cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
Size

1.9MB
MD5

863d307dd132c2a7502946280257e058
SHA1

f7ec3a87c5e4cb87ec39e1b62b741b8e45eab1ba
SHA256

cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8
SHA512

1575d8c638038a4ae3b46913e874f3c4a50a45f1de1cc4527afb7853b0e683d336ecf879198c41add1f7c59056c59892754603317bc1dcd2e6d3287105d5f862
SSDEEP

49152:E6tTHSd+IGgCNiJrAVja0W0iVwZJOorqGW:E8q+I6NQrS80iVwTjr7W

Score

7^/10

bootkit discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1100	Bugreport-524574.dll

Loads dropped DLL 3 IoCs

pid	Process
2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2624-0-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral1/memory/2624-8-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-7-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-5-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-6-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-10-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-50-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-49-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-48-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-46-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-44-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-42-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-40-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-38-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-36-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-34-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-32-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-30-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-28-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-26-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-24-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-22-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-20-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-18-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-16-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-14-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-12-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-52-0x00000000024D0000-0x0000000002542000-memory.dmp	upx
behavioral1/memory/2624-51-0x00000000024D0000-0x0000000002542000-memory.dmp	upx
behavioral1/memory/2624-55-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral1/memory/2624-56-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral1/memory/2624-57-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2624-59-0x00000000024D0000-0x0000000002542000-memory.dmp	upx
behavioral1/files/0x0007000000019803-65.dat	upx
behavioral1/memory/1100-74-0x0000000000400000-0x0000000000442200-memory.dmp	upx
behavioral1/memory/1100-92-0x0000000000400000-0x0000000000442200-memory.dmp	upx
behavioral1/memory/2624-133-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral1/memory/2624-219-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral1/memory/2624-359-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral1/memory/2624-438-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral1/memory/2624-522-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral1/memory/2624-7303-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral1/memory/2624-7304-0x00000000024D0000-0x0000000002542000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bugreport-524574.dll

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
1100	Bugreport-524574.dll

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 1100	2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe	32
PID 2624 wrote to memory of 1100	2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe	32
PID 2624 wrote to memory of 1100	2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe	32
PID 2624 wrote to memory of 1100	2624	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe	32

C:\Users\Admin\AppData\Local\Temp\cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
"C:\Users\Admin\AppData\Local\Temp\cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524574.dll
  C:\Users\Admin\AppData\Local\Temp\data\Bugreport-524574.dll Bugreport %E9%AA%A8%E5%A4%B4QQ%E9%99%8C%E7%94%9F%E7%A9%BA%E9%97%B4%E7%95%99%E7%97%95%E8%B5%9E%20
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini

Filesize
113B

MD5
d4ff7a9a4d86d38bb9cf53e48f5a5a6d

SHA1
374447887401c5bae63352926a70201a9b1e72e7

SHA256
8b785273b451511c9a220f3b19a149b5650fdee01fc4ef3ee06f18a37e321b21

SHA512
ec97f271acde264434910ea3166f0d802ee84889daf466261f58a18ae1f68032edaadc3bc6d7a59d3564b5df9c586ef01a083ea0d957e8eb7cfc2f97d877aced

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport_error.ini

Filesize
133B

MD5
89058a7e470a0f43b03cf6c27d214354

SHA1
4900de8849a32baff7ff1fd7fcc38383e232004d

SHA256
1427778f8eb2161da2475cdde27bca41ed55d4f420c8f91cddd2c21d1c455a29

SHA512
810369cc87d184d2bc55f51879c6f1f8d590ea5030949ea916191db064c18f1d61f26ebd509aa1ef9e023dfe0c2372d4e7466ca9aa5646e32457d98c9fd22f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\ÕËºÅÁÐ±í.PLFX

Filesize
548B

MD5
529a2fe4ee9ee5472fbd979a5194ab49

SHA1
ef6ae909ba52d296ad928fa93ac1249b2e6c337e

SHA256
3ab2cd378825f3c7a672d76ca700fa42b17f520b8a6971b61d207307801694fb

SHA512
66b32c3bcc5c19a95c40ca7e3fcfade57b39135d853b313408f838a1dcabf5a0142d48d9bad8c037a122adbcb186f382f987c3b610535af308729627f47f67d1

Download Submit
\Users\Admin\AppData\Local\Temp\data\Bugreport-524574.dll

Filesize
82KB

MD5
0aae9f149384ddefaf19a2f292b8c8ad

SHA1
ef8c93f96f2b54066875ba2a23eb5515891b38a6

SHA256
c11ca4f594735ef256ac0bc17e03e96d3668687e36d72a007721845cc3ebad61

SHA512
ae67b1a87ca56c68e26a942a7563338f51c124e99422c5c258b89184b9404f0825b90679398afe5f5d96680c941bdfd1aec3672fb85a3f08575e9f17cdb71457

Download Submit
\Users\Admin\AppData\Local\Temp\iext1.fnr.bbs.125.la

Filesize
724KB

MD5
a96fbd5e66b31f3d816ad80f623e9bd9

SHA1
4eda42260bd3eb930cd4eafd7d15c6af367bcf18

SHA256
2e67ba278646fde95bb614dcbcc7da1c6bf7976c918b2c6ad3d78640000326f3

SHA512
43921107313775ea14b1bd33cf758c13798f4fa1c1074771c1c96b1b43b98f3416d249ed8ab3171383772d0054829c3754a91b5e94135f1df6d67a76f599c80e

Download Submit
memory/1100-92-0x0000000000400000-0x0000000000442200-memory.dmp

Filesize
264KB

Download
memory/1100-74-0x0000000000400000-0x0000000000442200-memory.dmp

Filesize
264KB

Download
memory/2624-40-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-55-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/2624-48-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-46-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-44-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-42-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-0-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/2624-38-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-36-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-34-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-32-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-30-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-28-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-26-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-24-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-22-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-20-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-18-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-16-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-14-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-12-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-52-0x00000000024D0000-0x0000000002542000-memory.dmp

Filesize
456KB

Download
memory/2624-51-0x00000000024D0000-0x0000000002542000-memory.dmp

Filesize
456KB

Download
memory/2624-49-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-56-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/2624-57-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-59-0x00000000024D0000-0x0000000002542000-memory.dmp

Filesize
456KB

Download
memory/2624-50-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-10-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-73-0x0000000005570000-0x00000000055B3000-memory.dmp

Filesize
268KB

Download
memory/2624-72-0x0000000005570000-0x00000000055B3000-memory.dmp

Filesize
268KB

Download
memory/2624-6-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-5-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-7-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-94-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2624-8-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2624-133-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/2624-219-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/2624-317-0x0000000005570000-0x00000000055B3000-memory.dmp

Filesize
268KB

Download
memory/2624-359-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/2624-438-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/2624-522-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/2624-7303-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/2624-7305-0x0000000005570000-0x00000000055B3000-memory.dmp

Filesize
268KB

Download
memory/2624-7304-0x00000000024D0000-0x0000000002542000-memory.dmp

Filesize
456KB

Download