2b2de1b02613f59e753162774da546108df77d83f38178eb51c902d82c64d703

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72c456c776e0e6d7eb490a710a500cb3.exe
Size

1.1MB
MD5

72c456c776e0e6d7eb490a710a500cb3
SHA1

1e19a15a293729e7ff87ad952995adc0a5353c9e
SHA256

2b2de1b02613f59e753162774da546108df77d83f38178eb51c902d82c64d703
SHA512

374390877dda037f9f7d437517ebbd9aa2af1b0afe44b9a644fffab5791677e5d037c427ac73dd3b3fa0de56b395a5934458c4ef2468c532a356e896695339f1
SSDEEP

24576:VB5AoWCGOCCW1WVKOqmzYpnVa/F+fw8SyiQ57RzeY0WCLfUYz+uP:P5AoWCnLW1IKK5D82Q57RJVyUiX

Score

7^/10

bootkit persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00080000000231f7-1.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
5008	72c456c776e0e6d7eb490a710a500cb3.exe
4056	72c456c776e0e6d7eb490a710a500cb3.exe
1660	72c456c776e0e6d7eb490a710a500cb3.exe
1516	72c456c776e0e6d7eb490a710a500cb3.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	72c456c776e0e6d7eb490a710a500cb3.exe
File opened for modification	\??\PhysicalDrive0	72c456c776e0e6d7eb490a710a500cb3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1516	72c456c776e0e6d7eb490a710a500cb3.exe
1516	72c456c776e0e6d7eb490a710a500cb3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	72c456c776e0e6d7eb490a710a500cb3.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1516	72c456c776e0e6d7eb490a710a500cb3.exe
1516	72c456c776e0e6d7eb490a710a500cb3.exe
1516	72c456c776e0e6d7eb490a710a500cb3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 4056	5008	72c456c776e0e6d7eb490a710a500cb3.exe	90
PID 5008 wrote to memory of 4056	5008	72c456c776e0e6d7eb490a710a500cb3.exe	90
PID 5008 wrote to memory of 4056	5008	72c456c776e0e6d7eb490a710a500cb3.exe	90
PID 4056 wrote to memory of 1660	4056	72c456c776e0e6d7eb490a710a500cb3.exe	87
PID 4056 wrote to memory of 1660	4056	72c456c776e0e6d7eb490a710a500cb3.exe	87
PID 4056 wrote to memory of 1660	4056	72c456c776e0e6d7eb490a710a500cb3.exe	87
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89
PID 1660 wrote to memory of 1516	1660	72c456c776e0e6d7eb490a710a500cb3.exe	89

C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe
"C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe
  C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe -EPEDEBUGFLAG
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:4056

C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe
C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe -EPEDEBUGFLAG
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe
  C:\Users\Admin\AppData\Local\Temp\72c456c776e0e6d7eb490a710a500cb3.exe
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\V220090726.EPE

Filesize
477KB

MD5
ca2ac02906ea3dd183678ebff7f3354d

SHA1
e1661ae1280b6a5bb56f954672e298ab93b15868

SHA256
962f7d1d251db7bb422e8add837e7efd78528b005b41c58fab71d130920863d7

SHA512
7ecc03726a1412580d575a1b193d4893c1a7375bae313a9f2f83fab1fec28ee6ec928a1a8a6507200b9c0bcecb58c55fd69037ef0015952521f978cd20ee3a33

Download Submit
memory/1516-67-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-32-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-137-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1516-120-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1516-69-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-65-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-14-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1516-93-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/1516-88-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1516-13-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/1516-87-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/1516-25-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-34-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-20-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/1516-35-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1516-40-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-24-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-26-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/1516-29-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-61-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/1516-38-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-44-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1516-42-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-49-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-45-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-57-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-63-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-73-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-79-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-77-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-75-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-71-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-52-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-54-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-99-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/1516-59-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1516-81-0x0000000002A40000-0x0000000002A91000-memory.dmp

Filesize
324KB

Download
memory/1660-82-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-8-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-167-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-163-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-138-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-46-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-22-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-23-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-80-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-16-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-21-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-19-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-121-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-98-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-86-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/1660-9-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/1660-15-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/4056-4-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/4056-130-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/4056-84-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/4056-180-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/4056-119-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/4056-5-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/4056-18-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/4056-96-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/4056-6-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/4056-164-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/5008-2-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download
memory/5008-10-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/5008-0-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/5008-11-0x0000000071120000-0x0000000071265000-memory.dmp

Filesize
1.3MB

Download