Overview
Analysis

- max time kernel: 152s
- max time network: 77s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 20-10-2021 09:41
Static task
- static1

Behavioral tasks (sample, resource)
- behavioral1: BS.exe, win7-en-20210920
- behavioral2: BS.exe, win10-en-20211014
- behavioral3: BuildS.exe, win7-en-20210920
- behavioral4: BuildS.exe, win10-en-20211014
- behavioral5: READS.exe, win7-en-20210920
- behavioral6: READS.exe, win10-en-20211014
- behavioral7: baseus_nowin.exe, win7-en-20210920
- behavioral8: baseus_nowin.exe, win10-en-20210920
- behavioral9: rbs.exe, win7-en-20211014
- behavioral10: rbs.exe, win10-en-20210920
- behavioral11: scan.exe, win7-en-20211014
- behavioral12: scan.exe, win10-en-20210920
General

- Target: BS.exe
- Size: 53KB
- MD5: dd8cf1022f30071d6454e56340384f24
- SHA1: afa5ab499d41e91d1eae3427232460ebf6293d75
- SHA256: b9b81fa1b1e8ff2c42b654855121c7b38d8a876ccfe8b43ac48825a33a748128
- SHA512: 55aa1b193a6e9a40b252e93fb5d4841ea9eb7da0350c8a053524682e9aab7ebb2e0a6b7a72876631b09eb5c1f49bb06dc2b3595eead4334fb122a6bb8bfc7b0e
Malware Config

Extracted from C:\how_to_back_files.html

Email addresses:
- behappy123456@cock.li
- chinchoppa2299gayspilsss@yopmail.com
Signatures

- Blocklisted process makes network request (2 IoCs)
  Process: rundll32.exe
    flow 5, pid 1880, rundll32.exe
    flow 7, pid 1880, rundll32.exe

- Modifies extensions of user files (14 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: BS.exe
    File renamed C:\Users\Admin\Pictures\PingApprove.crw => C:\Users\Admin\Pictures\PingApprove.crw.bbuild
    File renamed C:\Users\Admin\Pictures\UnprotectReset.tiff => C:\Users\Admin\Pictures\UnprotectReset.tiff.bbuild
    File opened for modification C:\Users\Admin\Pictures\AddDeny.tiff
    File renamed C:\Users\Admin\Pictures\CheckpointResolve.tiff => C:\Users\Admin\Pictures\CheckpointResolve.tiff.bbuild
    File renamed C:\Users\Admin\Pictures\CompleteTrace.tiff => C:\Users\Admin\Pictures\CompleteTrace.tiff.bbuild
    File renamed C:\Users\Admin\Pictures\ConnectClose.png => C:\Users\Admin\Pictures\ConnectClose.png.bbuild
    File renamed C:\Users\Admin\Pictures\SubmitCopy.crw => C:\Users\Admin\Pictures\SubmitCopy.crw.bbuild
    File opened for modification C:\Users\Admin\Pictures\UnprotectReset.tiff
    File renamed C:\Users\Admin\Pictures\WatchClose.raw => C:\Users\Admin\Pictures\WatchClose.raw.bbuild
    File renamed C:\Users\Admin\Pictures\AddDeny.tiff => C:\Users\Admin\Pictures\AddDeny.tiff.bbuild
    File opened for modification C:\Users\Admin\Pictures\CompleteTrace.tiff
    File renamed C:\Users\Admin\Pictures\ResolveNew.tif => C:\Users\Admin\Pictures\ResolveNew.tif.bbuild
    File opened for modification C:\Users\Admin\Pictures\CheckpointResolve.tiff
    File renamed C:\Users\Admin\Pictures\MoveAdd.raw => C:\Users\Admin\Pictures\MoveAdd.raw.bbuild

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: BS.exe
    Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\BS.exe"

- Drops desktop.ini file(s) (28 IoCs)
  Process: BS.exe (all entries: File opened for modification)
    C:\Program Files (x86)\desktop.ini
    C:\Users\Public\Videos\desktop.ini
    C:\Users\Public\Pictures\Sample Pictures\desktop.ini
    C:\Users\Admin\Links\desktop.ini
    C:\Users\Admin\Favorites\desktop.ini
    C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
    C:\Users\Public\Videos\Sample Videos\desktop.ini
    C:\Users\Public\Music\Sample Music\desktop.ini
    C:\Users\Public\Libraries\desktop.ini
    C:\Users\Admin\Favorites\Links for United States\desktop.ini
    C:\Users\Admin\Documents\desktop.ini
    C:\Users\Admin\Desktop\desktop.ini
    C:\Users\Public\Pictures\desktop.ini
    C:\Users\Public\Music\desktop.ini
    C:\Users\Public\Downloads\desktop.ini
    C:\Users\Admin\Pictures\desktop.ini
    C:\Users\Admin\Music\desktop.ini
    C:\Users\Public\Recorded TV\desktop.ini
    C:\Users\Public\Documents\desktop.ini
    C:\Users\Admin\Videos\desktop.ini
    C:\Users\Admin\Saved Games\desktop.ini
    C:\Users\Admin\Searches\desktop.ini
    C:\Users\Admin\Downloads\desktop.ini
    C:\Users\Admin\Contacts\desktop.ini
    C:\Users\Public\desktop.ini
    C:\Users\Public\Recorded TV\Sample Media\desktop.ini
    C:\Users\Public\Desktop\desktop.ini
    C:\Users\Admin\Favorites\Links\desktop.ini

- Drops file in Program Files directory (64 IoCs)
  Process: BS.exe
    File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\how_to_back_files.html
    File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15184_.GIF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105490.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCH98SP.POC
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG
    File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Tags.accft
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\menu_arrow.gif
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\FAXEXT.ECF
    File created C:\Program Files (x86)\Microsoft Office\Office14\1033\how_to_back_files.html
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00564_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099175.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105230.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXT
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIcon.jpg
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\GIGGLE.WAV
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_F_COL.HXK
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08773_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV.HXS
    File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195342.WMF
    File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215709.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18248_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SCNPST64.DLL
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EntityDataHandler.dll
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTOC.XML
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPORTS.ICO
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01628_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198020.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABELHM.POC
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SAVE.GIF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASK.CFG
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086384.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105298.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200279.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.HOL
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4B.GIF
    File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\how_to_back_files.html
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00612_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0211981.WMF
    File created C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\how_to_back_files.html
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187819.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00076_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SegoeChess.ttf
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\TWLAY32.DLL
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACTS.ICO
    File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Sales Pipeline.accdt
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7EN.LEX
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART9.BDR
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105376.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Media.accdt
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLWVW.DLL.IDX_DLL
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\XLINTL32.DLL.IDX_DLL
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01044_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19988_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107146.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107358.WMF

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry class (3 IoCs)
  Process: rundll32.exe
    Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX
    Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1"
    Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation

- Suspicious use of WriteProcessMemory (7 IoCs)
  Process: BS.exe
    PID 1084 (BS.exe) wrote to memory of PID 1880 (rundll32.exe), recorded 7 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\BS.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\BS.exe"
   - Modifies extensions of user files
   - Adds Run key to start application
   - Drops desktop.ini file(s)
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {868c988d-ecf6-40cd-b1ab-8c5f0607dd95};C:\Users\Admin\AppData\Local\Temp\BS.exe;1084
      - Blocklisted process makes network request
      - Modifies registry class