af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54

General

Target

af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
Size

1.4MB
MD5

a9c11049f1ede0225dac68f96c37fdf3
SHA1

4f26c7ea18895ddf02e35ce376aaf48c04a4ce28
SHA256

af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54
SHA512

d7c2d2ad6bae2f1fd5518e2b5c33e59e8f642b2307bec75faff86e65c87f4dfff4b74f06f0ad31e9c4533f7b7acb6ad895d5ce2d88402bf1aac7543414718555
SSDEEP

24576:MfSDKK9C9pLmPET243ZlpZOTy+it8Po/olPhA8sEXSFjQG9xmreCmU+9i:YS1eV64Jelit8QAlPhfsq8jRISCk9i

Score

7^/10

bootkit persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	acprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2712 cmd.exe

pid	process
2712	cmd.exe

Loads dropped DLL 15 IoCs

Processes:

af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe

pid	process
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1968-0-0x00000000010E0000-0x0000000001258000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\broscfg.dll	upx
behavioral1/memory/1968-7-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-30-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-60-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-73-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-98-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-115-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-132-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-152-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-157-0x00000000010E0000-0x0000000001258000-memory.dmp	upx
behavioral1/memory/1968-158-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-169-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-170-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-185-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-184-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-190-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-189-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-197-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-195-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-207-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-208-0x0000000010000000-0x0000000010254000-memory.dmp	upx
behavioral1/memory/1968-209-0x00000000010E0000-0x0000000001258000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe

description ioc process

File opened for modification \??\PhysicalDrive0 af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1928 systeminfo.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe

pid	process
1928	systeminfo.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.execmd.exe

description	pid	process	target process
PID 1968 wrote to memory of 2660	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2660	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2660	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2660	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2472	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2472	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2472	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2472	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2996	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2996	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2996	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2996	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2592	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2592	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2592	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2592	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2784	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2784	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2784	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2784	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2772	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2772	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2772	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2772	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	schtasks.exe
PID 1968 wrote to memory of 2712	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	cmd.exe
PID 1968 wrote to memory of 2712	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	cmd.exe
PID 1968 wrote to memory of 2712	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	cmd.exe
PID 1968 wrote to memory of 2712	1968	af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe	cmd.exe
PID 2712 wrote to memory of 1928	2712	cmd.exe	systeminfo.exe
PID 2712 wrote to memory of 1928	2712	cmd.exe	systeminfo.exe
PID 2712 wrote to memory of 1928	2712	cmd.exe	systeminfo.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe
"C:\Users\Admin\AppData\Local\Temp\af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /End /TN MicrosoftEdgeUpdateBrowserReplacementTask
2⤵
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /End /TN MicrosoftEdgeUpdateTaskMachineCore
2⤵
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /End /TN MicrosoftEdgeUpdateTaskMachineUA
2⤵
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /TN MicrosoftEdgeUpdateBrowserReplacementTask /F
2⤵
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /TN MicrosoftEdgeUpdateTaskMachineCore /F
2⤵
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /TN MicrosoftEdgeUpdateTaskMachineUA /F
2⤵
PID:2772

C:\Windows\system32\cmd.exe
cmd /c systeminfo & del /f /q "C:\Users\Admin\AppData\Local\Temp\af3150462eea98b5e3c7a8bc08ef62b7641d9fe96cc464c851fd74cebf87ee54.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\system32\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:1928

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
6c5f260eaa2928b02ae04a70aa1301c5

SHA1
d0843e5273873ef9a90d69b6a4f2538141a0f884

SHA256
2172c1566fc1150fdf3987a58d8490a6bb62efd66adc56cc8b22e1573382f12f

SHA512
aa409a0ae0e9a2688750df677bafef4fe386083ca1c11ad050738caed854b5c389ba7ae283dc366b4ff3a20eb3f92d8725048726277b83cbe6651333cf371a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\broscfg.dll
Filesize
1.3MB

MD5
e7e63934509e4962ffe6662defb4153d

SHA1
9bb76af08ce49fe9b92ab7b7e08a94b61aff0f73

SHA256
fbe7a0ead89b2e4414ed8bdcbcf7f789fbf4644caa3dd59137a823f7d4ea930a

SHA512
6da4771a751eaa94cfd3613dd80fe0805cdb8df023f2abfa9c865449df8bedb96f7f25c2e9e33bac6f8e1e3d742553cd2b7d4eb8510849efe9b8957f48f2fd67

Download Submit
C:\Users\Admin\AppData\Local\TheWorld6\User Data\Default\Preferences
Filesize
10KB

MD5
f49633b4fee954a8a2b9d28a95e80418

SHA1
1325fb0a3599cc1f80b9f1aae97a45480714f2df

SHA256
decc9ca76393388ce377fa7ce106e777b4c6a89ca53e3266f47a1c094c032987

SHA512
fbd72da06f6b98dc4171c88455d021f9e870904b6e90fcfb5a634a97671ca589cabcbbf150af95b97b3d89e1bbde3fe7f8bf99d741d3ef76170e745cdcf336e3

Download Submit
C:\Users\Admin\AppData\Local\liebao\User Data\Default\Preferences
Filesize
9KB

MD5
d796ef88ddb5777a8f2bd311a20e2166

SHA1
b57233c01a308c7c9f91aa9dda4f2a4702f5c538

SHA256
de29d62f4700b3830cd784a21e93f8b832fe27fe7c86746aad8e0dafe8f21185

SHA512
4acf855a43bc2e8afe056217aaa5e3cd62fd7eeeed8b6fe10ccfc94f0fe7ab1a9ee9104636713d205371e3b68a15d9c3aa7cdd92ee60da9e1d253c0872d11583

Download Submit
memory/1968-157-0x00000000010E0000-0x0000000001258000-memory.dmp

Filesize
1.5MB

Download
memory/1968-170-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-73-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-98-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-115-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-132-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-30-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-152-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-0-0x00000000010E0000-0x0000000001258000-memory.dmp

Filesize
1.5MB

Download
memory/1968-158-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-169-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-60-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-7-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-185-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-184-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-190-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-189-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-197-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-195-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-207-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-208-0x0000000010000000-0x0000000010254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-209-0x00000000010E0000-0x0000000001258000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads