5c3be1eab91a7381b4d5cf46ce50b2509bd2c9016fc30285700cb3e7566677da

Analysis

max time kernel
61s
max time network
64s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 15:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

285066dc1a042f13353bfb6f70aafe54.exe
Size

471KB
MD5

285066dc1a042f13353bfb6f70aafe54
SHA1

d51c00b573a8c1e4a6f688a41bc7d9c9ee606f18
SHA256

5c3be1eab91a7381b4d5cf46ce50b2509bd2c9016fc30285700cb3e7566677da
SHA512

31cea536b8f1c4b205dae4964d5fdb8f3b8d67f92c63d26a27b195c857c8f2abba33f111776edfe8e29b0e070d6507cd407d83642fa3666b3da72ca09af67844
SSDEEP

12288:vGHvS/cXhiEXTddLHSaEN02vggHujdBQzd8lnB:v2vS/wiEX/SFCgHwdmh8j

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	1372	rundll32.exe

Executes dropped EXE 6 IoCs

pid	Process
2704	taskmgr.exe
2724	1EuroP.exe
2584	2E4U - Bucks.exe
3024	3IC.exe
2572	4IR.exe
1964	5tbp.exe

Loads dropped DLL 37 IoCs

pid	Process
2348	285066dc1a042f13353bfb6f70aafe54.exe
2348	285066dc1a042f13353bfb6f70aafe54.exe
2704	taskmgr.exe
2704	taskmgr.exe
2704	taskmgr.exe
2348	285066dc1a042f13353bfb6f70aafe54.exe
2348	285066dc1a042f13353bfb6f70aafe54.exe
2724	1EuroP.exe
2348	285066dc1a042f13353bfb6f70aafe54.exe
2724	1EuroP.exe
2348	285066dc1a042f13353bfb6f70aafe54.exe
2348	285066dc1a042f13353bfb6f70aafe54.exe
2584	2E4U - Bucks.exe
2584	2E4U - Bucks.exe
2584	2E4U - Bucks.exe
3024	3IC.exe
3024	3IC.exe
3024	3IC.exe
2348	285066dc1a042f13353bfb6f70aafe54.exe
2348	285066dc1a042f13353bfb6f70aafe54.exe
2572	4IR.exe
2572	4IR.exe
2572	4IR.exe
2348	285066dc1a042f13353bfb6f70aafe54.exe
2348	285066dc1a042f13353bfb6f70aafe54.exe
2584	2E4U - Bucks.exe
1964	5tbp.exe
1964	5tbp.exe
1964	5tbp.exe
1504	rundll32.exe
1504	rundll32.exe
1504	rundll32.exe
1504	rundll32.exe
1372	rundll32.exe
1372	rundll32.exe
1372	rundll32.exe
1372	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000186ab-55.dat	upx
behavioral1/memory/2572-65-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2572-102-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lvorekudegemid = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\censMO.dll\",Startup"	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	3IC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1504	rundll32.exe
1504	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2724	1EuroP.exe
3024	3IC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3024	3IC.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1964	5tbp.exe
2572	4IR.exe
1504	rundll32.exe
2572	4IR.exe
2572	4IR.exe
1372	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2704	2348	285066dc1a042f13353bfb6f70aafe54.exe	28
PID 2348 wrote to memory of 2704	2348	285066dc1a042f13353bfb6f70aafe54.exe	28
PID 2348 wrote to memory of 2704	2348	285066dc1a042f13353bfb6f70aafe54.exe	28
PID 2348 wrote to memory of 2704	2348	285066dc1a042f13353bfb6f70aafe54.exe	28
PID 2348 wrote to memory of 2704	2348	285066dc1a042f13353bfb6f70aafe54.exe	28
PID 2348 wrote to memory of 2704	2348	285066dc1a042f13353bfb6f70aafe54.exe	28
PID 2348 wrote to memory of 2704	2348	285066dc1a042f13353bfb6f70aafe54.exe	28
PID 2348 wrote to memory of 2724	2348	285066dc1a042f13353bfb6f70aafe54.exe	29
PID 2348 wrote to memory of 2724	2348	285066dc1a042f13353bfb6f70aafe54.exe	29
PID 2348 wrote to memory of 2724	2348	285066dc1a042f13353bfb6f70aafe54.exe	29
PID 2348 wrote to memory of 2724	2348	285066dc1a042f13353bfb6f70aafe54.exe	29
PID 2348 wrote to memory of 2724	2348	285066dc1a042f13353bfb6f70aafe54.exe	29
PID 2348 wrote to memory of 2724	2348	285066dc1a042f13353bfb6f70aafe54.exe	29
PID 2348 wrote to memory of 2724	2348	285066dc1a042f13353bfb6f70aafe54.exe	29
PID 2348 wrote to memory of 2584	2348	285066dc1a042f13353bfb6f70aafe54.exe	30
PID 2348 wrote to memory of 2584	2348	285066dc1a042f13353bfb6f70aafe54.exe	30
PID 2348 wrote to memory of 2584	2348	285066dc1a042f13353bfb6f70aafe54.exe	30
PID 2348 wrote to memory of 2584	2348	285066dc1a042f13353bfb6f70aafe54.exe	30
PID 2348 wrote to memory of 2584	2348	285066dc1a042f13353bfb6f70aafe54.exe	30
PID 2348 wrote to memory of 2584	2348	285066dc1a042f13353bfb6f70aafe54.exe	30
PID 2348 wrote to memory of 2584	2348	285066dc1a042f13353bfb6f70aafe54.exe	30
PID 2348 wrote to memory of 3024	2348	285066dc1a042f13353bfb6f70aafe54.exe	31
PID 2348 wrote to memory of 3024	2348	285066dc1a042f13353bfb6f70aafe54.exe	31
PID 2348 wrote to memory of 3024	2348	285066dc1a042f13353bfb6f70aafe54.exe	31
PID 2348 wrote to memory of 3024	2348	285066dc1a042f13353bfb6f70aafe54.exe	31
PID 2348 wrote to memory of 3024	2348	285066dc1a042f13353bfb6f70aafe54.exe	31
PID 2348 wrote to memory of 3024	2348	285066dc1a042f13353bfb6f70aafe54.exe	31
PID 2348 wrote to memory of 3024	2348	285066dc1a042f13353bfb6f70aafe54.exe	31
PID 2348 wrote to memory of 2572	2348	285066dc1a042f13353bfb6f70aafe54.exe	32
PID 2348 wrote to memory of 2572	2348	285066dc1a042f13353bfb6f70aafe54.exe	32
PID 2348 wrote to memory of 2572	2348	285066dc1a042f13353bfb6f70aafe54.exe	32
PID 2348 wrote to memory of 2572	2348	285066dc1a042f13353bfb6f70aafe54.exe	32
PID 2348 wrote to memory of 2572	2348	285066dc1a042f13353bfb6f70aafe54.exe	32
PID 2348 wrote to memory of 2572	2348	285066dc1a042f13353bfb6f70aafe54.exe	32
PID 2348 wrote to memory of 2572	2348	285066dc1a042f13353bfb6f70aafe54.exe	32
PID 2348 wrote to memory of 1964	2348	285066dc1a042f13353bfb6f70aafe54.exe	33
PID 2348 wrote to memory of 1964	2348	285066dc1a042f13353bfb6f70aafe54.exe	33
PID 2348 wrote to memory of 1964	2348	285066dc1a042f13353bfb6f70aafe54.exe	33
PID 2348 wrote to memory of 1964	2348	285066dc1a042f13353bfb6f70aafe54.exe	33
PID 2348 wrote to memory of 1964	2348	285066dc1a042f13353bfb6f70aafe54.exe	33
PID 2348 wrote to memory of 1964	2348	285066dc1a042f13353bfb6f70aafe54.exe	33
PID 2348 wrote to memory of 1964	2348	285066dc1a042f13353bfb6f70aafe54.exe	33
PID 2584 wrote to memory of 992	2584	2E4U - Bucks.exe	34
PID 2584 wrote to memory of 992	2584	2E4U - Bucks.exe	34
PID 2584 wrote to memory of 992	2584	2E4U - Bucks.exe	34
PID 2584 wrote to memory of 992	2584	2E4U - Bucks.exe	34
PID 2584 wrote to memory of 992	2584	2E4U - Bucks.exe	34
PID 2584 wrote to memory of 992	2584	2E4U - Bucks.exe	34
PID 2584 wrote to memory of 992	2584	2E4U - Bucks.exe	34
PID 1964 wrote to memory of 1504	1964	5tbp.exe	35
PID 1964 wrote to memory of 1504	1964	5tbp.exe	35
PID 1964 wrote to memory of 1504	1964	5tbp.exe	35
PID 1964 wrote to memory of 1504	1964	5tbp.exe	35
PID 1964 wrote to memory of 1504	1964	5tbp.exe	35
PID 1964 wrote to memory of 1504	1964	5tbp.exe	35
PID 1964 wrote to memory of 1504	1964	5tbp.exe	35
PID 2724 wrote to memory of 2644	2724	1EuroP.exe	37
PID 2724 wrote to memory of 2644	2724	1EuroP.exe	37
PID 2724 wrote to memory of 2644	2724	1EuroP.exe	37
PID 2724 wrote to memory of 2644	2724	1EuroP.exe	37
PID 2724 wrote to memory of 2644	2724	1EuroP.exe	37
PID 2724 wrote to memory of 2644	2724	1EuroP.exe	37
PID 2724 wrote to memory of 2644	2724	1EuroP.exe	37
PID 1504 wrote to memory of 1372	1504	rundll32.exe	39

C:\Users\Admin\AppData\Local\Temp\285066dc1a042f13353bfb6f70aafe54.exe
"C:\Users\Admin\AppData\Local\Temp\285066dc1a042f13353bfb6f70aafe54.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\taskmgr.exe
  "C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\taskmgr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\1EuroP.exe
  "C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\1EuroP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Sdp..bat" > nul 2> nul
    3⤵
    PID:2644
- C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\2E4U - Bucks.exe
  "C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\2E4U - Bucks.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\2E4U - Bucks.exe
    "C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\2E4U - Bucks.exe"
    3⤵
    PID:992
- C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\3IC.exe
  "C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\3IC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\4IR.exe
  "C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\4IR.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\5tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\5tbp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\censMO.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\censMO.dll",iep
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1372

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {7007ACC7-3202-11D1-AAD2-00805FC1270E} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sdp..bat

Filesize
182B

MD5
b0f4ac296dd58644b213693b6342b419

SHA1
c65a8b2dead46ccbedcdef0917075ca7ae4cd016

SHA256
e33f5f4d8d641f37c74c05c9a2b55b7f92a7633a6f96ba838b4f0e04c06aecc1

SHA512
513a0f3d734cdfafbb5c51b3faee68e65429c03fe0fe5e127c6e63088494f1a25b900dc49fdf6cdb3c1bd4f2d77520c2587ee5366b185b70bc2f814c495314d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\3IC.exe

Filesize
195KB

MD5
aee38ff610fbbdfd9e38e3bcc25271f0

SHA1
4f869c1775ec2c94b58b76e09988c14888157d17

SHA256
c3dcedfa7753c973e8a7accc2c6a0190729b733e447471756609e5c82896addf

SHA512
4476462473ecc6cd38ab3364a7ede24ab224bc26c0411c8624b4d718e317a7b4b95962cbe8c3f5e4b67aeba799b2ad5d2ab7ac2ff92fa5d50a9309387252b72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\4IR.exe

Filesize
54KB

MD5
9fcdb278f6e1b1593524ca88888cee7d

SHA1
0b09733d3b4cfbc0c0663905ea89b7059d45b472

SHA256
95e14259771d08bf4042fa7e1ce7d7b343dce0b0c9fe365d2435a5d1b6a2addb

SHA512
117987aaa3252c08a46fb4d08ecf26bba4d542dc728ac26ef625e6b2384cdeb7eef016e1b6c338d6ce54a480cca4a3a2b5b1f5923447e9abb5d072a66a8ffacd

Download Submit
\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\1EuroP.exe

Filesize
110KB

MD5
678286b7059acf149521497ac173a4de

SHA1
53e0b6de66cfe822d661bbaf26b47b37ae4a077c

SHA256
339298602e15c27e59dea74be0ba206445841b8f980c4cb444fd84af16728fb3

SHA512
82059fd30dafd19ed0e243dc13928474e3a563187196e579c1b7be1b4267029683360faaac7fcbf40d126dad72445441f0815586a24ac14c91ae7d99ff6f9743

Download Submit
\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\2E4U - Bucks.exe

Filesize
100KB

MD5
c17bb3e80113dde13772887ef63deb9b

SHA1
90c3c07a6cdbcc6c5c297d07945f4e725ddf6513

SHA256
c31149caf3f03d834f7f42a655e678a523763feabb6ee7923a0c34163811294a

SHA512
d75735a7f9edfb13db6e76b9aaaef7b2d45bf3d5d4bbc2fd622428c8a4ac381069e8680457ce3625e1a4564fbff47075159055a8f8347c8ebd4dec1185af2616

Download Submit
\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\5tbp.exe

Filesize
124KB

MD5
974a3fffc0fcb5d48ebb2bd9be3f85e7

SHA1
1ab0121ed62ff5177d588ba16741531cfe69b384

SHA256
0b32695db6a10b7adadf1c31ab63f192c2b2a26365c7f4ce9c97b4422e318589

SHA512
86c679699691f5fb64a82b56691a4cb9981314fa7d1e772e0dc138301b031f916a44986d8507c06fbb48b3e7e26cd013deea10d40b1ac6b1c574da8af5a3e6a4

Download Submit
\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\taskmgr.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
\Users\Admin\AppData\Local\censMO.dll

Filesize
124KB

MD5
3dd4c1bbda5d6a0cde8198aa4f36c645

SHA1
86b85c618c9fa7eed63e76b059efa41a70fb8c76

SHA256
e4c91f2dfc0cb2bc383c8da6eb05b51f05c5948b6f65098d40b15ca68664249b

SHA512
a59818a002c8c819e05876f44cf94239f57d319d9fe3795b7fa6efce516e4be2738cce37c8adea85708e2c1be12b7eba4d87647e3eb5ede3cb2b43e73191dcad

Download Submit
memory/992-81-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1372-126-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1372-116-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/1372-115-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1504-92-0x0000000002380000-0x00000000023C0000-memory.dmp

Filesize
256KB

Download
memory/1504-106-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1504-114-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1504-93-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1964-83-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/1964-82-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1964-103-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2348-58-0x0000000002B00000-0x0000000002B2F000-memory.dmp

Filesize
188KB

Download
memory/2572-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-64-0x0000000000230000-0x000000000025F000-memory.dmp

Filesize
188KB

Download
memory/2572-102-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-104-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2724-100-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2724-95-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3024-98-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3024-97-0x0000000000310000-0x0000000000359000-memory.dmp

Filesize
292KB

Download
memory/3024-96-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download