9ad5b6561b59d7d09dfa13f8348182ccb328102223a7c6707b4757952d9f4d98

Analysis

max time kernel
40s
max time network
46s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 13:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c37db88b9bdfbd4620104f12f8860a9d.exe
Size

440KB
MD5

c37db88b9bdfbd4620104f12f8860a9d
SHA1

7ff5dd22c38f392808f5112183105c7620cf6ff1
SHA256

9ad5b6561b59d7d09dfa13f8348182ccb328102223a7c6707b4757952d9f4d98
SHA512

c674beb784c5346101e790b73d75e67665c9370644b85a6378730e5a32a79820b2ef6bfe1ae2f4bee83384fac21ce22e7ef46f7355f8c412aad81ecebb735b30
SSDEEP

12288:6XCc27a9mK2NDzeSEMtLOKQ82UwR36RRCDPcILs8o:gozK2NDSSBzQ82BR36RsDPL9o

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2488	ic7.exe
2840	1EuroP.exe
2832	2IC.exe
2512	3E4U - Bucks.exe
2392	6tbp.exe
2472	IR.exe
2920	6ufv.exe

Loads dropped DLL 44 IoCs

pid	Process
2972	c37db88b9bdfbd4620104f12f8860a9d.exe
2972	c37db88b9bdfbd4620104f12f8860a9d.exe
2488	ic7.exe
2488	ic7.exe
2488	ic7.exe
2972	c37db88b9bdfbd4620104f12f8860a9d.exe
2840	1EuroP.exe
2840	1EuroP.exe
2972	c37db88b9bdfbd4620104f12f8860a9d.exe
2972	c37db88b9bdfbd4620104f12f8860a9d.exe
2972	c37db88b9bdfbd4620104f12f8860a9d.exe
2832	2IC.exe
2832	2IC.exe
2832	2IC.exe
2972	c37db88b9bdfbd4620104f12f8860a9d.exe
2512	3E4U - Bucks.exe
2512	3E4U - Bucks.exe
2512	3E4U - Bucks.exe
2972	c37db88b9bdfbd4620104f12f8860a9d.exe
2972	c37db88b9bdfbd4620104f12f8860a9d.exe
2972	c37db88b9bdfbd4620104f12f8860a9d.exe
2972	c37db88b9bdfbd4620104f12f8860a9d.exe
2392	6tbp.exe
2392	6tbp.exe
2392	6tbp.exe
2472	IR.exe
2472	IR.exe
2472	IR.exe
2704	rundll32.exe
2704	rundll32.exe
2704	rundll32.exe
2704	rundll32.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
1756	rundll32.exe
1756	rundll32.exe
1756	rundll32.exe
1756	rundll32.exe
2760	WerFault.exe
2472	IR.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016ced-79.dat	upx
behavioral1/memory/2472-72-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2472-123-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tyeguqewidumu = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\atus40ub.dll\",Startup"	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	2IC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2760	2512	WerFault.exe	31

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IR.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2704	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2832	2IC.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2392	6tbp.exe
2704	rundll32.exe
1756	rundll32.exe
2472	IR.exe
2472	IR.exe
2472	IR.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2488	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	28
PID 2972 wrote to memory of 2488	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	28
PID 2972 wrote to memory of 2488	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	28
PID 2972 wrote to memory of 2488	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	28
PID 2972 wrote to memory of 2488	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	28
PID 2972 wrote to memory of 2488	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	28
PID 2972 wrote to memory of 2488	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	28
PID 2972 wrote to memory of 2840	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	29
PID 2972 wrote to memory of 2840	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	29
PID 2972 wrote to memory of 2840	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	29
PID 2972 wrote to memory of 2840	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	29
PID 2972 wrote to memory of 2840	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	29
PID 2972 wrote to memory of 2840	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	29
PID 2972 wrote to memory of 2840	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	29
PID 2972 wrote to memory of 2832	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	30
PID 2972 wrote to memory of 2832	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	30
PID 2972 wrote to memory of 2832	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	30
PID 2972 wrote to memory of 2832	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	30
PID 2972 wrote to memory of 2832	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	30
PID 2972 wrote to memory of 2832	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	30
PID 2972 wrote to memory of 2832	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	30
PID 2972 wrote to memory of 2512	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	31
PID 2972 wrote to memory of 2512	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	31
PID 2972 wrote to memory of 2512	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	31
PID 2972 wrote to memory of 2512	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	31
PID 2972 wrote to memory of 2512	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	31
PID 2972 wrote to memory of 2512	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	31
PID 2972 wrote to memory of 2512	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	31
PID 2972 wrote to memory of 2392	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	32
PID 2972 wrote to memory of 2392	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	32
PID 2972 wrote to memory of 2392	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	32
PID 2972 wrote to memory of 2392	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	32
PID 2972 wrote to memory of 2392	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	32
PID 2972 wrote to memory of 2392	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	32
PID 2972 wrote to memory of 2392	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	32
PID 2972 wrote to memory of 2472	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	33
PID 2972 wrote to memory of 2472	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	33
PID 2972 wrote to memory of 2472	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	33
PID 2972 wrote to memory of 2472	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	33
PID 2972 wrote to memory of 2472	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	33
PID 2972 wrote to memory of 2472	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	33
PID 2972 wrote to memory of 2472	2972	c37db88b9bdfbd4620104f12f8860a9d.exe	33
PID 2392 wrote to memory of 2704	2392	6tbp.exe	34
PID 2392 wrote to memory of 2704	2392	6tbp.exe	34
PID 2392 wrote to memory of 2704	2392	6tbp.exe	34
PID 2392 wrote to memory of 2704	2392	6tbp.exe	34
PID 2392 wrote to memory of 2704	2392	6tbp.exe	34
PID 2392 wrote to memory of 2704	2392	6tbp.exe	34
PID 2392 wrote to memory of 2704	2392	6tbp.exe	34
PID 2512 wrote to memory of 2760	2512	3E4U - Bucks.exe	35
PID 2512 wrote to memory of 2760	2512	3E4U - Bucks.exe	35
PID 2512 wrote to memory of 2760	2512	3E4U - Bucks.exe	35
PID 2512 wrote to memory of 2760	2512	3E4U - Bucks.exe	35
PID 2512 wrote to memory of 2760	2512	3E4U - Bucks.exe	35
PID 2512 wrote to memory of 2760	2512	3E4U - Bucks.exe	35
PID 2512 wrote to memory of 2760	2512	3E4U - Bucks.exe	35
PID 2704 wrote to memory of 1756	2704	rundll32.exe	36
PID 2704 wrote to memory of 1756	2704	rundll32.exe	36
PID 2704 wrote to memory of 1756	2704	rundll32.exe	36
PID 2704 wrote to memory of 1756	2704	rundll32.exe	36
PID 2704 wrote to memory of 1756	2704	rundll32.exe	36
PID 2704 wrote to memory of 1756	2704	rundll32.exe	36
PID 2704 wrote to memory of 1756	2704	rundll32.exe	36

C:\Users\Admin\AppData\Local\Temp\c37db88b9bdfbd4620104f12f8860a9d.exe
"C:\Users\Admin\AppData\Local\Temp\c37db88b9bdfbd4620104f12f8860a9d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\ic7.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\ic7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\1EuroP.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\1EuroP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\2IC.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\2IC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\3E4U - Bucks.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\3E4U - Bucks.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 288
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2760
- C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\6tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\6tbp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\atus40ub.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\atus40ub.dll",iep
      4⤵
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1756
- C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\IR.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\IR.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2472
- - C:\Users\Admin\AppData\Roaming\6ufv.exe
    C:\Users\Admin\AppData\Roaming\6ufv.exe
    3⤵
    - Executes dropped EXE
    PID:2920
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Roaming\mdinstall.inf
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Roaming\c4ib5fma.bat
    3⤵
    PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\2IC.exe

Filesize
173KB

MD5
2882c37af731c8df231e0c29cb6f817e

SHA1
c5b10307f912e1a9f1d6924f57c49461537b27bd

SHA256
adcd797e58edbc65f709ea30c6dbdf8c8aaeade7184556926a1c2e0d85730ee4

SHA512
4cc3c3e02e55087d31461cb50ded0b5faafc894868577933ff6a9d221cb966e847913c372bbda061f3e006d6d4c22b4faa60dd86b28b357425859b8561c3207a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\3E4U - Bucks.exe

Filesize
27KB

MD5
5f6c6b5e491ac60e088adba6dd5791c2

SHA1
292f4b81b3eee53877c672faf540aceeb2fc881f

SHA256
b010d2d5cdee46b1b97b88aa48968ffd34f6e3e382b250c98f2e1a89c950e018

SHA512
59c15d1a3f8d14eb441bb6e187cd91eaa13114afa1d8220aa7d08e259ee28af6bab92258b624d9824944b1776f916b6b551f3c3be982262d28b5330c7ba28252

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5820.tmp\6tbp.exe

Filesize
128KB

MD5
de69f3b9033b6bb936e522c8df56b2f2

SHA1
3198f5216755c536fbd70158a0442d4eedbeac2c

SHA256
8a9d01cd55f50b7e0602396d947c9ec15f689daedc02d03782ecc350369178f0

SHA512
43bc9b6f91b5c5e425a525cabc1e5eb6bcc7b32e21855dc28ec03f2e420acb8c1559d3be1eb47f257138848553d4d07f6e64408ed62d9f2859cc160d01a2beb4

Download Submit
C:\Users\Admin\AppData\Roaming\c4ib5fma.bat

Filesize
154B

MD5
1b1ea232809886304a827007fea6be49

SHA1
c932d33373116f646bfefdefe5c2b1ed0cc26b09

SHA256
556a12a6035f137f454bc593d73de04b1b16f27a376684f0d9346a532c74384e

SHA512
58663cbe26d71f250c18187228cc5d9a05c54586ab99f817806b52bb80d05215d563d8f60b839b656970af7ef36acb86cd88e23743e22d5af1105dcac875f423

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5820.tmp\1EuroP.exe

Filesize
91KB

MD5
ce25e2751922f17c6c7f9fabef373dec

SHA1
19b921cd4198a1b918ace1e75a77824e18fdd090

SHA256
d0b23958bdb061757e72fc9fb1233be2e338a1c43c75bb036a65aa81838e980e

SHA512
db42449d633f30d1310f0e5bcd875fb3c9b5587731c80ecc4eaa8ba832b41931833a3b1b8386ff50fab29f786b6053ae2a02395ee925a55750d467c15c71ed83

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5820.tmp\IR.exe

Filesize
61KB

MD5
0e72f6e865433a1ba0bf143a1142b60d

SHA1
0ddb85c493f31c3915d01447ff2ed6b64c8840bf

SHA256
d303490f349958a3f8d077ec45844370994ebabe21e15f54b88c1dc3084742c4

SHA512
fe739de193d399c890d57cc0bcf9166a82b3015affc0e5bac537ebd4ce4fd4c5305b120a89f0084107096b867b552f2514467a3cd6c2a44c94d401985a6bb7b9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5820.tmp\ic7.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
\Users\Admin\AppData\Local\atus40ub.dll

Filesize
128KB

MD5
c14b8d37b4192374aa0c4556aab8b895

SHA1
272363f34b0f2ad78328a16d9e973e218a1e870d

SHA256
2d5ac20865b9dbac193dc80e6fd168f4d3dfc21eaded12b2346bfe2ffa72217a

SHA512
6873945f2e0357d914e0bf896fc7dff6b8939f64e1d7cab3ca42c8d4c5fd9da7fbbe17b4a2e873b545e9af6b6986e751a998e1a9c13c16c2885ce79c191e1624

Download Submit
memory/2392-99-0x00000000008B1000-0x00000000008BE000-memory.dmp

Filesize
52KB

Download
memory/2392-77-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2392-98-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2472-124-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/2472-123-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2472-82-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/2472-72-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2704-90-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2832-52-0x0000000000370000-0x00000000003B5000-memory.dmp

Filesize
276KB

Download
memory/2832-45-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2840-60-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download