e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5

General

Target

e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe
Size

3.3MB
MD5

96bb66bb94492869f3e7788ff4a3a35d
SHA1

4b34bf128d3848063789ddc4bb2e19b523afb4c6
SHA256

e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5
SHA512

30dd67af9064cb0c331409f03fa6a41b4428800139e6ccfe1b06bf6b95f89b789c16a78428a2cd64a99900e2626c49b4e9c3dacda73e8db382bc6e5bc05fb7e9
SSDEEP

98304:daFG1JbAC8so6/O2PHyVpooHGL4ygj3vAs6l:xj8NSHdoH8W3vAJ

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0003000000022e38-9.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
4540	e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000022e38-9.dat	upx
behavioral2/memory/4540-12-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-15-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-22-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-23-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-26-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-27-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-28-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-29-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-30-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-31-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-32-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-33-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-34-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-35-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-38-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-39-0x0000000010000000-0x00000000102D5000-memory.dmp	upx
behavioral2/memory/4540-40-0x0000000010000000-0x00000000102D5000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?k420182162"	e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4540	e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4540	e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe
4540	e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe

C:\Users\Admin\AppData\Local\Temp\e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe
"C:\Users\Admin\AppData\Local\Temp\e427e764efd931d2750c74f423292018ffb228724d56d3318155fc9d62bdd9f5.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer start page
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dm.dll

Filesize
2.2MB

MD5
acaf36d6b9fa9aa3f7ba9be68f866c28

SHA1
82b5a9fd6fa94d1e21036db9bc1843f55e7f55f1

SHA256
44ad8beaa498c520f0bbb793ecc51b2b9566ba85a46c4cf5ebf6014b0b91c16c

SHA512
bb393831048f8f71eac3a6628d9b330d1e8f129dba35f264ae650d1543bdc8e01fb0f3b7eb9bcb4181c918a49ca49e6fd2d82663bb2ec8795c0b04233942d4b9

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
a5fcd39c6abb106243ed77a7ef31f406

SHA1
f52010493b4be7b2a5ed1a8d108d7d06800b0fae

SHA256
b74be6199aaff0f8e146d2837fd499675e37832c5837eec094a4a6a826c9c02b

SHA512
bae1f9c3f901351736404065fe8282cec3f1728cf5d116fc53a3634e879d508297a5c46259b1619b576011eef3eb8560505de6f2d9fb281fbd643a02aff6c07c

Download Submit
memory/4540-25-0x0000000073240000-0x0000000073690000-memory.dmp

Filesize
4.3MB

Download
memory/4540-35-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-14-0x00000000757D0000-0x0000000075866000-memory.dmp

Filesize
600KB

Download
memory/4540-15-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-16-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/4540-17-0x0000000073240000-0x0000000073690000-memory.dmp

Filesize
4.3MB

Download
memory/4540-18-0x0000000073240000-0x0000000073690000-memory.dmp

Filesize
4.3MB

Download
memory/4540-19-0x0000000073240000-0x0000000073690000-memory.dmp

Filesize
4.3MB

Download
memory/4540-20-0x00000000037A0000-0x00000000037AC000-memory.dmp

Filesize
48KB

Download
memory/4540-21-0x0000000073240000-0x0000000073690000-memory.dmp

Filesize
4.3MB

Download
memory/4540-22-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-23-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-12-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-8-0x00000000037A0000-0x00000000037AC000-memory.dmp

Filesize
48KB

Download
memory/4540-31-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-28-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-29-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-30-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-27-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-32-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-33-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-34-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-26-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-38-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-39-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/4540-40-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads