bbfa173c4415e11bf7cb4b508f6b3bccf16e250c93041e22bd40d90880f6e9d3

General

Target

bbfa173c4415e11bf7cb4b508f6b3bccf16e250c93041e22bd40d90880f6e9d3.exe
Size

6.0MB
MD5

47cc79fa25375e74b8c052b97d85da3d
SHA1

5f2f9506a1b4b7e71dfb3ece959ea61a63caedd5
SHA256

bbfa173c4415e11bf7cb4b508f6b3bccf16e250c93041e22bd40d90880f6e9d3
SHA512

474258107ba838a4a23bd770c2b7e2427d483de1acc4230d9aa2a888e3e188466ea5f5a586ccf71c386e85b96b3275312e95e907cccbf854d17ad6f69e56dcde
SSDEEP

98304:c0G1E13HhStHxV8ItdWEZ3Xy3cB27OgUWZHwuS2JBAUZLs:nGxV8It/JiY2sWpJVY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
824	bbfa173c4415e11bf7cb4b508f6b3bccf16e250c93041e22bd40d90880f6e9d3.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/824-1-0x00000000028E0000-0x00000000028EB000-memory.dmp	upx
behavioral2/memory/824-2-0x00000000028E0000-0x00000000028EB000-memory.dmp	upx
behavioral2/memory/824-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-4-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-10-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-14-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-12-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-8-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-6-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-5-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-38-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-35-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-33-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-30-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-29-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-24-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-18-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-16-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-49-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/824-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	bbfa173c4415e11bf7cb4b508f6b3bccf16e250c93041e22bd40d90880f6e9d3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
824	bbfa173c4415e11bf7cb4b508f6b3bccf16e250c93041e22bd40d90880f6e9d3.exe
824	bbfa173c4415e11bf7cb4b508f6b3bccf16e250c93041e22bd40d90880f6e9d3.exe
824	bbfa173c4415e11bf7cb4b508f6b3bccf16e250c93041e22bd40d90880f6e9d3.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 3292	824	bbfa173c4415e11bf7cb4b508f6b3bccf16e250c93041e22bd40d90880f6e9d3.exe	99
PID 824 wrote to memory of 3292	824	bbfa173c4415e11bf7cb4b508f6b3bccf16e250c93041e22bd40d90880f6e9d3.exe	99

C:\Users\Admin\AppData\Local\Temp\bbfa173c4415e11bf7cb4b508f6b3bccf16e250c93041e22bd40d90880f6e9d3.exe
"C:\Users\Admin\AppData\Local\Temp\bbfa173c4415e11bf7cb4b508f6b3bccf16e250c93041e22bd40d90880f6e9d3.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://changkongbao.lanzouq.com/ikW9T1cfeg5e
  2⤵
  PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=1424 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
1⤵
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4628 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
1⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5144 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5552 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
1⤵
PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=4916 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
1⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5568 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
1⤵
PID:712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4960 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4676 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib

Filesize
1.5MB

MD5
ef48d7cc52338513cc0ce843c5e3916b

SHA1
20965d86b7b358edf8b5d819302fa7e0e6159c18

SHA256
835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8

SHA512
fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\·½°¸.ini

Filesize
10KB

MD5
ba86c69f51c42ec6c3aca4239c897922

SHA1
d3df5ced33b93361c3c489c76450efc8051c8e88

SHA256
0e12d8c1dd9156ca810090a1f8020b6a5b708920040992e2dace1d9b579a0c69

SHA512
ceaf159b55ec95e10699fbd6c58ea4ff3af9e930b8e13a87ebcc169d3d2f9499b7f0516b177e872c26c3473f30e1bcf103601a38656eaae6ca30f143fda36fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\·½°¸.ini

Filesize
8KB

MD5
1d67dafae0fcabbdc7ffaa3095ca3b61

SHA1
6ea71d27c8bf64ff601585c961a65c1adc9d7775

SHA256
51037184b477771ebe0558bed508315e05de95cb170a40a975d2326e97bfe88e

SHA512
b1ebb5d6d68fd2c5372114494dca30eff6107e263313b8889c4ef9b3f2311d3fc0b557bbcefa6911547727eac0b345df904993561c5a6feb87426158a4684d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\¿ì½Ý·¢ÑÔ·½°¸.txt

Filesize
204B

MD5
1f176fd422d932b3f73c59cd0e8a4d0b

SHA1
e944c5a2805bb8809ddef9402304a12e6d3a3751

SHA256
f96f94e2c2d39b65dd9ca21a66abf75ed7b4c2d03bc703c5afc71fa1ea12669e

SHA512
7b0b29b2e9f0e6730541d206fde7cd2a5318a227f67b25c56b3005acd30201d11cbec7ddcdd9ad2149981ae681adffa2b161e2588375447b4add74eaea7db225

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

Filesize
112B

MD5
b0ab3be3869ae8a1c26e2b5c0fc8b38d

SHA1
0daa91cf66b60abc70743677000fb6586933ad77

SHA256
16587a3e68adf4597dd0cd2ac9b51ee4f2eb91a2be898d68d119b389b51949b5

SHA512
0cc36b447a3bcd4d53a7a399a79b3f0284fbf69f451c55615c83a4827e401a4e8ba55789ee39f92d1c3f5125c9053d8ba0442d933cec9461671a74e10286ed63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

Filesize
148B

MD5
e1e6280dae673f63f94e598453de0be7

SHA1
8675868331128c6ef6295ae5fde8db834d5cbb98

SHA256
ecd1779bf311ffcd4a91e0355a37dbb3614aa97adf31eb122822f981c1cf2cf7

SHA512
d8227964bdb108dbf14f7206cb6d5b65a67746c9debe4af6b068f92fbb70d342bedfbc5a312aea5003a434b9b9c14b9ce98bdd46b56a69eecb7ecdde8ed7c2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

Filesize
225B

MD5
0e66900340fc19323c256461904893d9

SHA1
daf382f14a93f5cc7a839f0d2914a7fe699cbbee

SHA256
3c0466e79066d63e524f4b8f5423409a9fcfa769334cde7b1628d5f86265be10

SHA512
2c446d717530e6e73c59f965b034ca9cd92409d5eeb2f60c9d001ef0f905e09864ab0448b929deea46a25bdab707ae61d45ab78c23cb37a6dc6c0eb85300b2b8

Download Submit
memory/824-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-6-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-5-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-38-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-35-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-33-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-30-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-29-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-24-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-0-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/824-18-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-16-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-8-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-49-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-50-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/824-53-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/824-54-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/824-55-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/824-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-12-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-88-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/824-87-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/824-14-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-10-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-4-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/824-2-0x00000000028E0000-0x00000000028EB000-memory.dmp

Filesize
44KB

Download
memory/824-1-0x00000000028E0000-0x00000000028EB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads