63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2

General

Target

63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe
Size

1.4MB
MD5

44f03aa6e9f8e6dd2559693582ed5778
SHA1

59d2bccb460b841aa562adabc04b8759cbd0b432
SHA256

63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2
SHA512

9057c16d33d1e7c912563dd0c6a4a127ab36e3ac28af39cb650c19d47b41715f3693d4b0a047ac113ae17847f5e29a829041070c643b253fc121881e66959638
SSDEEP

24576:lit/4ruZ0S7sMWE+bt0hKFXhzJ0WI3OTGgHAtHGRS4T6gigpgdCdg:M5ZZD7NBsFXhGWIOpHAHG8oYC6

Score

9^/10

bootkit oss_ak persistence upx

Malware Config

Signatures

detect oss ak 12 IoCs

oss ak information detected.

oss_ak

Processes:

resource	yara_rule
behavioral1/memory/1912-58-0x0000000000400000-0x0000000000838200-memory.dmp	detect_ak_stuff
behavioral1/memory/1912-64-0x0000000000400000-0x0000000000838200-memory.dmp	detect_ak_stuff
behavioral1/memory/1912-102-0x0000000000400000-0x0000000000838200-memory.dmp	detect_ak_stuff
behavioral1/memory/1912-107-0x0000000000400000-0x0000000000838200-memory.dmp	detect_ak_stuff
behavioral1/memory/1912-116-0x0000000000400000-0x0000000000838200-memory.dmp	detect_ak_stuff
behavioral1/memory/1912-121-0x0000000000400000-0x0000000000838200-memory.dmp	detect_ak_stuff
behavioral1/memory/1912-130-0x0000000000400000-0x0000000000838200-memory.dmp	detect_ak_stuff
behavioral1/memory/1912-134-0x0000000000400000-0x0000000000838200-memory.dmp	detect_ak_stuff
behavioral1/memory/1912-135-0x0000000000400000-0x0000000000838200-memory.dmp	detect_ak_stuff
behavioral1/memory/1912-136-0x0000000000400000-0x0000000000838200-memory.dmp	detect_ak_stuff
behavioral1/memory/1912-137-0x0000000000400000-0x0000000000838200-memory.dmp	detect_ak_stuff
behavioral1/memory/1912-138-0x0000000000400000-0x0000000000838200-memory.dmp	detect_ak_stuff

Executes dropped EXE 1 IoCs

Processes:

Bugreport-262558.dll

pid process

1600 Bugreport-262558.dll

pid	process
1600	Bugreport-262558.dll

Loads dropped DLL 2 IoCs

Processes:

63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe

pid	process
1912	63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe
1912	63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1912-0-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-1-0x0000000000400000-0x0000000000838200-memory.dmp	upx
behavioral1/memory/1912-4-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-37-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-53-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-52-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-49-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-47-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-45-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-42-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-40-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-34-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-54-0x0000000002600000-0x0000000002672000-memory.dmp	upx
behavioral1/memory/1912-55-0x0000000002600000-0x0000000002672000-memory.dmp	upx
behavioral1/memory/1912-31-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-29-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-25-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-24-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-22-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-19-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-17-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-15-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-10-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-11-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-8-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-3-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-2-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-58-0x0000000000400000-0x0000000000838200-memory.dmp	upx
behavioral1/memory/1912-60-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1912-62-0x0000000002600000-0x0000000002672000-memory.dmp	upx
behavioral1/memory/1912-64-0x0000000000400000-0x0000000000838200-memory.dmp	upx
behavioral1/memory/1912-102-0x0000000000400000-0x0000000000838200-memory.dmp	upx
behavioral1/memory/1912-107-0x0000000000400000-0x0000000000838200-memory.dmp	upx
behavioral1/memory/1912-116-0x0000000000400000-0x0000000000838200-memory.dmp	upx
behavioral1/memory/1912-121-0x0000000000400000-0x0000000000838200-memory.dmp	upx
behavioral1/memory/1912-130-0x0000000000400000-0x0000000000838200-memory.dmp	upx
behavioral1/memory/1912-134-0x0000000000400000-0x0000000000838200-memory.dmp	upx
behavioral1/memory/1912-135-0x0000000000400000-0x0000000000838200-memory.dmp	upx
behavioral1/memory/1912-136-0x0000000000400000-0x0000000000838200-memory.dmp	upx
behavioral1/memory/1912-137-0x0000000000400000-0x0000000000838200-memory.dmp	upx
behavioral1/memory/1912-138-0x0000000000400000-0x0000000000838200-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe

description ioc process

File opened for modification \??\PhysicalDrive0 63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe

pid process

1912 63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exeBugreport-262558.dll

pid	process
1912	63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe
1912	63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe
1912	63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe
1912	63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe
1600	Bugreport-262558.dll

