e4b7bcb99c192f64d4e6c3edabd664fc9ebe878910cf34cd835c7460cf975d97

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fm_client.exe
Size

341KB
MD5

dd72809749cda5dfc6f8c6cc34116fe1
SHA1

7bedda259c173e14bdde9eb7e243f14fe6bd2ad2
SHA256

34d76572949133ee9f785d4f4a9862a7b2c2cbe2174b4adfb53198c4972a2fc9
SHA512

7e92b3bd1bf8b4b87b956a2e7d5dd858fdea3712d78af02f34b1629192df278ede81aef3845eec1ea4297a4639f32af8df772439bc339ebc3cb2953f008a32d3
SSDEEP

6144:oekd9k7xS2fNBO+WFhEbkwPXRf6rIiTyTF1AUtrlL1AGEotio6v8m:oTQVz70hekwZGGp1tth5tio6vd

Score

7^/10

bootkit discovery persistence upx vmprotect

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral13/memory/2876-0-0x0000000000400000-0x00000000004E2000-memory.dmp	upx
behavioral13/memory/2876-52-0x0000000000400000-0x00000000004E2000-memory.dmp	upx

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral13/memory/2316-46-0x0000000000400000-0x0000000001B78000-memory.dmp	vmprotect
behavioral13/memory/2316-47-0x0000000000400000-0x0000000001B78000-memory.dmp	vmprotect
behavioral13/memory/2316-48-0x0000000000400000-0x0000000001B78000-memory.dmp	vmprotect
behavioral13/memory/2316-49-0x0000000000400000-0x0000000001B78000-memory.dmp	vmprotect
behavioral13/memory/2316-50-0x0000000000400000-0x0000000001B78000-memory.dmp	vmprotect
behavioral13/memory/2316-83-0x0000000000400000-0x0000000001B78000-memory.dmp	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	fm_client.dll

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2316	fm_client.dll

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fm_client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fm_client.dll

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	fm_client.dll
2316	fm_client.dll

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2316	2876	fm_client.exe	29
PID 2876 wrote to memory of 2316	2876	fm_client.exe	29
PID 2876 wrote to memory of 2316	2876	fm_client.exe	29
PID 2876 wrote to memory of 2316	2876	fm_client.exe	29
PID 2316 wrote to memory of 2580	2316	fm_client.dll	30
PID 2316 wrote to memory of 2580	2316	fm_client.dll	30
PID 2316 wrote to memory of 2580	2316	fm_client.dll	30
PID 2316 wrote to memory of 2580	2316	fm_client.dll	30

C:\Users\Admin\AppData\Local\Temp\fm_client.exe
"C:\Users\Admin\AppData\Local\Temp\fm_client.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\fm_client.dll
  C:\Users\Admin\AppData\Local\Temp\fm_client.dll -HWND=524684
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BASE\CONFIG.DAT

Filesize
26KB

MD5
5887a7b9f02562b8ea84cc2edf8791ff

SHA1
035166226628d56ea5868a6615e94592b02ed72e

SHA256
6e49c61f3f27996e89357ac51b92ff3b760411f30e841ede96b2d13fc7e04e44

SHA512
ca0fa8125ff6310b5ca30b8ed79a42f23c31fcf8b565a15f3a43b7513ed83bc8051f0796f9a7dce9012b03acec4d7d7c3ec77b59d378a93f759d376aad72ec5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BASE\CONFIG.IDX

Filesize
8KB

MD5
f8c52aecf6d22da1b5f37663c56634aa

SHA1
fe3dbd9a5b5ef0421ddb26d57c5d76c53ff38a23

SHA256
9b85b2b77b171588d31834f5e854e2be826aa9be594faff9a1a8da8d889f5f42

SHA512
69159f20ece77794551170dc0e11a6647b2427829ea58ef9086dfed7a8207536049cdab67318c68eca07a1b56211b06c8742a1e817262322aea858d75d6216cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEMP\13040.BLB

Filesize
512B

MD5
b48fe921c96ce8f34e44bb06ca81c98f

SHA1
5d01fa302372006db2fd9cf60a9b25901bb12cbc

SHA256
0423e2964d0d99d7956178ec4fff1d8e15836e01a828f367a06c1c2e73a2e5e0

SHA512
236a0d7eaf45dc1c09b474330fa390326a746c3f9551d4e0cd14e47c380a0573dcf1a3a4514f49b21911d70de4ea4e66901889367b95a609b573f50ab1af1886

Download Submit
memory/2316-17-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2316-83-0x0000000000400000-0x0000000001B78000-memory.dmp

Filesize
23.5MB

Download
memory/2316-15-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2316-38-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2316-37-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2316-35-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2316-33-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2316-32-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2316-30-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2316-27-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-25-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2316-22-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2316-20-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2316-12-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2316-46-0x0000000000400000-0x0000000001B78000-memory.dmp

Filesize
23.5MB

Download
memory/2316-10-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2316-40-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2316-8-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2316-7-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2316-5-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2316-3-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2316-47-0x0000000000400000-0x0000000001B78000-memory.dmp

Filesize
23.5MB

Download
memory/2316-48-0x0000000000400000-0x0000000001B78000-memory.dmp

Filesize
23.5MB

Download
memory/2316-49-0x0000000000400000-0x0000000001B78000-memory.dmp

Filesize
23.5MB

Download
memory/2316-50-0x0000000000400000-0x0000000001B78000-memory.dmp

Filesize
23.5MB

Download
memory/2316-82-0x0000000000B8D000-0x0000000001223000-memory.dmp

Filesize
6.6MB

Download
memory/2316-42-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2316-2-0x0000000000B8D000-0x0000000001223000-memory.dmp

Filesize
6.6MB

Download
memory/2876-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2876-52-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2876-0-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download