62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b

General

Target

62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe
Size

15.5MB
MD5

21445b2984b5be0673ae1962f743f64f
SHA1

da7ddcf8452cec5df6f635f0c23e9a9109363b07
SHA256

62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b
SHA512

e84dd6746e0287a6b882f63526fcc5902c2714e8fc6187ed3f8f6ae6336903a4b0f11e17e918ab7f3afab3c0c9a2e18ef067ba68169bd0157cf96c10b1979dbc
SSDEEP

393216:AulgrK+BzVFWfHjvxLkuoptlXps6wr3KUTIiViiQd6c2DdZlgSwc165UbZBVepgU:AulgrK+BzVFWfHjvxLkuoptlXps1r3KZ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1988	62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1988-0-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-1-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-2-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-5-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-44-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-46-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-38-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-35-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-33-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-32-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-29-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-27-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-17-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-15-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-13-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-11-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-9-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1988-7-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1988	62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe
1988	62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe
1988	62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe
1988	62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe
1988	62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe
1988	62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1988	62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe
1988	62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe
1988	62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe
1988	62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe

C:\Users\Admin\AppData\Local\Temp\62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe
"C:\Users\Admin\AppData\Local\Temp\62a681f9c75e1c21d08f9634d064f591af99ed019d91c45a42a6daf92245a27b.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dat\dat\._cache_大漠综合工具.exe

Filesize
1.8MB

MD5
2d6313a764ee4837c0fd29f5fc6d8400

SHA1
7dd49801129fed7ca0b03813faf60989e02882b9

SHA256
79ac2c4eccf51605a79723a551a82d319247f0fedb7c1042500a76b2ddd98e28

SHA512
21b82791f3ad190dcf57868241b552a4c76780052a4b8097ac17202a77af52829beb215b90f98e6734592d850325b144c4ee7269738818703d83ebbe8ed73cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dat\dat\52.bmp

Filesize
680B

MD5
d3c17cf1142cebae11d0f71e1a7f351c

SHA1
b946a1642b7901490ea58904f31183d836ba46fd

SHA256
54bfc72888f5beaa99b5ebe80d2f00fdd57e3f1a043f7ee2e7875bf7fcf09ea0

SHA512
3e816def8acb4c69de3f971deb8a4be743ef4937a41662c509fbe4c66ddc795a0737a3431d6baa98240030cee073b38b5e21676e39f0f9897e573e5aa427f122

Download Submit
C:\Users\Admin\AppData\Local\Temp\dat\dat\主训练图19.bmp

Filesize
500B

MD5
487a747cc9eaa12e71cfdd65f3abbd87

SHA1
bdc1aa685ead0c1a9ce95028a5fe5307b0e6296e

SHA256
db52fe3d4963df841bbc5df3f864b24ac6a730356bb6ae00f995cf6f05d95033

SHA512
9d158204f8200bbc523cfac29b9f3108c99b504c841f8a3b4b4299be230cd645a65d61794a08d08f775fe0ae1f4ad86590d98e63d74cc6c76d21864a0e2aeec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dat\dat\商城点兑换2.bmp

Filesize
260B

MD5
077a4e92f30540bc4e828ad6e0b9dbaf

SHA1
1bb36b30da9e9455866777fe563e4bf677c39a89

SHA256
5020d0ed5042396a545ac4f42b8596e9fb6fada7448872367a2ac93e18b3ce19

SHA512
49a70b9531c46f636869bacb2766be65a38cb23a067b7966c217246e3c55023420a48b886638e29b45e8d30845e07d29b0863dc149823f21970e6968c404d36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dat\dat\宝石矿.bmp

Filesize
932B

MD5
526b33d6e25e572c98c18b957de023c6

SHA1
696d80cce0b556a3985b10f0d1e420d6d8611b66

SHA256
0e4b9a772f643cbdac8a2b2581fa0f94ba6d8d5be18093d648f952d5e1f18070

SHA512
8f2e91ad42904e7d54aba4a08385ead93db2807f53ae8785b1934f9939f893f7ce06b4a6e314e76847d8b372ddfde175014ecbbd81427e96fa33121d612d3b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\dat\dat\查看王城.bmp

Filesize
1KB

MD5
594424ef33848db9638a62f597fb59f8

SHA1
90ffd651bcf8ef5c4da46ae8040f1bde78b8f034

SHA256
c1ae2d1e03a11c86b69412f87ecd9435b0b557d8f81779ce85cf2ff495ba65e9

SHA512
cc83bc3c9a66c3625d45e98254a9eab3a041f4340933ea30662cd29521a1a4c89850839f89491a179b91ad516ffbd37a105e818739f48c9424ce98894d6c7865

Download Submit
C:\Users\Admin\AppData\Local\Temp\dat\士兵支援7.bmp

Filesize
500B

MD5
bbd38571891bddbb3c1a03db890fdcbb

SHA1
831eb3f2d76727ed638bd09993fa965106115780

SHA256
d963ea083cda0ab5d5dced506129a5a991b8cb78af32e44b6171c96111c63d24

SHA512
73aae33d056b9b159277f1935016d0e553d54c4b3c20cb3a1fb7cd829cef5aa8c837ecb99a925c74048e0dcb96b2dd8e99fbf56c8dfbb6f8cd4b4baf14afb6e6

Download Submit
\Users\Admin\AppData\Local\Temp\UnRAR.dll

Filesize
275KB

MD5
048e7dbf0f02c825ff6f657f6efe8455

SHA1
0b36c38e8ba2c066ae9d7389a8d9e2ef705efe6f

SHA256
2f014c514ee00b663911ac3819fe17bd2bc9de337ee03805c7a2ce7f1d1a466b

SHA512
e617b42b5511142be6e26c9f04b5d5e54e496844a60e9fdcda58a015c5255d459dbf775d238479666801579c85ada9d37feccd2a2564725b776fd134b495058c

Download Submit
memory/1988-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-15-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-38-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-35-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-33-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-32-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-29-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-27-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-0-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-17-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-13-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-11-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-9-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-7-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-46-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-44-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-5-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-2-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-1-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads