25eb9e2f13d2f8cfabd7366ae5c598ffd4cb86e1a3b00f0357cb67364f1b5f02

General

Target

5415e23892d2d009bf0f427337968448.exe
Size

329KB
MD5

5415e23892d2d009bf0f427337968448
SHA1

134a495a64a0e72776789ca4c7daa00dbe8b8eaf
SHA256

25eb9e2f13d2f8cfabd7366ae5c598ffd4cb86e1a3b00f0357cb67364f1b5f02
SHA512

66403d91fdf9cae237b1e9a24b889134eb10112652443abf9ecfde05500b09174c8f78d0223ad3e6f16d8753a23bf716ab9bfa62d4d88f94f8f8e8b18f058ac2
SSDEEP

6144:fePJYhcvhLxotp++sCTHUIKz3JWGYBjWo8XTDNl4KqRqml+RoqKG7e/z:fePJYIh9of++skOYBjDoDNlaRqmuDmz

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/860-0-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral1/memory/860-61-0x0000000000400000-0x00000000004BC000-memory.dmp	upx
behavioral1/memory/860-67-0x0000000000400000-0x00000000004BC000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\z:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\g:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\q:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\t:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\v:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\w:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\n:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\i:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\j:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\l:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\m:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\u:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\x:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\y:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\e:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\k:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\p:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\r:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\s:	5415e23892d2d009bf0f427337968448.exe
File opened (read-only)	\??\h:	5415e23892d2d009bf0f427337968448.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	5415e23892d2d009bf0f427337968448.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\SAItest.txt	5415e23892d2d009bf0f427337968448.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	5415e23892d2d009bf0f427337968448.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	5415e23892d2d009bf0f427337968448.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	5415e23892d2d009bf0f427337968448.exe

C:\Users\Admin\AppData\Local\Temp\5415e23892d2d009bf0f427337968448.exe
"C:\Users\Admin\AppData\Local\Temp\5415e23892d2d009bf0f427337968448.exe"
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies system certificate store
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab4AB8.tmp

Filesize
7KB

MD5
fe5c4c96a7616471e3b8d48eb9e25b06

SHA1
ec3a36dc343664add1cc4e5c239fe2397fcfc989

SHA256
c57dd23b99e7c3b613e78264f9dddbd876ea27b1a8edaee385ec43c05cc4d974

SHA512
dfadf927599083d22e34205437f332aea5ac7d9aace4c02bef98d3ff650e270c3e2abc4043d56d337df56c08adb4e4b38e00dfdfa90bf44d22d921f3d6889e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4AEA.tmp

Filesize
16KB

MD5
4bdfab600d4a330bf243ddd202d68f8f

SHA1
3cf3288feba422c80337a43387e67453a74b29f3

SHA256
1ed8beefc13fe887b5b4e7cd00dbfa66fb84a46f351c3b575b61ccc158bf4cd0

SHA512
221c29cb50fd9fc9334c2e220f493767b16910fbb802cedf91a87e6c1e0bb1916089a166c90f120881f3f00d397159a38a3b5e4f7e657d0355314fc05c347a5a

Download Submit
memory/860-0-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/860-61-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/860-67-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads