85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0

Analysis

max time kernel
144s
max time network
145s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 12:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
Size

1.8MB
MD5

803b1598849148840e7a7e087bd37b8b
SHA1

4d47bdee86da747cab6b639f26f8be38192a6068
SHA256

85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0
SHA512

b9f63791cde76d64570ca9b460a7fea3ebfd70db86075ba3fadc51efcffaa77ae6b044959a93ad559436e8a6797557566b18bb2d2825d062eab4d88b5eeca5bc
SSDEEP

49152:xsV2ll8xUi+yYrqguI0L8S7/pXhTykNljrPAVpTMSm:WV27cUPBqNIY8MCkLHuTMz

Score

8^/10

bootkit discovery persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
296	Bugreport-459194.dll

Loads dropped DLL 5 IoCs

pid	Process
2488	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
2488	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2488-0-0x0000000000400000-0x0000000000898200-memory.dmp	upx
behavioral1/memory/2488-55-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-53-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-57-0x0000000002910000-0x0000000002982000-memory.dmp	upx
behavioral1/memory/2488-56-0x0000000002910000-0x0000000002982000-memory.dmp	upx
behavioral1/memory/2488-51-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-49-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-45-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-40-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-35-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-36-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-33-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-31-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-28-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-23-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-24-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-21-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-17-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-16-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-14-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-12-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-8-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-7-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-6-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-5-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-48-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-42-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-60-0x0000000000400000-0x0000000000898200-memory.dmp	upx
behavioral1/memory/2488-61-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/2488-63-0x0000000002910000-0x0000000002982000-memory.dmp	upx
behavioral1/memory/2488-62-0x0000000000400000-0x0000000000898200-memory.dmp	upx
behavioral1/files/0x000700000001923b-67.dat	upx
behavioral1/memory/2488-71-0x0000000005460000-0x00000000058F9000-memory.dmp	upx
behavioral1/memory/3024-124-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3024-96-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3024-94-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3024-92-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3024-90-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3024-88-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3024-86-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3024-84-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3024-82-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3024-81-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3024-78-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/3024-75-0x0000000000400000-0x0000000000898200-memory.dmp	upx
behavioral1/memory/2488-74-0x0000000000400000-0x0000000000898200-memory.dmp	upx
behavioral1/memory/3024-126-0x0000000000400000-0x0000000000898200-memory.dmp	upx
behavioral1/memory/3024-127-0x0000000010000000-0x000000001003F000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bugreport-459194.dll

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2488	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
2488	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
2488	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
2488	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2488	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
2488	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
2488	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
296	Bugreport-459194.dll

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 3024	2488	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe	31
PID 2488 wrote to memory of 3024	2488	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe	31
PID 2488 wrote to memory of 3024	2488	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe	31
PID 2488 wrote to memory of 3024	2488	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe	31
PID 3024 wrote to memory of 296	3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe	33
PID 3024 wrote to memory of 296	3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe	33
PID 3024 wrote to memory of 296	3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe	33
PID 3024 wrote to memory of 296	3024	85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe	33

C:\Users\Admin\AppData\Local\Temp\85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
"C:\Users\Admin\AppData\Local\Temp\85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe
  "C:\Users\Admin\AppData\Local\Temp\85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe" 2488
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\data\Bugreport-459194.dll
    C:\Users\Admin\AppData\Local\Temp\data\Bugreport-459194.dll Bugreport %E7%A7%92%E8%AF%84%E7%A7%92%20
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data\Bugreport.ini

Filesize
80B

MD5
d9f8f8b7f478753aea96d95fd3cabaff

SHA1
ac6cb7f9d626b6f73fe94c5f290bfa3e116df626

SHA256
17c65f1c428f7413566fd7b60f47227182e57c74bb4e332659aff0117e7b8888

SHA512
21e55ba12b4ecf8dc04a4ae13915cf141d3cbdfab799c6ba217d16e2c6633a47ab415dc29bef4a76309913458f4c39cfd40df235d33b9b003e395b8b64639c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Bugreport_error.ini

Filesize
105B

MD5
b8cec2fa133f2b16f3f54da073a1e787

SHA1
2bffd9dd8e566adc8c333973601f9d530a26536a

SHA256
8280360b992ae955cc9de6561ee4cb286b188fcd556fada083515ece225c3739

SHA512
bc050a36998461124d6690edf227e24c37f0ac04e25a9888df2360dd2209a27a70b850474f75c529d7300c30c730c38ad6129286556ec19d6503b94d9c481536

Download Submit
\Users\Admin\AppData\Local\Temp\85d6c9ceac36c6e5ae4b49ab9dbd6bf86064952177d3e948d78a3ebad7ace0f0.exe

Filesize
1.8MB

MD5
087b3119b634a86514a955e230e41155

SHA1
22c14fa03ad31e6a74cbda5831f28888a54aab6b

SHA256
eab0f213629799c42a8e1c74acaacbb2a61c6624b22491ecc6d94cbdbcbf20c1

SHA512
000ee39747e121452aa12c1a01c36346143fbec1c7546dc8cedbbe58096389691e4018f59ccee069ca1c4c7a0d67a1e86ed1a52dd7d5e0952003d37d95acf242

Download Submit
\Users\Admin\AppData\Local\Temp\data\Bugreport-459194.dll

Filesize
168KB

MD5
5129a1b4bf5e150dfdd1ef40e6194105

SHA1
4abe7f777c10a6caa2162743f84fa2a9e512d798

SHA256
5ee3930b542d9f3c58f61af259e6cc4215dc77eebf125799c1d8f4dca8e76386

SHA512
da630d97489d59757d75f7ddd5157cba1313a372794205d8430ef88ed4e77e38dbd0da3098e6dd16c95b1c5e9bc307290b09a448e79db456e5d83850b23193c0

Download Submit
\Users\Admin\AppData\Local\Temp\iext1.fnr.bbs.125.la

Filesize
724KB

MD5
a96fbd5e66b31f3d816ad80f623e9bd9

SHA1
4eda42260bd3eb930cd4eafd7d15c6af367bcf18

SHA256
2e67ba278646fde95bb614dcbcc7da1c6bf7976c918b2c6ad3d78640000326f3

SHA512
43921107313775ea14b1bd33cf758c13798f4fa1c1074771c1c96b1b43b98f3416d249ed8ab3171383772d0054829c3754a91b5e94135f1df6d67a76f599c80e

Download Submit
memory/296-144-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/296-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2488-5-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-61-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-51-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-49-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-45-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-40-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-35-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-36-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-33-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-31-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-28-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-23-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-24-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-21-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-17-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-16-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-14-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-12-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-8-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-7-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-6-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-57-0x0000000002910000-0x0000000002982000-memory.dmp

Filesize
456KB

Download
memory/2488-48-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-42-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-60-0x0000000000400000-0x0000000000898200-memory.dmp

Filesize
4.6MB

Download
memory/2488-56-0x0000000002910000-0x0000000002982000-memory.dmp

Filesize
456KB

Download
memory/2488-63-0x0000000002910000-0x0000000002982000-memory.dmp

Filesize
456KB

Download
memory/2488-62-0x0000000000400000-0x0000000000898200-memory.dmp

Filesize
4.6MB

Download
memory/2488-71-0x0000000005460000-0x00000000058F9000-memory.dmp

Filesize
4.6MB

Download
memory/2488-74-0x0000000000400000-0x0000000000898200-memory.dmp

Filesize
4.6MB

Download
memory/2488-0-0x0000000000400000-0x0000000000898200-memory.dmp

Filesize
4.6MB

Download
memory/2488-55-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2488-53-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3024-75-0x0000000000400000-0x0000000000898200-memory.dmp

Filesize
4.6MB

Download
memory/3024-126-0x0000000000400000-0x0000000000898200-memory.dmp

Filesize
4.6MB

Download
memory/3024-88-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3024-86-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3024-84-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3024-82-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3024-81-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3024-78-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3024-90-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3024-127-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3024-92-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3024-142-0x0000000004F50000-0x0000000004F89000-memory.dmp

Filesize
228KB

Download
memory/3024-141-0x0000000004F50000-0x0000000004F89000-memory.dmp

Filesize
228KB

Download
memory/3024-94-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3024-96-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3024-124-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/3024-179-0x0000000004F50000-0x0000000004F89000-memory.dmp

Filesize
228KB

Download