ec084fde2bc14fbfee8cc2a1b6f9c21b7aa5ab69f1172cdee6206aaa7e8f795c

General

Target

1f1062b09aeb776b65fb5c77e11f267e.exe
Size

287KB
MD5

1f1062b09aeb776b65fb5c77e11f267e
SHA1

2c3c0136456bbe96921ce89f09c9a76f3e8d44ab
SHA256

ec084fde2bc14fbfee8cc2a1b6f9c21b7aa5ab69f1172cdee6206aaa7e8f795c
SHA512

7d860b3423e10ce0949bdd41cb1fd0fd873f16b5edf8b49d1ec607e66555e0c3d1a8503611280dc3d4c49d761997e5d9d74d97685e40bbde01d2cfbb45bc267f
SSDEEP

6144:0/2MRXFyS71OZz+2e92RM0gOALzsbRHkUuruxFstiVclw8bIELXR2neoS:uFFyS71OZz+nTOALobRHkUxFskVcq8tp

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RemoteServer\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\RemoteServer.dll"	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023146-4.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	1f1062b09aeb776b65fb5c77e11f267e.exe

Deletes itself 1 IoCs

pid	Process
2664	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2664	rundll32.exe
5012	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023146-4.dat	upx
behavioral2/memory/2664-6-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/2664-13-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/5012-15-0x0000000000400000-0x0000000000495000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\3B275A5A.fn	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2664	1860	1f1062b09aeb776b65fb5c77e11f267e.exe	92
PID 1860 wrote to memory of 2664	1860	1f1062b09aeb776b65fb5c77e11f267e.exe	92
PID 1860 wrote to memory of 2664	1860	1f1062b09aeb776b65fb5c77e11f267e.exe	92

C:\Users\Admin\AppData\Local\Temp\1f1062b09aeb776b65fb5c77e11f267e.exe
"C:\Users\Admin\AppData\Local\Temp\1f1062b09aeb776b65fb5c77e11f267e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\RemoteServer.dll" InstallService
  2⤵
  - Sets DLL path for service in the registry
  - Deletes itself
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  PID:2664

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s RemoteServer
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tempfl.txt

Filesize
72B

MD5
c43f4e928de0823dbd31b1ca5466eb84

SHA1
8c7d06549357d3cfda433e85f436737e27177d46

SHA256
c412be6dedad714ca127a0c78caa767c50f6c6f9dc547b3246467e17f0376283

SHA512
e4df97d339672adef38d5d6494a5f8220f92a62beca2af57e78a7c4321c0a3a3df48be78a5b11c73c182bac9c309079d2c30ab0e5050c85cefe89a09238f52a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\RemoteServer.dll

Filesize
195KB

MD5
805031d61469c8e7932d653d52676cad

SHA1
3dcbc4d2f6e51edb49569d37a3cdfeef7bf52b8e

SHA256
905866b53f7f611bd13dbdffbc01cd83a86c7139f9b84bbb68fcbc60c7744d0a

SHA512
6b97032005d4b8796b7e4710ed396fc7f7e5ceb351e9816b18de72a2f194409638acea510c1a629e8dc6b91be28708c411887bf97e239dc21cfb77dde774c13e

Download Submit
C:\Windows\SysWOW64\3B275A5A.fn

Filesize
68B

MD5
c24dcd412d8e53eca72caeb77dd809a5

SHA1
3456cb00877262dd6eb91fd536644b535f9efb62

SHA256
f5b4648e87d532a19d0cf7e8a994f108da28e15cd4eb4cac5f355911586fa5cf

SHA512
f56e76ad92e0d4caeabf800d8d7d91918fb3704b7504700db08533570b3641a03000dd549aa69384d77d06270601557e318d0b4c1bf998622f4cfa0624b957b8

Download Submit
memory/1860-1-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1860-3-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2664-6-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2664-13-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/5012-15-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads