39bb4676cd16997f2d86bdd451c37b0e0bf6e5d75e837e186a41f6c50eebd534

General

Target

乡巴佬CS登录器V3.5 [测试].exe
Size

1.9MB
MD5

c782a3edffde23f97403896a4e80ff81
SHA1

48d7ed6c5ebad5fed8bb1dda4c92288342bb83fb
SHA256

cb43d1edbb37c97b68b2a2eab066e4fa9f56ed04ae9a8d0e0ea1ba09273899b9
SHA512

2c8d3de2601226a2522cd89ee055e0b8beaf2b550b6e5f4ea9daa84b1751aa4c3318c65eeb9aef0eb8419fb0b83d247830d332bbe72d80736c8c4af47a85dbd7
SSDEEP

24576:ERGJvZko+Fheb9uxqsVBs77deWwUXGuBeYIXQ7deWwUXGujs1bZU2XX:RJvuo+FY8BEFIYo6Fja

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4752-9-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-8-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-0-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-5-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-41-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-42-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-40-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-38-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-35-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-34-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-29-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-27-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-26-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-23-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-21-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-19-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-17-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-11-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-4-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-1-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-31-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-15-0x0000000010000000-0x0000000010037000-memory.dmp	upx
behavioral2/memory/4752-13-0x0000000010000000-0x0000000010037000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

乡巴佬CS登录器V3.5 [测试].exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 乡巴佬CS登录器V3.5 [测试].exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

乡巴佬CS登录器V3.5 [测试].exe

description pid process

Token: SeDebugPrivilege 4752 乡巴佬CS登录器V3.5 [测试].exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

乡巴佬CS登录器V3.5 [测试].exe

pid process

4752 乡巴佬CS登录器V3.5 [测试].exe
4752 乡巴佬CS登录器V3.5 [测试].exe
4752 乡巴佬CS登录器V3.5 [测试].exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	乡巴佬CS登录器V3.5 [测试].exe

description	pid	process
Token: SeDebugPrivilege	4752	乡巴佬CS登录器V3.5 [测试].exe

pid	process
4752	乡巴佬CS登录器V3.5 [测试].exe
4752	乡巴佬CS登录器V3.5 [测试].exe
4752	乡巴佬CS登录器V3.5 [测试].exe

C:\Users\Admin\AppData\Local\Temp\乡巴佬CS登录器V3.5 [测试].exe
"C:\Users\Admin\AppData\Local\Temp\乡巴佬CS登录器V3.5 [测试].exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4752-9-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-8-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-0-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-5-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-41-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-42-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-40-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-38-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-35-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-34-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-29-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-27-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-26-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-23-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-21-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-19-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-17-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-11-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-4-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-1-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-31-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-15-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/4752-13-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing