101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe
Size

1.5MB
MD5

507c5920642e0ecb41d60a8cd835d2a5
SHA1

c27aac57d049be8a67b88caaf2c61c615c22c012
SHA256

101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96
SHA512

f4858b436d58ab41ff87a0d7ab10cfff00ee4823af289ee44db51e230ec9788cedf9afa1f88124d5eea9ccb146a9c322e27a34c6a474900660b71a39c21c2e2c
SSDEEP

49152:fElteIWkfBjbQkX3nzraEXuWUe5iLTIVY7acvAM:cAkfpQkHnzr7XuVe5iHsY7bY

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
716	Bugreport-393712.dll

Loads dropped DLL 1 IoCs

pid	Process
3404	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3404-0-0x0000000000400000-0x000000000082B000-memory.dmp	upx
behavioral2/memory/3404-7-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-8-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-9-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-12-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-14-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-16-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-18-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-20-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-24-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-22-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-28-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-26-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-31-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-33-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-41-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-39-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-46-0x0000000000400000-0x000000000082B000-memory.dmp	upx
behavioral2/memory/3404-44-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-37-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-48-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-35-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-54-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-57-0x0000000002CA0000-0x0000000002D12000-memory.dmp	upx
behavioral2/memory/3404-56-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-55-0x0000000002CA0000-0x0000000002D12000-memory.dmp	upx
behavioral2/memory/3404-52-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-50-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-60-0x0000000000400000-0x000000000082B000-memory.dmp	upx
behavioral2/memory/3404-61-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/3404-62-0x0000000000400000-0x000000000082B000-memory.dmp	upx
behavioral2/memory/3404-63-0x0000000002CA0000-0x0000000002D12000-memory.dmp	upx
behavioral2/memory/3404-73-0x0000000000400000-0x000000000082B000-memory.dmp	upx
behavioral2/memory/3404-98-0x0000000000400000-0x000000000082B000-memory.dmp	upx
behavioral2/memory/3404-107-0x0000000000400000-0x000000000082B000-memory.dmp	upx
behavioral2/memory/3404-114-0x0000000000400000-0x000000000082B000-memory.dmp	upx
behavioral2/memory/3404-121-0x0000000000400000-0x000000000082B000-memory.dmp	upx
behavioral2/memory/3404-133-0x0000000000400000-0x000000000082B000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3404	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe
3404	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe
3404	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe
3404	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3404	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe
3404	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe
3404	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe
3404	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe
3404	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe
3404	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe
716	Bugreport-393712.dll

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 716	3404	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe	99
PID 3404 wrote to memory of 716	3404	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe	99
PID 3404 wrote to memory of 716	3404	101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe	99

C:\Users\Admin\AppData\Local\Temp\101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe
"C:\Users\Admin\AppData\Local\Temp\101c8b2ee5d93de3eb0f2cd388733ef7e42cb5d18039bfde623450c6ef689c96.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\data\Bugreport-393712.dll
  C:\Users\Admin\AppData\Local\Temp\data\Bugreport-393712.dll Bugreport %E9%AA%8C%E8%AF%81%E6%B6%88%20
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-393712.dll

Filesize
168KB

MD5
f5d691ae882163ada8de6d6dda12d399

SHA1
03154691b92361cfc7ab29b11abaa59b6553c90b

SHA256
c2f8336c7126f20d61db9632bca9070389df47a52a5da88886a72e2e6e4f86c8

SHA512
9ce9f85328d5e8d7812e0b95b2ca42c3879743e7542352b922b3ef33f02e8f5fa05a35d2de623ffce559489d04f3740fba428c6369da302360779ae2b85772b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini

Filesize
80B

MD5
3bab47b3b38d380a1cce241a5570a625

SHA1
4336d07ccd81dcbc165e63484251a2a16b16c7a2

SHA256
0667398030b92a6ee37d86a2571bb8b2140635d1c5566c7347df1aed1730b7b5

SHA512
3bc5fb051a553b6ae194278369ce457067cf2332fbd59a8951e7af74ee0312b5a867a61eb79e9e252fbe8484355e8b861208649a5a80a5b542d5e4ae3680daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport_error.ini

Filesize
105B

MD5
a63bbb832a45df8198ac7939c03308de

SHA1
087a09337d720ee68d0e85bea4285fcc3f4f0d0e

SHA256
1c43db82030e7e9c4eb69c0ec4e8c32dc63de21ed577218ea50708459d6b274c

SHA512
50afcca345a0dc17b3062befe204d02ac92f0a2dda821b4a0d60dcf13f8c525aa9b47e26f51d69c6999d05ec6dd60e4c954480bec285d3cbe9e503de2ebdf605

Download Submit
C:\Users\Admin\AppData\Local\Temp\iext1.fnr.bbs.125.la

Filesize
724KB

MD5
a96fbd5e66b31f3d816ad80f623e9bd9

SHA1
4eda42260bd3eb930cd4eafd7d15c6af367bcf18

SHA256
2e67ba278646fde95bb614dcbcc7da1c6bf7976c918b2c6ad3d78640000326f3

SHA512
43921107313775ea14b1bd33cf758c13798f4fa1c1074771c1c96b1b43b98f3416d249ed8ab3171383772d0054829c3754a91b5e94135f1df6d67a76f599c80e

Download Submit
memory/716-92-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/716-75-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3404-35-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-56-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-18-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-20-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-24-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-22-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-28-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-26-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-31-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-33-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-41-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-39-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-46-0x0000000000400000-0x000000000082B000-memory.dmp

Filesize
4.2MB

Download
memory/3404-44-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-37-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-48-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-0-0x0000000000400000-0x000000000082B000-memory.dmp

Filesize
4.2MB

Download
memory/3404-54-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-57-0x0000000002CA0000-0x0000000002D12000-memory.dmp

Filesize
456KB

Download
memory/3404-16-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-55-0x0000000002CA0000-0x0000000002D12000-memory.dmp

Filesize
456KB

Download
memory/3404-52-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-50-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-60-0x0000000000400000-0x000000000082B000-memory.dmp

Filesize
4.2MB

Download
memory/3404-61-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-62-0x0000000000400000-0x000000000082B000-memory.dmp

Filesize
4.2MB

Download
memory/3404-63-0x0000000002CA0000-0x0000000002D12000-memory.dmp

Filesize
456KB

Download
memory/3404-64-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/3404-65-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/3404-14-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-73-0x0000000000400000-0x000000000082B000-memory.dmp

Filesize
4.2MB

Download
memory/3404-12-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-9-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-8-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-7-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3404-98-0x0000000000400000-0x000000000082B000-memory.dmp

Filesize
4.2MB

Download
memory/3404-107-0x0000000000400000-0x000000000082B000-memory.dmp

Filesize
4.2MB

Download
memory/3404-114-0x0000000000400000-0x000000000082B000-memory.dmp

Filesize
4.2MB

Download
memory/3404-121-0x0000000000400000-0x000000000082B000-memory.dmp

Filesize
4.2MB

Download
memory/3404-133-0x0000000000400000-0x000000000082B000-memory.dmp

Filesize
4.2MB

Download