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe

description	pid	process	target process
PID 1912 wrote to memory of 1600	1912	63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe	Bugreport-262558.dll
PID 1912 wrote to memory of 1600	1912	63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe	Bugreport-262558.dll
PID 1912 wrote to memory of 1600	1912	63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe	Bugreport-262558.dll
PID 1912 wrote to memory of 1600	1912	63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe	Bugreport-262558.dll

C:\Users\Admin\AppData\Local\Temp\63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe
"C:\Users\Admin\AppData\Local\Temp\63dda37804a7e693d0c29109a4820266cf1a3d71fe31365124dd37a543c4cea2.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-262558.dll
C:\Users\Admin\AppData\Local\Temp\data\Bugreport-262558.dll Bugreport %E9%AA%A8%E5%A4%B4QQ%E7%A9%BA%E9%97%B4%E8%AE%BF%E5%AE%A2%E7%9B%91%E6%8E%A7%E6%8F%90%20
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini
Filesize
113B

MD5
5f6e15c1e9e6f5692e131222cc026a91

SHA1
9ebde1096802864802a53ea64269e2c000fbf624

SHA256
79249b50cb8da364ad4f0b76394ad587e6c45da314ee72c98057bf070afb61bc

SHA512
d9b12ce4df8c35e53233cc526d450f9bb9265d28129209247e891751b4ea51290572f35a393a1f811f18062bf2c136f9d971589873d9176169b14fd13dac1255

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport_error.ini
Filesize
133B

MD5
6f9cbd7ce5b4f59737a3f10ed8fb632b

SHA1
bd592062b4bb145efaddcf164da6f64ad9b75844

SHA256
69d885a370e7311c792a4f56f341190be0ce19dc39eaee7f0f294ff717af4603

SHA512
7362014c048dc3b92c983fb3dc93fa8dd0938aea8a057aae6f93645de603cfe7d349cee16ef7d2e82548024157f1786f9758576385baf47533c5e454b6b1dd90

Download Submit
\Users\Admin\AppData\Local\Temp\data\Bugreport-262558.dll
Filesize
164KB

MD5
7fdb3cf6274195df5710ee4d4b8a79cd

SHA1
3066dd0d224310f2fb611bcb859830507d34bf29

SHA256
c02a8a03e0e9ea75d6d125afb2480b2d18df3aa6b01c4676b9e47c16a26e6fe2

SHA512
2fb62592a872a0e344fa6c7b73eafa393bd5c638b881bd38e087921adc42032a59b837826b5dea670124e7e9e877dc83d18645404fec146abda3afb56fc708df

Download Submit
memory/1600-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1600-79-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1912-54-0x0000000002600000-0x0000000002672000-memory.dmp

Filesize
456KB

Download
memory/1912-45-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-47-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-2-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-42-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-40-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-34-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-0-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-55-0x0000000002600000-0x0000000002672000-memory.dmp

Filesize
456KB

Download
memory/1912-31-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-29-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-25-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-24-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-22-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-19-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-58-0x0000000000400000-0x0000000000838200-memory.dmp

Filesize
4.2MB

Download
memory/1912-15-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-10-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-11-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-8-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-137-0x0000000000400000-0x0000000000838200-memory.dmp

Filesize
4.2MB

Download
memory/1912-49-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-17-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-60-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-62-0x0000000002600000-0x0000000002672000-memory.dmp

Filesize
456KB

Download
memory/1912-64-0x0000000000400000-0x0000000000838200-memory.dmp

Filesize
4.2MB

Download
memory/1912-52-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-72-0x0000000004A40000-0x0000000004A78000-memory.dmp

Filesize
224KB

Download
memory/1912-53-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-78-0x0000000004A40000-0x0000000004A78000-memory.dmp

Filesize
224KB

Download
memory/1912-37-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-4-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-1-0x0000000000400000-0x0000000000838200-memory.dmp

Filesize
4.2MB

Download
memory/1912-102-0x0000000000400000-0x0000000000838200-memory.dmp

Filesize
4.2MB

Download
memory/1912-107-0x0000000000400000-0x0000000000838200-memory.dmp

Filesize
4.2MB

Download
memory/1912-116-0x0000000000400000-0x0000000000838200-memory.dmp

Filesize
4.2MB

Download
memory/1912-121-0x0000000000400000-0x0000000000838200-memory.dmp

Filesize
4.2MB

Download
memory/1912-130-0x0000000000400000-0x0000000000838200-memory.dmp

Filesize
4.2MB

Download
memory/1912-134-0x0000000000400000-0x0000000000838200-memory.dmp

Filesize
4.2MB

Download
memory/1912-135-0x0000000000400000-0x0000000000838200-memory.dmp

Filesize
4.2MB

Download
memory/1912-136-0x0000000000400000-0x0000000000838200-memory.dmp

Filesize
4.2MB

Download
memory/1912-3-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1912-138-0x0000000000400000-0x0000000000838200-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads