e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a

General

Target

e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe
Size

2.0MB
MD5

3cb846a87f7680b3e2963d7ef3604db5
SHA1

f08030241fccc6b832468f607405d7a4e5c4e137
SHA256

e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a
SHA512

558bd9225e86251b31d55459cc267fec75ac2573e0f161c95b0dc765c6ef264f765af24f0390d020d53b37f57ee5812b75eb00d678f5f687794a6c372475dd54
SSDEEP

24576:zt6/EQTelL3j9Uvbq7Frn/WVZQC3qOazxjodGjeNittkpAVRTZIjDPG3ib3tuuXJ:z/Uvbq7UoC3gxVtIAV+RZuuJa0

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

update.dat

pid process

2420 update.dat
Loads dropped DLL 1 IoCs

Processes:

e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe

pid process

2392 e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe

pid	process
2420	update.dat

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2392-0-0x0000000010000000-0x00000000100EC000-memory.dmp	upx
behavioral1/memory/2392-2-0x0000000010000000-0x00000000100EC000-memory.dmp	upx
behavioral1/memory/2392-3-0x0000000010000000-0x00000000100EC000-memory.dmp	upx
behavioral1/memory/2392-4-0x0000000010000000-0x00000000100EC000-memory.dmp	upx
behavioral1/memory/2420-15-0x0000000010000000-0x00000000100EC000-memory.dmp	upx
behavioral1/memory/2392-18-0x0000000010000000-0x00000000100EC000-memory.dmp	upx
behavioral1/memory/2420-19-0x0000000010000000-0x00000000100EC000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exeupdate.dat

description	ioc	process
File opened for modification	\??\PhysicalDrive0	e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe
File opened for modification	\??\PhysicalDrive0	update.dat

Drops file in System32 directory 1 IoCs

Processes:

e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\bioso.rom e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\bioso.rom	e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe

Modifies registry class 2 IoCs

Processes:

e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gplayer2016ls	e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gplayer2016ls\ = "vBnCsDoDrBmAdL8JxDcNbJtDeNoBbJoDqFmBoDmF"	e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe

pid process

2392 e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exeupdate.dat

pid	process
2392	e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe
2392	e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe
2420	update.dat
2420	update.dat

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe

description	pid	process	target process
PID 2392 wrote to memory of 2420	2392	e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe	update.dat
PID 2392 wrote to memory of 2420	2392	e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe	update.dat
PID 2392 wrote to memory of 2420	2392	e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe	update.dat
PID 2392 wrote to memory of 2420	2392	e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe	update.dat
PID 2392 wrote to memory of 2420	2392	e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe	update.dat
PID 2392 wrote to memory of 2420	2392	e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe	update.dat
PID 2392 wrote to memory of 2420	2392	e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe	update.dat

C:\Users\Admin\AppData\Local\Temp\e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe
"C:\Users\Admin\AppData\Local\Temp\e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\update.dat
  C:\Users\Admin\AppData\Local\Temp\update.dat gxin e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bioso.rom

Filesize
36B

MD5
b6dbf15028931694b07c3faa118afdc4

SHA1
15b2b50ee33c693743788faf812a4ce1c06daf70

SHA256
6b82e8021f2c5f0aa24108baf0af905abaf18e6fdb54428958d6b4813014c69c

SHA512
0be944432d9a732723764c0032f79dff68df1f07dde219aed395b548ce6d48c3545e6e80c4e4cc031b6db90f01690e14e2944a0e5c58419058e1dd7bb1b9283f

Download Submit
\Users\Admin\AppData\Local\Temp\update.dat

Filesize
2.0MB

MD5
3cb846a87f7680b3e2963d7ef3604db5

SHA1
f08030241fccc6b832468f607405d7a4e5c4e137

SHA256
e3316a22cd2d9ac8d004a666ec37f6394dea725791e483790e543c95fea0680a

SHA512
558bd9225e86251b31d55459cc267fec75ac2573e0f161c95b0dc765c6ef264f765af24f0390d020d53b37f57ee5812b75eb00d678f5f687794a6c372475dd54

Download Submit
memory/2392-0-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download
memory/2392-2-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download
memory/2392-3-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download
memory/2392-4-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download
memory/2392-18-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download
memory/2420-15-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download
memory/2420-19-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads