56ad070fa14e9174210b7ff37afb8d572d1de3b6c71a93f28b9311da1b0ba0bf

General

Target

56ad070fa14e9174210b7ff37afb8d572d1de3b6c71a93f28b9311da1b0ba0bf.exe
Size

5.9MB
MD5

10fffa0484caf5b12411ad188a12df5b
SHA1

470a7724048585dac6da90c678fe7e609150b8d0
SHA256

56ad070fa14e9174210b7ff37afb8d572d1de3b6c71a93f28b9311da1b0ba0bf
SHA512

9d6699c2e7b1066c0bad8813fc6d6097bb56169f3df113b28293a4303ed7e413637cd9e39b1a8427047e8a73a3bdd84cf3f0d9dd9909fa8c92e03949f372bb56
SSDEEP

98304:CmScH31urVCWtzSKkRNc0xqcB27OgUWZHwJ2uJBAUZLcRkf:+rVCWtdkRNvxP2sWAJV4kf

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
4796	56ad070fa14e9174210b7ff37afb8d572d1de3b6c71a93f28b9311da1b0ba0bf.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4796-2-0x0000000002B60000-0x0000000002B6B000-memory.dmp	upx
behavioral2/memory/4796-4-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-5-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-6-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-8-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-10-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-12-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-14-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-16-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-18-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-20-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-22-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-24-0x0000000002B60000-0x0000000002B6B000-memory.dmp	upx
behavioral2/memory/4796-28-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-26-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-30-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-32-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-38-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-40-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-42-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-44-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-46-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-48-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4796-53-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	56ad070fa14e9174210b7ff37afb8d572d1de3b6c71a93f28b9311da1b0ba0bf.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4796	56ad070fa14e9174210b7ff37afb8d572d1de3b6c71a93f28b9311da1b0ba0bf.exe
4796	56ad070fa14e9174210b7ff37afb8d572d1de3b6c71a93f28b9311da1b0ba0bf.exe
4796	56ad070fa14e9174210b7ff37afb8d572d1de3b6c71a93f28b9311da1b0ba0bf.exe

C:\Users\Admin\AppData\Local\Temp\56ad070fa14e9174210b7ff37afb8d572d1de3b6c71a93f28b9311da1b0ba0bf.exe
"C:\Users\Admin\AppData\Local\Temp\56ad070fa14e9174210b7ff37afb8d572d1de3b6c71a93f28b9311da1b0ba0bf.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib

Filesize
1.5MB

MD5
ef48d7cc52338513cc0ce843c5e3916b

SHA1
20965d86b7b358edf8b5d819302fa7e0e6159c18

SHA256
835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8

SHA512
fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

Download Submit
memory/4796-32-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-0-0x0000000000400000-0x0000000000A46000-memory.dmp

Filesize
6.3MB

Download
memory/4796-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-5-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-6-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-8-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-10-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-12-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-14-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-16-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-18-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-20-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-22-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-24-0x0000000002B60000-0x0000000002B6B000-memory.dmp

Filesize
44KB

Download
memory/4796-28-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-26-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-4-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-30-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-38-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-40-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-42-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-44-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-46-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-48-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-49-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/4796-52-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/4796-54-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/4796-53-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4796-55-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/4796-2-0x0000000002B60000-0x0000000002B6B000-memory.dmp

Filesize
44KB

Download
memory/4796-76-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/4796-78-0x0000000006210000-0x0000000006211000-memory.dmp

Filesize
4KB

Download
memory/4796-92-0x0000000000400000-0x0000000000A46000-memory.dmp

Filesize
6.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads