e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5

General

Target

e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe
Size

3.3MB
MD5

96bb66bb94492869f3e7788ff4a3a35d
SHA1

4b34bf128d3848063789ddc4bb2e19b523afb4c6
SHA256

e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5
SHA512

30dd67af9064cb0c331409f03fa6a41b4428800139e6ccfe1b06bf6b95f89b789c16a78428a2cd64a99900e2626c49b4e9c3dacda73e8db382bc6e5bc05fb7e9
SSDEEP

98304:daFG1JbAC8so6/O2PHyVpooHGL4ygj3vAs6l:xj8NSHdoH8W3vAJ

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00040000000121f9-11.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
3048	e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00040000000121f9-11.dat	upx
behavioral1/memory/3048-13-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-23-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-25-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-31-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-34-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-36-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-37-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-38-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-39-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-40-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-41-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-42-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-43-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-46-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-47-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral1/memory/3048-48-0x0000000010000000-0x00000000102D5000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?knjx919545505"	e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3048	e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3048	e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe
3048	e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe

C:\Users\Admin\AppData\Local\Temp\e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe
"C:\Users\Admin\AppData\Local\Temp\e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer start page
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
4549550e2a5d8ffd3c5eb450baf2fa56

SHA1
513f02a936c4d7a49f80b0bc9d5bbc6da9bf6b52

SHA256
06a0ed2e6d5c52c12bae19f49a34f58862a1b67ae05730eede6bfa18d260faa3

SHA512
1932754facb8cc7a5073113e1e3035379341979856a6578c792bbcbe37e29de6691654586817c69cd4e03fd2e94f8cd8338ff93f93747034681ba3082821ce36

Download Submit
\Users\Admin\AppData\Local\Temp\dm.dll

Filesize
2.2MB

MD5
acaf36d6b9fa9aa3f7ba9be68f866c28

SHA1
82b5a9fd6fa94d1e21036db9bc1843f55e7f55f1

SHA256
44ad8beaa498c520f0bbb793ecc51b2b9566ba85a46c4cf5ebf6014b0b91c16c

SHA512
bb393831048f8f71eac3a6628d9b330d1e8f129dba35f264ae650d1543bdc8e01fb0f3b7eb9bcb4181c918a49ca49e6fd2d82663bb2ec8795c0b04233942d4b9

Download Submit
memory/3048-29-0x0000000003070000-0x000000000307A000-memory.dmp

Filesize
40KB

Download
memory/3048-19-0x0000000077490000-0x0000000077654000-memory.dmp

Filesize
1.8MB

Download
memory/3048-13-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-15-0x00000000761B0000-0x000000007623F000-memory.dmp

Filesize
572KB

Download
memory/3048-0-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3048-16-0x0000000003070000-0x000000000307A000-memory.dmp

Filesize
40KB

Download
memory/3048-18-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/3048-30-0x0000000003070000-0x000000000307A000-memory.dmp

Filesize
40KB

Download
memory/3048-20-0x0000000077490000-0x0000000077654000-memory.dmp

Filesize
1.8MB

Download
memory/3048-31-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-22-0x0000000077490000-0x0000000077654000-memory.dmp

Filesize
1.8MB

Download
memory/3048-23-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-24-0x00000000021D0000-0x00000000021DC000-memory.dmp

Filesize
48KB

Download
memory/3048-25-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-26-0x0000000077490000-0x0000000077654000-memory.dmp

Filesize
1.8MB

Download
memory/3048-27-0x00000000761B0000-0x000000007623F000-memory.dmp

Filesize
572KB

Download
memory/3048-17-0x0000000003070000-0x000000000307A000-memory.dmp

Filesize
40KB

Download
memory/3048-9-0x00000000021D0000-0x00000000021DC000-memory.dmp

Filesize
48KB

Download
memory/3048-21-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3048-32-0x0000000077490000-0x0000000077654000-memory.dmp

Filesize
1.8MB

Download
memory/3048-33-0x0000000077490000-0x0000000077654000-memory.dmp

Filesize
1.8MB

Download
memory/3048-34-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-35-0x0000000077490000-0x0000000077654000-memory.dmp

Filesize
1.8MB

Download
memory/3048-36-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-37-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-38-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-39-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-40-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-41-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-42-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-43-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-46-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-47-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/3048-48-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads