bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1

Analysis

max time kernel
82s
max time network
142s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe
Size

3.2MB
MD5

c52f5ca43480573ed5d4b5366fad2be0
SHA1

b3bec5af80d4f81f823a339229a6f4d5059498b7
SHA256

bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1
SHA512

1a57f394f1399da752592972a45790db00afdaed4b5e0d0e3f0ac371bb23a7706ad87849198ad57263ce4f67c1496a737eb333427f87d0e0c562387f1fa0f096

Score

8^/10

aspackv2 bootkit discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\ÉñÍ¾\bihustc.exe	aspack_v212_v242
\ÉñÍ¾\bihustc.exe	aspack_v212_v242
C:\ÉñÍ¾\bihustc.exe	aspack_v212_v242
\??\c:\ÉñÍ¾\bihustc.exe	aspack_v212_v242
\ÉñÍ¾\bihustc.exe	aspack_v212_v242
\ÉñÍ¾\bihustc.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

bihustc.exe

pid process

776 bihustc.exe
Deletes itself 1 IoCs

Processes:

bihustc.exe

pid process

776 bihustc.exe

pid	process
776	bihustc.exe

pid	process
776	bihustc.exe

Loads dropped DLL 4 IoCs

Processes:

bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exebihustc.exe

pid	process
1800	bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe
1800	bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe
776	bihustc.exe
776	bihustc.exe

Unexpected DNS network traffic destination 30 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.6.6.6
Destination IP	223.6.6.6
Destination IP	223.6.6.6
Destination IP	223.6.6.6
Destination IP	223.5.5.5
Destination IP	223.6.6.6
Destination IP	223.6.6.6
Destination IP	223.6.6.6
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.6.6.6
Destination IP	223.6.6.6
Destination IP	223.6.6.6
Destination IP	223.5.5.5

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exebihustc.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe
File opened for modification	\??\PhysicalDrive0	bihustc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

bihustc.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main bihustc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exebihustc.exe

pid process

1800 bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe
776 bihustc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	bihustc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	2008	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2008	AUDIODG.EXE
Token: 33	2008	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2008	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exebihustc.exe

pid	process
1800	bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe
1800	bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe
776	bihustc.exe
776	bihustc.exe
776	bihustc.exe
776	bihustc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe

description	pid	process	target process
PID 1800 wrote to memory of 776	1800	bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe	bihustc.exe
PID 1800 wrote to memory of 776	1800	bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe	bihustc.exe
PID 1800 wrote to memory of 776	1800	bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe	bihustc.exe
PID 1800 wrote to memory of 776	1800	bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe	bihustc.exe

C:\Users\Admin\AppData\Local\Temp\bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe
"C:\Users\Admin\AppData\Local\Temp\bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800

\??\c:\ÉñÍ¾\bihustc.exe
"c:\ÉñÍ¾\bihustc.exe" MOV 1800 C:\Users\Admin\AppData\Local\Temp\bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:776

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x544
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ÉñÍ¾\±Ú»¢ÉñÍ¾C.lnk
Filesize
594B

MD5
b4d33e00270ca3a7dc7b66eab1cf0228

SHA1
f50123ba04804b6b8c4fb068473cec06730dc47c

SHA256
509a2ae905eddb6687129186da65b46d62a1b52e28ff720170c5805aee4cc159

SHA512
e7fbb24653b3fee1204c6b0c29e5156c83d0e4c96a2646e88c214dd8dd754866dcf26385a576f647a15fa1dc493efcf3bc7ac895dcb2adefd74be88e012ff2fe

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ÉñÍ¾\Ð¶ÔØ±Ú»¢ÉñÍ¾C.lnk
Filesize
602B

MD5
9f015d8fbfc58ebc19febbccb76a2923

SHA1
e33be423d6f36d0e7c0620479d5dc2e397a97b22

SHA256
8aa9ab8ad0ea3eeef249fb64f77028e0f77f476bc275be46fa83f0b9b7f5ec05

SHA512
9214614d8266de55c093d808c4ef69e22b9576e91d51f2902401d06cd4054b03d76a1f055ae5434b1a9cb3e3b1702813a9b1e55e2ae2abe2ddd07dc2dd09cc1e

Download Submit
C:\Users\Public\Desktop\±Ú»¢ÉñÍ¾C.lnk
Filesize
409B

MD5
f84550646130a88fa94139a229ec86b7

SHA1
ba198f73f39d1a321d612b8825a24a1285e611c4

SHA256
59b1a9a41e7535645c9c924cf938115987667bfe8d6f6910889f32e50aff3adc

SHA512
f1049682e2842b6ceb2c5cecdd78f412f04f645710c94582c3646933e0106c06f503547c7e4449d4c9dd3317dd45978bf8de6190532bc9e3355c302d2602d37f

Download Submit
C:\ÉñÍ¾\bihustc.exe
Filesize
3.2MB

MD5
c52f5ca43480573ed5d4b5366fad2be0

SHA1
b3bec5af80d4f81f823a339229a6f4d5059498b7

SHA256
bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1

SHA512
1a57f394f1399da752592972a45790db00afdaed4b5e0d0e3f0ac371bb23a7706ad87849198ad57263ce4f67c1496a737eb333427f87d0e0c562387f1fa0f096

Download Submit
\??\c:\ÉñÍ¾\DownloadTemp\LoginServerList.xml
Filesize
7KB

MD5
c39b6868c3dfdd813db1804d71d1b4ca

SHA1
ecd4dc6be0e4919adcd0370b4062fa3a840a576f

SHA256
055a8abebe2f2fc6bd9cf2d87bdcfcffdbf3c6563cddabb09840a4d126e361f6

SHA512
13beaa0edbe24f0c5a73b45be6c43e65b54f07443d8e234908e5fb06d7d24485c6a5d89366b15398dfd065fbc072c35957d2c635068ebc227707237b4f8effa7

Download Submit
\??\c:\ÉñÍ¾\DownloadTemp\mtdl_OEMSVRLIST1_tmp.dat
Filesize
7KB

MD5
c39b6868c3dfdd813db1804d71d1b4ca

SHA1
ecd4dc6be0e4919adcd0370b4062fa3a840a576f

SHA256
055a8abebe2f2fc6bd9cf2d87bdcfcffdbf3c6563cddabb09840a4d126e361f6

SHA512
13beaa0edbe24f0c5a73b45be6c43e65b54f07443d8e234908e5fb06d7d24485c6a5d89366b15398dfd065fbc072c35957d2c635068ebc227707237b4f8effa7

Download Submit
\??\c:\ÉñÍ¾\DownloadTemp\mtdl_OEMSVRLIST3_tmp.dat
Filesize
7KB

MD5
c39b6868c3dfdd813db1804d71d1b4ca

SHA1
ecd4dc6be0e4919adcd0370b4062fa3a840a576f

SHA256
055a8abebe2f2fc6bd9cf2d87bdcfcffdbf3c6563cddabb09840a4d126e361f6

SHA512
13beaa0edbe24f0c5a73b45be6c43e65b54f07443d8e234908e5fb06d7d24485c6a5d89366b15398dfd065fbc072c35957d2c635068ebc227707237b4f8effa7

Download Submit
\??\c:\ÉñÍ¾\DownloadTemp\mtdl_OEMSVRLIST4_tmp.dat
Filesize
7KB

MD5
c39b6868c3dfdd813db1804d71d1b4ca

SHA1
ecd4dc6be0e4919adcd0370b4062fa3a840a576f

SHA256
055a8abebe2f2fc6bd9cf2d87bdcfcffdbf3c6563cddabb09840a4d126e361f6

SHA512
13beaa0edbe24f0c5a73b45be6c43e65b54f07443d8e234908e5fb06d7d24485c6a5d89366b15398dfd065fbc072c35957d2c635068ebc227707237b4f8effa7

Download Submit
\??\c:\ÉñÍ¾\Setting\GameStartSetting.xml
Filesize
1KB

MD5
cb675e6b2f7085ba2af2b1c17fc0b4f0

SHA1
df50a8be72652acf399e1c50ac1fcce019c6ade5

SHA256
b59c9bc5f35ca2e747a5a67267ee3c467b3319262e9f51219e537f09562fcc65

SHA512
85e72a0554ff70d0233249bf4dd8509585ded52c4a6348fb6aa3144e2a14fc7750a65354e4614e917d8c7e9e483d1705ea674867fe09dc114e17f8a79054a6bb

Download Submit
\??\c:\ÉñÍ¾\bihustc.exe
Filesize
3.2MB

MD5
c52f5ca43480573ed5d4b5366fad2be0

SHA1
b3bec5af80d4f81f823a339229a6f4d5059498b7

SHA256
bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1

SHA512
1a57f394f1399da752592972a45790db00afdaed4b5e0d0e3f0ac371bb23a7706ad87849198ad57263ce4f67c1496a737eb333427f87d0e0c562387f1fa0f096

Download Submit
\ÉñÍ¾\bihustc.exe
Filesize
3.2MB

MD5
c52f5ca43480573ed5d4b5366fad2be0

SHA1
b3bec5af80d4f81f823a339229a6f4d5059498b7

SHA256
bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1

SHA512
1a57f394f1399da752592972a45790db00afdaed4b5e0d0e3f0ac371bb23a7706ad87849198ad57263ce4f67c1496a737eb333427f87d0e0c562387f1fa0f096

Download Submit
\ÉñÍ¾\bihustc.exe
Filesize
3.2MB

MD5
c52f5ca43480573ed5d4b5366fad2be0

SHA1
b3bec5af80d4f81f823a339229a6f4d5059498b7

SHA256
bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1

SHA512
1a57f394f1399da752592972a45790db00afdaed4b5e0d0e3f0ac371bb23a7706ad87849198ad57263ce4f67c1496a737eb333427f87d0e0c562387f1fa0f096

Download Submit
\ÉñÍ¾\bihustc.exe
Filesize
3.2MB

MD5
c52f5ca43480573ed5d4b5366fad2be0

SHA1
b3bec5af80d4f81f823a339229a6f4d5059498b7

SHA256
bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1

SHA512
1a57f394f1399da752592972a45790db00afdaed4b5e0d0e3f0ac371bb23a7706ad87849198ad57263ce4f67c1496a737eb333427f87d0e0c562387f1fa0f096

Download Submit
\ÉñÍ¾\bihustc.exe
Filesize
3.2MB

MD5
c52f5ca43480573ed5d4b5366fad2be0

SHA1
b3bec5af80d4f81f823a339229a6f4d5059498b7

SHA256
bbedadea5939a3485a101a7aa0acc28b9295f492741c2b9edff8672b755c0af1

SHA512
1a57f394f1399da752592972a45790db00afdaed4b5e0d0e3f0ac371bb23a7706ad87849198ad57263ce4f67c1496a737eb333427f87d0e0c562387f1fa0f096

Download Submit
memory/776-66-0x0000000000400000-0x00000000008BB000-memory.dmp

Filesize
4.7MB

Download
memory/776-65-0x0000000000400000-0x00000000008BB000-memory.dmp

Filesize
4.7MB

Download
memory/776-64-0x0000000000400000-0x00000000008BB000-memory.dmp

Filesize
4.7MB

Download
memory/776-60-0x0000000000000000-mapping.dmp

Download
memory/1800-54-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download
memory/1800-63-0x0000000000400000-0x00000000008BB000-memory.dmp

Filesize
4.7MB

Download
memory/1800-57-0x0000000000400000-0x00000000008BB000-memory.dmp

Filesize
4.7MB

Download
memory/1800-56-0x0000000000400000-0x00000000008BB000-memory.dmp

Filesize
4.7MB

Download
memory/1800-55-0x0000000000400000-0x00000000008BB000-memory.dmp

Filesize
4.7MB

Download