2b2de1b02613f59e753162774da546108df77d83f38178eb51c902d82c64d703

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72c456c776e0e6d7eb490a710a500cb3.exe
Size

1.1MB
MD5

72c456c776e0e6d7eb490a710a500cb3
SHA1

1e19a15a293729e7ff87ad952995adc0a5353c9e
SHA256

2b2de1b02613f59e753162774da546108df77d83f38178eb51c902d82c64d703
SHA512

374390877dda037f9f7d437517ebbd9aa2af1b0afe44b9a644fffab5791677e5d037c427ac73dd3b3fa0de56b395a5934458c4ef2468c532a356e896695339f1
SSDEEP

24576:VB5AoWCGOCCW1WVKOqmzYpnVa/F+fw8SyiQ57RzeY0WCLfUYz+uP:P5AoWCnLW1IKK5D82Q57RJVyUiX

Score

7^/10

bootkit persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a000000013a1a-0.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
2816	72c456c776e0e6d7eb490a710a500cb3.exe
2876	72c456c776e0e6d7eb490a710a500cb3.exe
3000	72c456c776e0e6d7eb490a710a500cb3.exe
3068	72c456c776e0e6d7eb490a710a500cb3.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	72c456c776e0e6d7eb490a710a500cb3.exe
File opened for modification	\??\PhysicalDrive0	72c456c776e0e6d7eb490a710a500cb3.exe
File opened for modification	\??\PhysicalDrive0	72c456c776e0e6d7eb490a710a500cb3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2876 set thread context of 3000	2876	72c456c776e0e6d7eb490a710a500cb3.exe	29
PID 3000 set thread context of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3000	72c456c776e0e6d7eb490a710a500cb3.exe
3000	72c456c776e0e6d7eb490a710a500cb3.exe
3068	72c456c776e0e6d7eb490a710a500cb3.exe
3068	72c456c776e0e6d7eb490a710a500cb3.exe
2876	72c456c776e0e6d7eb490a710a500cb3.exe
2876	72c456c776e0e6d7eb490a710a500cb3.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	72c456c776e0e6d7eb490a710a500cb3.exe
Token: SeDebugPrivilege	3068	72c456c776e0e6d7eb490a710a500cb3.exe
Token: SeDebugPrivilege	2876	72c456c776e0e6d7eb490a710a500cb3.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3068	72c456c776e0e6d7eb490a710a500cb3.exe
3068	72c456c776e0e6d7eb490a710a500cb3.exe
3068	72c456c776e0e6d7eb490a710a500cb3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2876	2816	72c456c776e0e6d7eb490a710a500cb3.exe	28
PID 2816 wrote to memory of 2876	2816	72c456c776e0e6d7eb490a710a500cb3.exe	28
PID 2816 wrote to memory of 2876	2816	72c456c776e0e6d7eb490a710a500cb3.exe	28
PID 2816 wrote to memory of 2876	2816	72c456c776e0e6d7eb490a710a500cb3.exe	28
PID 2876 wrote to memory of 3000	2876	72c456c776e0e6d7eb490a710a500cb3.exe	29
PID 2876 wrote to memory of 3000	2876	72c456c776e0e6d7eb490a710a500cb3.exe	29
PID 2876 wrote to memory of 3000	2876	72c456c776e0e6d7eb490a710a500cb3.exe	29
PID 2876 wrote to memory of 3000	2876	72c456c776e0e6d7eb490a710a500cb3.exe	29
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30
PID 3000 wrote to memory of 3068	3000	72c456c776e0e6d7eb490a710a500cb3.exe	30

C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe
"C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe
  C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe -EPEDEBUGFLAG
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe
    C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe -EPEDEBUGFLAG
    3⤵
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe
      C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe
      4⤵
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\V220090726.EPE

Filesize
477KB

MD5
ca2ac02906ea3dd183678ebff7f3354d

SHA1
e1661ae1280b6a5bb56f954672e298ab93b15868

SHA256
962f7d1d251db7bb422e8add837e7efd78528b005b41c58fab71d130920863d7

SHA512
7ecc03726a1412580d575a1b193d4893c1a7375bae313a9f2f83fab1fec28ee6ec928a1a8a6507200b9c0bcecb58c55fd69037ef0015952521f978cd20ee3a33

Download Submit
memory/2816-1-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2816-2-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/2816-4-0x00000000029D0000-0x0000000002C84000-memory.dmp

Filesize
2.7MB

Download
memory/2816-11-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2816-13-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/2876-5-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/2876-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2876-10-0x00000000034C0000-0x0000000003774000-memory.dmp

Filesize
2.7MB

Download
memory/2876-6-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2876-60-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3000-14-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3000-379-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3000-18-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3000-62-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3000-620-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3000-466-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3000-431-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3000-74-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3000-339-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3000-332-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3000-266-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3000-79-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3000-160-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3000-9-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-85-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/3068-76-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/3068-48-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-52-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-50-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-53-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-38-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-34-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-55-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-33-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-57-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-64-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-59-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-65-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-67-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-71-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-40-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-77-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-80-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/3068-89-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/3068-87-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/3068-42-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-149-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-147-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/3068-83-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/3068-81-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/3068-36-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-190-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-15-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-229-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-254-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-16-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3068-268-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-46-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-334-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/3068-336-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/3068-28-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-29-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-17-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-377-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-403-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-401-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-338-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-26-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-429-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-449-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-22-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-483-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-485-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-519-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-604-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-606-0x0000000003460000-0x00000000034B1000-memory.dmp

Filesize
324KB

Download
memory/3068-618-0x0000000003460000-0x00000000034B1000-memory.dmp

Filesize
324KB

Download
memory/3068-622-0x0000000003460000-0x00000000034B1000-memory.dmp

Filesize
324KB

Download
memory/3068-24-0x00000000022D0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/3068-630-0x0000000003460000-0x00000000034B1000-memory.dmp

Filesize
324KB

Download
memory/3068-628-0x0000000003460000-0x00000000034B1000-memory.dmp

Filesize
324KB

Download
memory/3068-643-0x0000000003460000-0x00000000034B1000-memory.dmp

Filesize
324KB

Download
memory/3068-652-0x0000000003460000-0x00000000034B1000-memory.dmp

Filesize
324KB

Download
memory/3068-656-0x0000000003460000-0x00000000034B1000-memory.dmp

Filesize
324KB

Download
memory/3068-664-0x0000000003460000-0x00000000034B1000-memory.dmp

Filesize
324KB

Download
memory/3068-648-0x0000000003460000-0x00000000034B1000-memory.dmp

Filesize
324KB

Download
memory/3068-673-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-683-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-682-0x0000000003460000-0x00000000034B1000-memory.dmp

Filesize
324KB

Download
memory/3068-695-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-741-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/3068-758-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download