12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782

General

Target

12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe
Size

6.0MB
MD5

d6cbed3d06525029fdbc23c3a5aebf6b
SHA1

829dcf6eb1e71ef35dcabf6c32b8a7b16e765308
SHA256

12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782
SHA512

8a52c77a89d6b5bab9d1b47dcc2ed36194c5db22ef17e06faed7e2ad08dcd12c32e2e569c51c6c9184ad84d00d9827c99a100f719b2ba974d488a3677037bb00
SSDEEP

98304:c0G1E13HhStHxV8ItdWEZ3Xy3cB27OgUWZHwuS2JBAUZL/:nGxV8It/JiY2sWpJVb

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe

pid process

3760 12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3760-2-0x0000000001000000-0x000000000100B000-memory.dmp	upx
behavioral2/memory/3760-1-0x0000000001000000-0x000000000100B000-memory.dmp	upx
behavioral2/memory/3760-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-4-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-28-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-49-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-48-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-33-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-30-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-27-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-22-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-20-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-16-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-14-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-13-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-10-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-9-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-6-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/3760-5-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe

description ioc process

File opened for modification \??\PhysicalDrive0 12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe

pid	process
3760	12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe
3760	12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe
3760	12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe

description	pid	process	target process
PID 3760 wrote to memory of 1076	3760	12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe	msedge.exe
PID 3760 wrote to memory of 1076	3760	12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe
"C:\Users\Admin\AppData\Local\Temp\12524fb4a494340c1d69cf4dd32f76b0748c9ec03e2383eeab229fd215f64782.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://changkongbao.lanzouq.com/ikW9T1cfeg5e
2⤵
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4088,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
1⤵
PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=3584,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=4788 /prefetch:1
1⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3956,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=4944 /prefetch:1
1⤵
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=3848,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5308 /prefetch:1
1⤵
PID:208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5432,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:8
1⤵
PID:2984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5448,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8
1⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5964,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5996 /prefetch:1
1⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6108,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6660 /prefetch:1
1⤵
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5164,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:1
1⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6680,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=6684 /prefetch:8
1⤵
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6740,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:1
1⤵
PID:3704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib
Filesize
1.5MB

MD5
ef48d7cc52338513cc0ce843c5e3916b

SHA1
20965d86b7b358edf8b5d819302fa7e0e6159c18

SHA256
835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8

SHA512
fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\·½°¸.ini
Filesize
10KB

MD5
b6bffed88dc920f4daccf1a83dbf7f8b

SHA1
9d6e4a7b272cb725a143a588e1fe7b0ca6374b0b

SHA256
88e93194d4660d8c6f3f70591eef2e73ee460bbca08932cd7bec4393a6c7a36b

SHA512
d603a3aca6149b8dba1a1c3ca84d09d39459c21e10d4ef25ea88807cd0901f5a749dd7f97d4d49a9211f099e689156bc9724a73ad1e73aa580d8680d6cf25d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\·½°¸.ini
Filesize
8KB

MD5
1d67dafae0fcabbdc7ffaa3095ca3b61

SHA1
6ea71d27c8bf64ff601585c961a65c1adc9d7775

SHA256
51037184b477771ebe0558bed508315e05de95cb170a40a975d2326e97bfe88e

SHA512
b1ebb5d6d68fd2c5372114494dca30eff6107e263313b8889c4ef9b3f2311d3fc0b557bbcefa6911547727eac0b345df904993561c5a6feb87426158a4684d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\¿ì½Ý·¢ÑÔ·½°¸.txt
Filesize
204B

MD5
1f176fd422d932b3f73c59cd0e8a4d0b

SHA1
e944c5a2805bb8809ddef9402304a12e6d3a3751

SHA256
f96f94e2c2d39b65dd9ca21a66abf75ed7b4c2d03bc703c5afc71fa1ea12669e

SHA512
7b0b29b2e9f0e6730541d206fde7cd2a5318a227f67b25c56b3005acd30201d11cbec7ddcdd9ad2149981ae681adffa2b161e2588375447b4add74eaea7db225

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini
Filesize
64B

MD5
49f36aa007f23eb6c74c4a2a1a3a33b1

SHA1
24bc012bf366135ed5b87fa1fae78d5a2995536f

SHA256
2454bb119c52184d858ad28c30a7178102ede54731a482b7168f1528516dd4cb

SHA512
6788124e3da25d19c0acc3f188d6e25c1eee4aaa3df0ba1aeac17a64eca3b487e6de745ad38d47aa9fa03ce1d55c7172cfd872831034da3d7aea86e88a449474

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini
Filesize
211B

MD5
be1ed890b76305de558c92cdec4ac2bb

SHA1
f9886e1bcb55dcfcb06294141496d8ac9eb7e014

SHA256
bad4ee5b9b63fd12da271a13eb1a7120a58ee3c5a4f95daef51fab68b87ba6cb

SHA512
0060156b4a7fb18c5a1fd2018fe69d3a533e5c3b8d1f14920bfd6ab88ffedb799901a635a186e35f2aa605d3bcc502142363b63aad202b3928e77180e6d56dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini
Filesize
225B

MD5
0e66900340fc19323c256461904893d9

SHA1
daf382f14a93f5cc7a839f0d2914a7fe699cbbee

SHA256
3c0466e79066d63e524f4b8f5423409a9fcfa769334cde7b1628d5f86265be10

SHA512
2c446d717530e6e73c59f965b034ca9cd92409d5eeb2f60c9d001ef0f905e09864ab0448b929deea46a25bdab707ae61d45ab78c23cb37a6dc6c0eb85300b2b8

Download Submit
memory/3760-20-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-13-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-50-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/3760-49-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-48-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-33-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-30-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-27-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-22-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-0-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/3760-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-16-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-14-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-10-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-9-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-6-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-5-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-53-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/3760-55-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/3760-54-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/3760-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-104-0x0000000006060000-0x0000000006061000-memory.dmp

Filesize
4KB

Download
memory/3760-103-0x0000000006070000-0x0000000006071000-memory.dmp

Filesize
4KB

Download
memory/3760-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-28-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-4-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3760-1-0x0000000001000000-0x000000000100B000-memory.dmp

Filesize
44KB

Download
memory/3760-2-0x0000000001000000-0x000000000100B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads