e7a2bffe2b81122b82e890813aca316dac45d17227030c87ddf9982cada9b8a8

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25a0db11ef49add304979deb0f256328.exe
Size

766KB
MD5

25a0db11ef49add304979deb0f256328
SHA1

de34ebd0fbaf79020bcede5c3344a562e29be1ff
SHA256

e7a2bffe2b81122b82e890813aca316dac45d17227030c87ddf9982cada9b8a8
SHA512

ed0b00de02b490c3d454b846ef47290f1fcf3b00e4ddbfe26d6b98373254f24c2374e96d32cb5e3ccb9592bcf5ae2fc3be8ce1c57245af58326645696a31f6ae
SSDEEP

12288:rzNb0JkELMDrotVa4oCvt8kOEaG1qVqaFwFHfDz2kTy/I/jWWZmrS6JeIjQ:rJ4JfLestVHoS8kO1GSqaFI/DzHWQ/j9

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c000000016c1a-4.dat	acprotect
behavioral1/files/0x000c000000016c1a-26.dat	acprotect
behavioral1/files/0x000c000000016c1a-25.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2076	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2156	Boercservice.exe

Loads dropped DLL 6 IoCs

pid	Process
2236	25a0db11ef49add304979deb0f256328.exe
2236	25a0db11ef49add304979deb0f256328.exe
2236	25a0db11ef49add304979deb0f256328.exe
2236	25a0db11ef49add304979deb0f256328.exe
2156	Boercservice.exe
2156	Boercservice.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-6-0x0000000010000000-0x000000001012A000-memory.dmp	upx
behavioral1/files/0x000c000000016c1a-4.dat	upx
behavioral1/memory/2156-33-0x0000000010000000-0x000000001012A000-memory.dmp	upx
behavioral1/files/0x000c000000016c1a-26.dat	upx
behavioral1/files/0x000c000000016c1a-25.dat	upx
behavioral1/memory/2236-42-0x0000000010000000-0x000000001012A000-memory.dmp	upx
behavioral1/memory/2156-45-0x0000000010000000-0x000000001012A000-memory.dmp	upx
behavioral1/memory/2156-49-0x0000000010000000-0x000000001012A000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Boercservice.dll	Boercservice.exe
File created	C:\Windows\SysWOW64\Boercservice.exe	25a0db11ef49add304979deb0f256328.exe
File opened for modification	C:\Windows\SysWOW64\Boercservice.exe	25a0db11ef49add304979deb0f256328.exe
File created	C:\Windows\SysWOW64\Boercservice.dll	Boercservice.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\4f73067947b8fd21e3f43f22006d2297.dat	Boercservice.exe
File opened for modification	C:\Windows\Fonts\4f73067947b8fd21e3f43f22006d2297.dat	Boercservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2236	25a0db11ef49add304979deb0f256328.exe
2156	Boercservice.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2156	Boercservice.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2236	25a0db11ef49add304979deb0f256328.exe
2156	Boercservice.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2156	2236	25a0db11ef49add304979deb0f256328.exe	28
PID 2236 wrote to memory of 2156	2236	25a0db11ef49add304979deb0f256328.exe	28
PID 2236 wrote to memory of 2156	2236	25a0db11ef49add304979deb0f256328.exe	28
PID 2236 wrote to memory of 2156	2236	25a0db11ef49add304979deb0f256328.exe	28
PID 2236 wrote to memory of 2076	2236	25a0db11ef49add304979deb0f256328.exe	30
PID 2236 wrote to memory of 2076	2236	25a0db11ef49add304979deb0f256328.exe	30
PID 2236 wrote to memory of 2076	2236	25a0db11ef49add304979deb0f256328.exe	30
PID 2236 wrote to memory of 2076	2236	25a0db11ef49add304979deb0f256328.exe	30
PID 2156 wrote to memory of 1376	2156	Boercservice.exe	19

C:\Users\Admin\AppData\Local\Temp\25a0db11ef49add304979deb0f256328.exe
"C:\Users\Admin\AppData\Local\Temp\25a0db11ef49add304979deb0f256328.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\Boercservice.exe
  C:\Windows\system32\Boercservice.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\del_file_1.bat
  2⤵
  - Deletes itself
  PID:2076

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\Exmlrpc.fne

Filesize
66KB

MD5
66e48618319014f3074d841831abdb4c

SHA1
8ab128067595f4847795b16ad9420e633044bc27

SHA256
11406fe073ce0ba7c509f1b3de53d5624968fbed04f4d30a434b86bda97d0663

SHA512
0d17dbf0acc477c88ffee5185c035170c00a8c2e5876be0d3a3bdb33421b854d0a1f7de0168250398f917a2670a0ee4630e87bf6890e4206b4c9bb7abcae85bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
69KB

MD5
05723ee0a6899db93f6ae02286948cd6

SHA1
584b3ea03f7ba2420a5c18d53204edead6e5da81

SHA256
d5e92077c1e353911c5052571d1ba60f07c405be5e151bcc44a3adce9ee533e4

SHA512
26bf7463ff6dedf9b462acd617eee3a6fc91d86dfc03de63e4e58473683465f63271911d4f9362d1ebbeeeab31474c952071bb3b635f575eef270c777fa630d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
38KB

MD5
e8437647a3dd8ef00f261a26aea37f82

SHA1
7a06bbce49fefc92d38f9745c03f6fb6527cb9f2

SHA256
69fb11ad9dc3458b524281639880207a7ac8801ed57a5bb82f960e96c74f43ae

SHA512
c00995dd72576e340bd228a95caa8c7bebc9820513cb8657415a9e14d5496da31189c772cf33bd66494b30d4d1900f929e35dac7448b44931f34117a4624cb2d

Download Submit
C:\Windows\SysWOW64\Boercservice.exe

Filesize
49KB

MD5
70be25768745994d931e6917d5e4d65b

SHA1
835cae63582ac8d83b698c191257735652a9dbd7

SHA256
8c8cf1a61640472a8e9f9eb6c8ec5a792e869282238ee0c277e41d53b1ff59ef

SHA512
f8589356a979174213e97d71dbb3867b06ee83c4a4ff1e5aafb1047133ba9c610d0162b77f238e17823126d5da2ff51bc4f4f267d95d5e54768a027f3dcea3eb

Download Submit
C:\Windows\SysWOW64\Boercservice.exe

Filesize
81KB

MD5
718f45261fd07ad6c6317147ac921713

SHA1
fce1bd6ac3b75ba5089f6d565347a6a57d262942

SHA256
991c83cf8c156fb81fd0ebf230ed5eba0fca686b07f2834a5dc1622e32d49f6c

SHA512
f6f40aa8457d4c1074aec107bb669b53518082f0d51c8442a611f4f1dfe53290eacf3cd5f2541eb91dacea4d223f41ca3404dfc63ae336d9d0f644e2a61af5c5

Download Submit
C:\Windows\SysWOW64\Boercservice.exe

Filesize
52KB

MD5
5036cabdd700f2fccba2ac1b40dff861

SHA1
bfcd36e5b13406e8ff63a0e409d339001fbafdc9

SHA256
e07d7081926aa0d6ef5316ee9fa1b227208275896bfdb227e7fe286e8a028e93

SHA512
c818c9b50d58a8ce2006416f12faabca1f046c7ad5c6b0101f52065ff7e86874dd5e9c2e45d93a7ca832e71f1b69b22517ee498b4255dde55f03562ea52d7d98

Download Submit
C:\del_file_1.bat

Filesize
207B

MD5
7416f578efbf60ed6d5e1b7fd6626bfd

SHA1
287ea92a1cc48461d3b4dcf30dbecd16411f03ed

SHA256
273a73d9f0c42a5bdf66b987e002e6753869f44e3a34825b7c60aa47b27b5214

SHA512
e768bc444e86b5ca6e417af551df265fbec8e8eb62aee527fc2563c4276b32324c8bf94bbe28b3d51196e1abe5b4ee12c6b3464c83189d9695e2e10a06e633e4

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
92KB

MD5
c0a6b89128edd8308bd888e31f474bcb

SHA1
6b5938505679e029f848abc144c510eec6b11cf1

SHA256
4d68e181045b5cdfb3f586355f86d6fd6fd56f2232fb9affb57b87d73f2e0d9f

SHA512
2e7d517c47aaa12251fe8bca4fd21340bff49c2914eb0be4a5306441f11c2ed26a21ed15f307941d4b75e4afc110d3d836e97088cd1942a835f24dc7da6dab92

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
75KB

MD5
6784032abd934d5ce20bb53de04194db

SHA1
4d6d80a8047eac909c0a8bfa8d97bf12367ba96a

SHA256
0f09735818e0a1236e5afbaea248037dafc7443e6946990a756780e0a8eff9a3

SHA512
6dd730139fb2ba686df94186264d236ee9acbb1bc8f74a2ad6ceb263beb2627bdca28d23dabcbb930c2020d65c6797f528ed6856e26ba3c8f231cb42790566a2

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
72KB

MD5
a26069f9c2798b8da818defa88352e5a

SHA1
771aa3ed503c0cef37056b6502c34a4d96bcf88e

SHA256
95932194599568abb66fb5410e5db2e933079b8edc72cbc12633960f654bfdf6

SHA512
d7099aa9bbab7f30bdc17e3cafbf41de31e1dbddd850a428673aff89a505cd13e722d43143b550b1a3851c9edeceab7817fa759ab68a307139917a5b0eb35f8e

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
26KB

MD5
00e302e9ea66f3860541cf3bc039d1a9

SHA1
56c526aeaed3a66c2b1e9adec7fde9f43bac222e

SHA256
578be66e44b42096e4dc4b5555a9cfd1757c3d12b6eac801d3178290b1f79878

SHA512
b1db906d77ebbca52615798e4bb5ee2d1a76510016a57aa8b484789b285f0bc9db232c34f0c0596046305e59c001bc0efe727bae446e5b662c2092ecc7ec763f

Download Submit
\Windows\SysWOW64\Boercservice.exe

Filesize
114KB

MD5
9e1108e57a92b5bc9353b1a31284346e

SHA1
886422152c58263407fb5759e120b4d56c4f6c73

SHA256
4e334ef4e5391ede50e0fc7004cf64c5334bdcdd3dfecf35456660af2af0e1c3

SHA512
1398ad5a88deeeb12c5f0c4113ff79c6ba308de2a1927ad2f59b6df23c450e364282d3d7d04b511dfef10a430ee5855f3a4f4e06b9a0470fb037ca36e6a9b559

Download Submit
\Windows\SysWOW64\Boercservice.exe

Filesize
31KB

MD5
d5b67c0eee832c6bf3cbda681902e277

SHA1
c461b195ff9c73762a44c735b30db06bbe85595e

SHA256
e02ee762e87f33d2a7b03a72751bd6a026eef55dd795d3913e37166d7aa66ac8

SHA512
60440511c4dc9dc079cd1a04c045caa8486b7bbca1194da9921893be8552c011c21ad5e33e94d7c1503a5a68d70581268cb6c8f530c42b77be384c5ef065cd07

Download Submit
memory/1376-48-0x00000000087C0000-0x000000000C0F9000-memory.dmp

Filesize
57.2MB

Download
memory/2156-45-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/2156-50-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2156-49-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/2156-27-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2156-33-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/2156-32-0x00000000008A0000-0x00000000008C1000-memory.dmp

Filesize
132KB

Download
memory/2236-8-0x0000000000220000-0x0000000000241000-memory.dmp

Filesize
132KB

Download
memory/2236-43-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2236-42-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/2236-6-0x0000000010000000-0x000000001012A000-memory.dmp

Filesize
1.2MB

Download
memory/2236-22-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/2236-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download