b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416

General

Target

b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
Size

4.5MB
MD5

97208007ab21ffc52c7cc01445e04fdf
SHA1

907515ad2fc262e4ddc5161703bfdd28163f2e0c
SHA256

b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416
SHA512

d0c4c087ee2164cfd064833fad70cb6dd7e665a8fdda44c67557e5b3f3ea1fac6f17fdc51a2b8e6e532d1823bc45910b1ea2fd7fede9bc12dcd467053867d66f
SSDEEP

98304:p8CWEft+AGpoPdmjfwn706B9w6rMkZFbyNQ1Ue43PZ5fMXy/1Q:OZEF+5lu7PJrWN+4B57/1Q

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Executes dropped EXE 1 IoCs

pid	Process
3100	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Loads dropped DLL 2 IoCs

pid	Process
3360	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
3100	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3360-0-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx
behavioral2/files/0x0006000000023200-10.dat	upx
behavioral2/files/0x0006000000023200-16.dat	upx
behavioral2/files/0x0006000000023200-15.dat	upx
behavioral2/memory/3100-17-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx
behavioral2/memory/3100-20-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-29-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-38-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-42-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-40-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3360-48-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx
behavioral2/memory/3100-51-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-53-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-64-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-68-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-66-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-71-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-75-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-73-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-58-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx
behavioral2/memory/3360-50-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx
behavioral2/memory/3100-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-31-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-26-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-22-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-24-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-77-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3100-81-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx
behavioral2/memory/3100-89-0x0000000000400000-0x0000000000A5E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3100	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3100	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3360	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
3100	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
3100	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
3100	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
3100	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
3100	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 3100	3360	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe	85
PID 3360 wrote to memory of 3100	3360	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe	85
PID 3360 wrote to memory of 3100	3360	b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe	85

C:\Users\Admin\AppData\Local\Temp\b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
"C:\Users\Admin\AppData\Local\Temp\b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3360
- C:\kaidisoft\changweici\b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe
  "C:\kaidisoft\changweici\b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll

Filesize
1.2MB

MD5
7c5c1f4534da903c09ea29940c2eea5a

SHA1
48a7c4ea0b344aafd55a8f107665ae7e6494ed5b

SHA256
d42954389fba1686b378bb4041f1b5c60e06c71ba777af043cbf5f8610825867

SHA512
507b0c440fac640b6f157f3b0e2db82de9d1874b7d9578946699788c554651d10760e2401342c4d8493e59ec7f213a658e46e0fe50ef7cf17fbe6cf033e5dbab

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll

Filesize
1.1MB

MD5
050de54019185fe29fb7f1135ccc1677

SHA1
52cb951dc2359bb90f556824f56f3db57b785e4f

SHA256
d4914b9c63f0d22e9179fd879b20f5294fe80e2703902cbde68ac83dcb68bac7

SHA512
900ad515becaa5938ba92fb5d9f7d09c6b9bcb2c7d50965d99e75287ae6eea1efb11960cb00877ae211c22f592386e4029580c0619697292a80428dc3b52a7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll

Filesize
3.4MB

MD5
e8c5470d42062dd7af01f67cc7c396fd

SHA1
a63234c9a2acaab54485841d4fb05d1f589c57d9

SHA256
9039d3eef9f8dc6eda9e29408f5affc559c2ca957cbbaf8974e7653ea92203b6

SHA512
d987b72aecd908326ea428a524d31e7dd89fc50b875bc8305a7eb33fde280799be0a2244a73092acba19f0736f115c7e7bdfb5ee89fb0b6b8a03e81e24c9bb6b

Download Submit
C:\kaidisoft\changweici\b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Filesize
3.3MB

MD5
e48b236716fce7d1316ce2eef9f85f11

SHA1
96561202a76bc22cfcc8734833045e76fd9e32b3

SHA256
c735f4255cba58c20e1c0a06b89563e7bd0eae0d87953dbdeeff4162476a7d92

SHA512
95cc61de1ed79581c9e54e71049bd2dd65e7e3c7fbbf0bd893a314693f4ff7616c1f55c900df188cc51316cc056a7c3aa495ba9b07d51e9bbe5eed0f4c2f242c

Download Submit
C:\kaidisoft\changweici\b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Filesize
2.3MB

MD5
15cf65daf938970d59c7cf19d93c1d90

SHA1
1ea759bb24e66752176279f523f9a99d6a546e6d

SHA256
471ea0558972f059d0a0fb3a70bcd1cf8b459a90186d57eaa7418ce9e5540acd

SHA512
0c8376d29badd64cd62208aa7174bf2d39be1fd8929bc4dc63f44df4920c762cee2f9c69a38a414c1e5b49e29752387fd69d1a2af6949c644e11285b3336ad33

Download Submit
C:\kaidisoft\changweici\b0f79cc681ff3a9873d3f2865de774982d8dc691e1cd33e79e18b226aeeb9416.exe

Filesize
3.0MB

MD5
d38fb44df68c4b1d0ef27ad3a668f35e

SHA1
fe870176309e48559d9f86686500395b76137803

SHA256
cd685f11465a01705bda655d9776fb452f505a8dbe4fd5ee4af89b650f7171fb

SHA512
ba67d5bdcc31eabd4a7872f9d4aa621ab7bd61e56be182ce95cbfacd8c151d3e227ecc772bef868e51d778fa989c842baf59e3dfad2ef6820be851e936df8ae1

Download Submit
memory/3100-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-66-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-20-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-29-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-38-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-42-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-40-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-89-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/3100-51-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-53-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-83-0x0000000075DC0000-0x0000000075F60000-memory.dmp

Filesize
1.6MB

Download
memory/3100-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-68-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-17-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/3100-71-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-75-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-73-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-58-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/3100-81-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/3100-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-31-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-26-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-22-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-24-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3100-76-0x0000000075DC0000-0x0000000075F60000-memory.dmp

Filesize
1.6MB

Download
memory/3100-77-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3360-50-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/3360-0-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/3360-48-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads