4469-AB22-EE4375D70E39}\ProxyStubClsid32	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{95EB847D-6550-4FC7-A123-DE050E0328AA}\TypeLib\Version = "6.0"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DABF9AD-2396-4C11-BFD7-A5EE39772954}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44CBB5DE-5AFB-4c3d-8F3F-0F70CA5372AD}\ProgID\ = "gregn.GRPrintViewer.6"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01056F48-F4AB-4D9F-BE45-614F3313717D}\ = "IGRImageList"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83CC68EF-B558-45BB-8023-6C4F3BDADA7B}\ = "IGRColumnTitleCell"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{273631DD-1CAC-49E9-92EE-584F48921A1E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3112650-36D2-4928-9D6C-C0A21CCC1EBA}	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B5EA181-A38D-4f42-88B2-6AF74CF6D6C0}\InprocServer32\ = "C:\\Program Files\\JiaRong\\JiaRjishu.jrs"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7FD5DC62-DED0-4138-9C48-55F0A0FE7B66}\InprocServer32\ThreadingModel = "Apartment"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{330F80F5-4568-4F70-BFCB-683D3B90FEBB}\ProxyStubClsid32	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23F65787-D22B-4CA6-BA49-D22B63CA353A}	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{07120975-B963-4F75-9B4D-0AC979FEBB5D}\TypeLib\Version = "6.0"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07120975-B963-4F75-9B4D-0AC979FEBB5D}\TypeLib	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D40307C2-9342-4C0D-9734-A103418186FE}\TypeLib\Version = "6.0"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F82DF93F-5FF2-40A6-B50B-016666EC08CA}\ = "IGRReportHeader"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17B23325-7316-4098-9FE3-B5A1C24DB296}\ProxyStubClsid32	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5EB6E1E6-00B9-4469-AB22-EE4375D70E39}	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4AA885F-AF9C-4032-A65A-F3DFD458C289}	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F623A5E8-4AE4-494E-975B-3C5404428625}\ = "IGRE2CSVOption"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{07120975-B963-4F75-9B4D-0AC979FEBB5D}\ = "IGRControl"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01056F48-F4AB-4D9F-BE45-614F3313717D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72A79692-2F9E-4FEC-92CC-6B4A7375A3D6}	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4AA885F-AF9C-4032-A65A-F3DFD458C289}\TypeLib\Version = "6.0"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4ACA069-B92C-401A-B175-354E00D538D9}	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B5EA181-A38D-4f42-88B2-6AF74CF6D6C0}\ProgID	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A9E920A1-C722-4A81-9FCF-4D5EBFFA21F4}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F803AE1D-B578-490A-A1FE-38976AD2B625}\ProxyStubClsid32	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CB11F828-A97B-4BC3-9B7A-9D2DDEB1C229}\ProxyStubClsid32	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07120975-B963-4F75-9B4D-0AC979FEBB5D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C56923D-4012-4D28-8283-1B294C5C2A06}\ProxyStubClsid32	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93CD76F7-5439-437F-8FA5-A650F2CA773C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24DE1EBE-5D9C-40EC-A11A-21AF7D0C0D36}\TypeLib\Version = "6.0"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{01056F48-F4AB-4D9F-BE45-614F3313717D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2564DCE8-FEDB-4EB6-B7F9-5026F7F1041E}\ProxyStubClsid32	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9364159-6AED-4f9c-8BAF-D7C7ED6160A8}\TypeLib	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83CC68EF-B558-45BB-8023-6C4F3BDADA7B}\TypeLib\ = "{4018F953-1BFE-441E-8A04-DC8BA1FF060E}"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97502458-7024-4194-9598-5B62001D8C1A}\ = "IGRColumnTitleCells"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F803AE1D-B578-490A-A1FE-38976AD2B625}\ = "IGRGroup"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{07120975-B963-4F75-9B4D-0AC979FEBB5D}	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93CD76F7-5439-437F-8FA5-A650F2CA773C}\TypeLib\Version = "6.0"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE08C5A0-22B5-4664-9DAA-4BB97C2C0771}\ProxyStubClsid32	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF39550B-2A23-418A-ACEC-812C70EA5A62}\ = "IGRColumnContentCells"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB11F828-A97B-4BC3-9B7A-9D2DDEB1C229}	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCDB44D7-4E0B-4EB6-A1E2-092689E8A482}\ProxyStubClsid32	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45F9B62D-9E33-484A-BB3C-BD58007BDAA2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7FC1D3A0-693F-486E-BDF3-02E98F50F9F3}\TypeLib\Version = "6.0"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23AF6C8A-0F15-45E3-A10D-9373BB15AC86}	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3BB506AB-425B-43B0-BC82-28A61FCCF686}	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4AA885F-AF9C-4032-A65A-F3DFD458C289}\TypeLib	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{36971202-D715-4AFC-83D4-7C0DDD8872E8}\ProxyStubClsid32	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28845384-ED9F-4D2E-986E-D52AC37A108F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3BB506AB-425B-43B0-BC82-28A61FCCF686}	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{273631DD-1CAC-49E9-92EE-584F48921A1E}\TypeLib\Version = "6.0"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{488B2328-67C0-42D1-A133-303FF60D8AE2}\ProxyStubClsid32	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CA58CB2-2AD1-4ad0-B3CC-5F5C000BBDEE}\VersionIndependentProgID\ = "gregn.GRPrintViewerProps"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{330F80F5-4568-4F70-BFCB-683D3B90FEBB}	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23F65787-D22B-4CA6-BA49-D22B63CA353A}\TypeLib\Version = "6.0"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C04A6143-7500-41EF-8062-BD89A0A92D40}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FA2BE8F-B674-49A9-A081-FE3968AE8D8D}	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17B23325-7316-4098-9FE3-B5A1C24DB296}\TypeLib	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CDAA7F5B-E100-49B7-93F2-6B66FC93BE55}\TypeLib	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1972	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
1972	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
1972	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
1972	5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe

C:\Users\Admin\AppData\Local\Temp\5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe
"C:\Users\Admin\AppData\Local\Temp\5b145d0f5c784b9b41cc9861b892d232d2bc6e083f282b611c950ce19ee5eb9c.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\JiaRong\JiaRjishu.jrs

Filesize
3.7MB

MD5
259c1da17b442ac2f27ea1ff4625e7d3

SHA1
54437d7ce0fc459ed603dc8709254c6971cd34e0

SHA256
6272c686ea0209fe829ddaad0b9af8fbc253d521dbd7e84a1216c217a2f93c9a

SHA512
75281e8dcb997c28a5c864822fe0f984a4bb7ee7c1ca48400250184b7fdaddc4d23bdc601fc7fc42e214b7721931231635380398918631d0adf454a97f8e8796

Download Submit
\Program Files\JiaRong\JiaRjishu.jrs

Filesize
3.7MB

MD5
259c1da17b442ac2f27ea1ff4625e7d3

SHA1
54437d7ce0fc459ed603dc8709254c6971cd34e0

SHA256
6272c686ea0209fe829ddaad0b9af8fbc253d521dbd7e84a1216c217a2f93c9a

SHA512
75281e8dcb997c28a5c864822fe0f984a4bb7ee7c1ca48400250184b7fdaddc4d23bdc601fc7fc42e214b7721931231635380398918631d0adf454a97f8e8796

Download Submit
\Program Files\JiaRong\JiaRjishu.jrs

Filesize
3.7MB

MD5
259c1da17b442ac2f27ea1ff4625e7d3

SHA1
54437d7ce0fc459ed603dc8709254c6971cd34e0

SHA256
6272c686ea0209fe829ddaad0b9af8fbc253d521dbd7e84a1216c217a2f93c9a

SHA512
75281e8dcb997c28a5c864822fe0f984a4bb7ee7c1ca48400250184b7fdaddc4d23bdc601fc7fc42e214b7721931231635380398918631d0adf454a97f8e8796

Download Submit
memory/1972-5-0x0000000010000000-0x0000000010917000-memory.dmp

Filesize
9.1MB

Download
memory/1972-10-0x0000000010000000-0x0000000010917000-memory.dmp

Filesize
9.1MB

Download
memory/1972-11-0x0000000010000000-0x0000000010917000-memory.dmp

Filesize
9.1MB

Download
memory/1972-14-0x0000000010000000-0x0000000010917000-memory.dmp

Filesize
9.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads