ec084fde2bc14fbfee8cc2a1b6f9c21b7aa5ab69f1172cdee6206aaa7e8f795c

General

Target

1f1062b09aeb776b65fb5c77e11f267e.exe
Size

287KB
MD5

1f1062b09aeb776b65fb5c77e11f267e
SHA1

2c3c0136456bbe96921ce89f09c9a76f3e8d44ab
SHA256

ec084fde2bc14fbfee8cc2a1b6f9c21b7aa5ab69f1172cdee6206aaa7e8f795c
SHA512

7d860b3423e10ce0949bdd41cb1fd0fd873f16b5edf8b49d1ec607e66555e0c3d1a8503611280dc3d4c49d761997e5d9d74d97685e40bbde01d2cfbb45bc267f
SSDEEP

6144:0/2MRXFyS71OZz+2e92RM0gOALzsbRHkUuruxFstiVclw8bIELXR2neoS:uFFyS71OZz+nTOALobRHkUxFskVcq8tp

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteServer\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\RemoteServer.dll"	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c000000013a35-3.dat	acprotect
behavioral1/files/0x000c000000013a35-7.dat	acprotect
behavioral1/files/0x000c000000013a35-12.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2368	rundll32.exe

Loads dropped DLL 5 IoCs

pid	Process
2368	rundll32.exe
2368	rundll32.exe
2368	rundll32.exe
2368	rundll32.exe
2896	svchost.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000013a35-3.dat	upx
behavioral1/memory/2368-10-0x0000000000270000-0x0000000000305000-memory.dmp	upx
behavioral1/memory/2368-9-0x0000000000270000-0x0000000000305000-memory.dmp	upx
behavioral1/files/0x000c000000013a35-7.dat	upx
behavioral1/memory/2896-13-0x0000000000850000-0x00000000008E5000-memory.dmp	upx
behavioral1/files/0x000c000000013a35-12.dat	upx
behavioral1/memory/2368-18-0x0000000000270000-0x0000000000305000-memory.dmp	upx
behavioral1/memory/2896-19-0x0000000000850000-0x00000000008E5000-memory.dmp	upx
behavioral1/memory/2368-20-0x0000000000270000-0x0000000000305000-memory.dmp	upx
behavioral1/memory/2368-23-0x0000000000270000-0x0000000000305000-memory.dmp	upx
behavioral1/memory/2368-26-0x0000000000270000-0x0000000000305000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\3B275A5A.fn	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2368	1716	1f1062b09aeb776b65fb5c77e11f267e.exe	28
PID 1716 wrote to memory of 2368	1716	1f1062b09aeb776b65fb5c77e11f267e.exe	28
PID 1716 wrote to memory of 2368	1716	1f1062b09aeb776b65fb5c77e11f267e.exe	28
PID 1716 wrote to memory of 2368	1716	1f1062b09aeb776b65fb5c77e11f267e.exe	28
PID 1716 wrote to memory of 2368	1716	1f1062b09aeb776b65fb5c77e11f267e.exe	28
PID 1716 wrote to memory of 2368	1716	1f1062b09aeb776b65fb5c77e11f267e.exe	28
PID 1716 wrote to memory of 2368	1716	1f1062b09aeb776b65fb5c77e11f267e.exe	28

C:\Users\Admin\AppData\Local\Temp\1f1062b09aeb776b65fb5c77e11f267e.exe
"C:\Users\Admin\AppData\Local\Temp\1f1062b09aeb776b65fb5c77e11f267e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\RemoteServer.dll" InstallService
  2⤵
  - Sets DLL path for service in the registry
  - Deletes itself
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  PID:2368

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tempfl.txt

Filesize
72B

MD5
c43f4e928de0823dbd31b1ca5466eb84

SHA1
8c7d06549357d3cfda433e85f436737e27177d46

SHA256
c412be6dedad714ca127a0c78caa767c50f6c6f9dc547b3246467e17f0376283

SHA512
e4df97d339672adef38d5d6494a5f8220f92a62beca2af57e78a7c4321c0a3a3df48be78a5b11c73c182bac9c309079d2c30ab0e5050c85cefe89a09238f52a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\RemoteServer.dll

Filesize
195KB

MD5
805031d61469c8e7932d653d52676cad

SHA1
3dcbc4d2f6e51edb49569d37a3cdfeef7bf52b8e

SHA256
905866b53f7f611bd13dbdffbc01cd83a86c7139f9b84bbb68fcbc60c7744d0a

SHA512
6b97032005d4b8796b7e4710ed396fc7f7e5ceb351e9816b18de72a2f194409638acea510c1a629e8dc6b91be28708c411887bf97e239dc21cfb77dde774c13e

Download Submit
C:\Windows\SysWOW64\3B275A5A.fn

Filesize
68B

MD5
c24dcd412d8e53eca72caeb77dd809a5

SHA1
3456cb00877262dd6eb91fd536644b535f9efb62

SHA256
f5b4648e87d532a19d0cf7e8a994f108da28e15cd4eb4cac5f355911586fa5cf

SHA512
f56e76ad92e0d4caeabf800d8d7d91918fb3704b7504700db08533570b3641a03000dd549aa69384d77d06270601557e318d0b4c1bf998622f4cfa0624b957b8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AddIns\RemoteServer.dll

Filesize
16KB

MD5
ec7e485f8188c46c54b8878aeb4c4fdd

SHA1
a1860092e94b92bbd9bd6953837a38ffec1f8210

SHA256
aa522eefa84054abafb9f6373811483ce7bfe457e845d876f2a4365022868eb5

SHA512
c1d7ddc4de8b395d52f1beb2f45a41eb49d2937c55742782d5b860634dfaa53c11bfc3ab5152d401533afc7c5780de5c9df9559a83bca8440fe8c2c934ce8ae2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\AddIns\RemoteServer.dll

Filesize
154KB

MD5
5e5070ebc65c1b10b02000c43a58ff0a

SHA1
88e05899a7c8104bc2cd8efcf618255dc740b3d7

SHA256
6acbd1121da5cebb5f58eeb36931919c122e884de89181113dd1010dc45acdba

SHA512
b5c10050f443b156f9d6872d0acbc0a33d442953a75e4430dac1b56b67788cfeea49754ba230e91cb4572de90600e64c4233e3a1ab2de4c7a75625996f1abf8d

Download Submit
memory/1716-2-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2368-9-0x0000000000270000-0x0000000000305000-memory.dmp

Filesize
596KB

Download
memory/2368-10-0x0000000000270000-0x0000000000305000-memory.dmp

Filesize
596KB

Download
memory/2368-18-0x0000000000270000-0x0000000000305000-memory.dmp

Filesize
596KB

Download
memory/2368-20-0x0000000000270000-0x0000000000305000-memory.dmp

Filesize
596KB

Download
memory/2368-23-0x0000000000270000-0x0000000000305000-memory.dmp

Filesize
596KB

Download
memory/2368-8-0x0000000000270000-0x0000000000305000-memory.dmp

Filesize
596KB

Download
memory/2368-26-0x0000000000270000-0x0000000000305000-memory.dmp

Filesize
596KB

Download
memory/2896-13-0x0000000000850000-0x00000000008E5000-memory.dmp

Filesize
596KB

Download
memory/2896-19-0x0000000000850000-0x00000000008E5000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads