148f10ab7d09aad597800b12f1ddf3965f4d693c092771554aa286b63a32d3c0

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_2_/bdrcdl.exe
Size

1.0MB
MD5

bb0db8559e5bd559870ac21bfae3d9b6
SHA1

8d8f4dff84f247020acdd28bc25af734cd58c1e5
SHA256

535caa0d8cb5de8c9ca3ecd52aef62bc708a7e9369adb1998f75dd26e60bbd42
SHA512

4a23e499c1af117fbef94c45aea88c47a45b7fc9b26e4e66ac7dbad7812575016473fa5f3384c6ad6c40088e53bef5e780924d797e597a14942fdd00e9df83a2
SSDEEP

24576:4R8EovXQZ9kPiNZxJa2D6sA5ctfwX6ShvB8pcGccpccUccL7cc2ccOcc9cc4Vcbc:ELoM42usyX/hvWcGccpccUccL7cc2ccJ

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	bdrcdl.exe
File opened for modification	\??\PhysicalDrive0	BugReport.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2740	BugReport.exe
2740	BugReport.exe
2740	BugReport.exe
2740	BugReport.exe
2740	BugReport.exe
2740	BugReport.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2024	bdrcdl.exe
Token: SeShutdownPrivilege	2740	BugReport.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2740	2024	bdrcdl.exe	28
PID 2024 wrote to memory of 2740	2024	bdrcdl.exe	28
PID 2024 wrote to memory of 2740	2024	bdrcdl.exe	28
PID 2024 wrote to memory of 2740	2024	bdrcdl.exe	28

C:\Users\Admin\AppData\Local\Temp\$_2_\bdrcdl.exe
"C:\Users\Admin\AppData\Local\Temp\$_2_\bdrcdl.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\$_2_\BugReport.exe
  bugreport /silence /buginfo:00000490:00000498:04EEEC80:2024
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Baidu\Common\Global.db

Filesize
52B

MD5
3eb625808e00d419868989c37b89baff

SHA1
30e3c1efb93672502b89790dc080d33ef3dbb8ab

SHA256
bdbc21dd3d8505270f9e4afa487ea90f53b6f0a2c109a1690013fa8070c8bd8d

SHA512
755784065cd52f2bf0d1b9a99f925295804e938a51dd7012b69d2d731d6b5dc298956f9ad2fac56a9425d9dafa3bc6a46fdbb60bdfce8dc1f35302101aa50920

Download Submit
memory/2024-0-0x0000000000080000-0x0000000000093000-memory.dmp

Filesize
76KB

Download
memory/2024-2-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/2024-4-0x0000000000290000-0x00000000002FA000-memory.dmp

Filesize
424KB

Download
memory/2024-6-0x0000000002130000-0x0000000002166000-memory.dmp

Filesize
216KB

Download
memory/2024-8-0x0000000003130000-0x0000000003222000-memory.dmp

Filesize
968KB

Download
memory/2024-17-0x0000000004B90000-0x0000000004C21000-memory.dmp

Filesize
580KB

Download
memory/2740-25-0x0000000002680000-0x00000000026EA000-memory.dmp

Filesize
424KB

Download