cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8

Analysis

max time kernel
142s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
Size

1.9MB
MD5

863d307dd132c2a7502946280257e058
SHA1

f7ec3a87c5e4cb87ec39e1b62b741b8e45eab1ba
SHA256

cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8
SHA512

1575d8c638038a4ae3b46913e874f3c4a50a45f1de1cc4527afb7853b0e683d336ecf879198c41add1f7c59056c59892754603317bc1dcd2e6d3287105d5f862
SSDEEP

49152:E6tTHSd+IGgCNiJrAVja0W0iVwZJOorqGW:E8q+I6NQrS80iVwTjr7W

Score

7^/10

bootkit discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4148	Bugreport-1310826.dll

Loads dropped DLL 1 IoCs

pid	Process
1212	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1212-0-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral2/memory/1212-33-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-17-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-41-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-49-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-52-0x0000000002DF0000-0x0000000002E62000-memory.dmp	upx
behavioral2/memory/1212-51-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-45-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-39-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-37-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-35-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-31-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-29-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-28-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-26-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-50-0x0000000002DF0000-0x0000000002E62000-memory.dmp	upx
behavioral2/memory/1212-23-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-21-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-19-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-15-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-13-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-47-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-11-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-43-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-9-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-8-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-7-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-6-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-55-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral2/memory/1212-56-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral2/memory/1212-58-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral2/memory/1212-59-0x0000000002DF0000-0x0000000002E62000-memory.dmp	upx
behavioral2/files/0x00070000000234ba-66.dat	upx
behavioral2/memory/1212-67-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral2/memory/4148-69-0x0000000000400000-0x0000000000442200-memory.dmp	upx
behavioral2/memory/4148-87-0x0000000000400000-0x0000000000442200-memory.dmp	upx
behavioral2/memory/1212-180-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral2/memory/1212-276-0x0000000000400000-0x00000000008EF200-memory.dmp	upx
behavioral2/memory/1212-286-0x0000000000400000-0x00000000008EF200-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bugreport-1310826.dll

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1212	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
1212	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
1212	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
1212	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1212	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
1212	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
1212	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
1212	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
1212	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
1212	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
4148	Bugreport-1310826.dll

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 4148	1212	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe	88
PID 1212 wrote to memory of 4148	1212	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe	88
PID 1212 wrote to memory of 4148	1212	cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe	88

C:\Users\Admin\AppData\Local\Temp\cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe
"C:\Users\Admin\AppData\Local\Temp\cf5e1e2cce6d86301a595aa315fa919f385e1111f11057f2055d1802767875f8.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\data\Bugreport-1310826.dll
  C:\Users\Admin\AppData\Local\Temp\data\Bugreport-1310826.dll Bugreport %E9%AA%A8%E5%A4%B4QQ%E9%99%8C%E7%94%9F%E7%A9%BA%E9%97%B4%E7%95%99%E7%97%95%E8%B5%9E%20
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data\Bugreport-1310826.dll

Filesize
82KB

MD5
b03a141036cb4e2bb0b5501e3f95fd8d

SHA1
cbc5a9a10b75ad292fd11ddd8a865987e710429e

SHA256
6a40fdde989da032b7fcf575184907ef04cf145ae132ee8bd973628121d77f94

SHA512
33a544c10919b9a4f016735b3a3f8659281fa06fb0da7a91ede0bb12c52c28ed58b605ae98cba469bd0bfc67b02692fbb49c7d1ba0a7dba4e4df380e036705b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini

Filesize
114B

MD5
0ff667932e31a9fbc36cf42807c3ee83

SHA1
e34531ce173b11c340986720c858ab4383af93b9

SHA256
f5f723c76d0c7fe4916ef33ffd62621e88cd83a2331ce3c178c3e05ace70288d

SHA512
4cfdb31cb3589b6105493997e7dda37c50f6f3f650207647e9af0c5bfd13e28c854f43ac79565b799d732d49effc649283cd5a14c14962a3456d3b19693f3564

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport_error.ini

Filesize
133B

MD5
2ed5b8cb96f07059db005a7d2330c068

SHA1
f522e9e21ba6ea2eed1cb126eeeec3081619dc3b

SHA256
8b07da021071c82a55287184a611ae758aa87c5ad28246f6c37c85485595de5d

SHA512
e8683b7d16ae160a377e902392b9ce1ee7e66e06b3250cd30dffaa80803453e4bebf90db6b5035cb8521446e3fe676745b6c73b759895db0d5e07da628c601bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\ÕËºÅÁÐ±í.PLFX

Filesize
548B

MD5
c86b5d4573b5033f5aa44e574219923d

SHA1
e69d2a26235abbbfd483910e9a4064042a12fa96

SHA256
0563973d5e68d56173f00d7b07defcab4ba648424d7a200db1fa230f7be10783

SHA512
d36784361b0ff4b7685081b30a4344ec3a38c4e9ebe8b17d18be176c94319328900e48901ca9b55dc63b5eaca949c9c35d09e84e032e0e0f7cd6a26c49b5801e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iext1.fnr.bbs.125.la

Filesize
724KB

MD5
a96fbd5e66b31f3d816ad80f623e9bd9

SHA1
4eda42260bd3eb930cd4eafd7d15c6af367bcf18

SHA256
2e67ba278646fde95bb614dcbcc7da1c6bf7976c918b2c6ad3d78640000326f3

SHA512
43921107313775ea14b1bd33cf758c13798f4fa1c1074771c1c96b1b43b98f3416d249ed8ab3171383772d0054829c3754a91b5e94135f1df6d67a76f599c80e

Download Submit
memory/1212-35-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-43-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-51-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-45-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-39-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-37-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-0-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/1212-31-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-29-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-28-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-26-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-50-0x0000000002DF0000-0x0000000002E62000-memory.dmp

Filesize
456KB

Download
memory/1212-23-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-21-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-19-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-15-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-13-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-47-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-11-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-52-0x0000000002DF0000-0x0000000002E62000-memory.dmp

Filesize
456KB

Download
memory/1212-9-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-8-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-7-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-6-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-55-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/1212-56-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/1212-58-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-59-0x0000000002DF0000-0x0000000002E62000-memory.dmp

Filesize
456KB

Download
memory/1212-49-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-67-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/1212-286-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/1212-41-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-17-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-276-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/1212-89-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/1212-33-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1212-180-0x0000000000400000-0x00000000008EF200-memory.dmp

Filesize
4.9MB

Download
memory/4148-87-0x0000000000400000-0x0000000000442200-memory.dmp

Filesize
264KB

Download
memory/4148-69-0x0000000000400000-0x0000000000442200-memory.dmp

Filesize
264KB

Download