31307fd48576c3d1a61fbc70e6f7a63d39d903dea4b1a8d47089ad15ce3632a6

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 18:44

Target

Bypass-Tools/U952.exe
Size

481KB
MD5

bb621c35f2bccc16874fdbeb4bb3fe91
SHA1

d68138e1183320e08baa42c7e7b9f57ea868cb3d
SHA256

cbc3ba3c40a9c28ac01792fbf06256176bdfbcd9bcc11963d3bc44528924a4a3
SHA512

9c0a5a77a9a2d001cc94e94b710e14a88f60f34f940a21e30655703133cf187111243a75f8e315445b20ef23a1d2a8cffde70c6b7638b7fe488c6426093d2a99
SSDEEP

12288:+YSoGZKu26s2vEZZH+MJyVg5Qy5sZ0kVd3dffu:R3GZKu2N2vEZZH+MUVqjyZFNfu

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

U95.exe

pid process

1752 U95.exe
Loads dropped DLL 2 IoCs

Processes:

U952.exe

pid process

2972 U952.exe
2972 U952.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2972	U952.exe
2972	U952.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\U95.exe	vmprotect
behavioral5/memory/2972-8-0x0000000002720000-0x0000000002835000-memory.dmp	vmprotect
behavioral5/memory/1752-11-0x0000000000400000-0x0000000000515000-memory.dmp	vmprotect
behavioral5/memory/1752-12-0x0000000000400000-0x0000000000515000-memory.dmp	vmprotect
behavioral5/memory/1752-25-0x0000000000400000-0x0000000000515000-memory.dmp	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

U95.exe

description ioc process

File opened for modification \??\PhysicalDrive0 U95.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	U95.exe

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

U95.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

U952.exe

description	pid	process	target process
PID 2972 wrote to memory of 1752	2972	U952.exe	U95.exe
PID 2972 wrote to memory of 1752	2972	U952.exe	U95.exe
PID 2972 wrote to memory of 1752	2972	U952.exe	U95.exe
PID 2972 wrote to memory of 1752	2972	U952.exe	U95.exe

\Users\Admin\AppData\Local\Temp\U95.exe
Filesize
456KB

MD5
88a02758a8359def232956ef028b2b77

SHA1
dd1fccb97d90f4aa00a2bed174dba1e4d9e87df4

SHA256
82fdfd5ae773400174f6ef910f63fb322dde38cc9ae39d1d009466bf28d4e0ff

SHA512
17c304840389e650479b9877882b955d7491c6a9b502b7957782f86c01c8b55c2e8435c8a6f0d353c8c166ecc98aa7435690e243631b9f9c64eabcf5da6b69dc

Download Submit
memory/1752-11-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1752-12-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1752-25-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2972-9-0x0000000002720000-0x0000000002835000-memory.dmp

Filesize
1.1MB

Download
memory/2972-8-0x0000000002720000-0x0000000002835000-memory.dmp

Filesize
1.1MB

Download