b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
Size

4.5MB
MD5

97208007ab21ffc52c7cc01445e04fdf
SHA1

907515ad2fc262e4ddc5161703bfdd28163f2e0c
SHA256

b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416
SHA512

d0c4c087ee2164cfd064833fad70cb6dd7e665a8fdda44c67557e5b3f3ea1fac6f17fdc51a2b8e6e532d1823bc45910b1ea2fd7fede9bc12dcd467053867d66f
SSDEEP

98304:p8CWEft+AGpoPdmjfwn706B9w6rMkZFbyNQ1Ue43PZ5fMXy/1Q:OZEF+5lu7PJrWN+4B57/1Q

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1936	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Loads dropped DLL 4 IoCs

pid	Process
1724	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
1724	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
1936	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
1936	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1724-0-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx
behavioral1/files/0x0007000000016c8c-7.dat	upx
behavioral1/memory/1936-11-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/1936-15-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-17-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-20-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-27-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-35-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-33-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-31-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-29-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-49-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-51-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-53-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-55-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/1936-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-37-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-64-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1936-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-66-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/1936-67-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/1936-68-0x00000000761B0000-0x00000000762B0000-memory.dmp	upx
behavioral1/files/0x0007000000016c8c-71.dat	upx
behavioral1/memory/1936-74-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/1936-80-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/1936-83-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1936	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1936	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1724	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
1936	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
1936	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
1936	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
1936	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
1936	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1936	1724	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe	28
PID 1724 wrote to memory of 1936	1724	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe	28
PID 1724 wrote to memory of 1936	1724	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe	28
PID 1724 wrote to memory of 1936	1724	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe	28

C:\Users\Admin\AppData\Local\Temp\b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
"C:\Users\Admin\AppData\Local\Temp\b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724
- C:\kaidisoft\changweici\b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
  "C:\kaidisoft\changweici\b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll

Filesize
4.3MB

MD5
72528a135161ae9e2baff8d0d716836b

SHA1
630975ccac6bcb2adc9ce252fce236c23f7913ae

SHA256
853b4a9a6d99bab17c570fb7b081ded73cf8d6a7c8d7c1a182fb67395d7312b1

SHA512
0093b094306937052b6e2461c7da6f61c8d40701423c740c056ab856ae8cdf1d503ed825c47b00bd58a4f0746ef6cff35fbfce8d1aa205170c2b5213e0336f3b

Download Submit
\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll

Filesize
5.3MB

MD5
7b5b409205ad3c0b0fe0c6ff64b5feda

SHA1
62ba1c6ee8d43315046e7c8613afbf5de6e4b6f4

SHA256
f47ec0193554e8e02afc9921539e50854b64db8225974e2004b8fd1538f31818

SHA512
52fa9ea96ceaf090458bd361365de452c5fed63204de451b60ff34dade065468c9d751616fdab78e28595f1c3b2f3f5215eb2531e8fa0969c996c466f43b6123

Download Submit
\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll

Filesize
10.6MB

MD5
50c266e46ccf9bc8956279f78d51f205

SHA1
0ba5b98a91a9a019cd9b87cf01796c65ee6a0839

SHA256
c58e066a293ff260037487d37e37bf3d890c16383d817c7573dab51c514cbd00

SHA512
7350a82820faeba3172fad3d87b04c6a2967b797a321a78a53e7156c37fed4661a66d2f78e2f3ddbcbc0d10a56f5d761f7eb761f05d2841568b34841c17e0d37

Download Submit
\kaidisoft\changweici\b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Filesize
4.5MB

MD5
97208007ab21ffc52c7cc01445e04fdf

SHA1
907515ad2fc262e4ddc5161703bfdd28163f2e0c

SHA256
b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416

SHA512
d0c4c087ee2164cfd064833fad70cb6dd7e665a8fdda44c67557e5b3f3ea1fac6f17fdc51a2b8e6e532d1823bc45910b1ea2fd7fede9bc12dcd467053867d66f

Download Submit
\kaidisoft\changweici\b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Filesize
866KB

MD5
21d897cd022552fddb5c96f6cbac9da0

SHA1
a88b60acec3b752a0d1a4f02984405d2a573c99d

SHA256
2101ddce70649967303b62e7a1e0d8dfa3bf45f4b1a14b2a74dc64687af28797

SHA512
455c1e61654b065895a00b36f779cebb893dc64331acfd782bbbb5ba26b3fb9634ead08167acf7605a7b684d8754668390a184b31dbe793404abbb885bc0e380

Download Submit
memory/1724-0-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/1724-66-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/1724-57-0x0000000003240000-0x000000000389E000-memory.dmp

Filesize
6.4MB

Download
memory/1724-55-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/1936-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-20-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-27-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-35-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-33-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-31-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-29-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-49-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-51-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-53-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-17-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-37-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-15-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-67-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/1936-68-0x00000000761B0000-0x00000000762B0000-memory.dmp

Filesize
1024KB

Download
memory/1936-11-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/1936-73-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/1936-74-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/1936-76-0x00000000761B0000-0x00000000762B0000-memory.dmp

Filesize
1024KB

Download
memory/1936-77-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/1936-80-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/1936-83-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads