ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f

Analysis

max time kernel
151s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe
Size

58KB
MD5

f6236d21c158204d0c13e9350167c3a4
SHA1

4b27e1bee248d264650bc92564d19b7cf09dc4cf
SHA256

ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f
SHA512

dec37dabd0bc7b1bcec3a31ab4ba37921c8fcaa5b57178162ef64b29327aa70aaadcaba196dcdd3e2709288f2c15ae316eac7eb901c5b0e92aff8acdfcc7bea8
SSDEEP

1536:Nxj4xoSW3p1PJgK/b2ydJa6mQLqPpN8I+vAq4MV2X:njzVrPeK6ydJfw7B7U0

Score

10^/10

evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe

Executes dropped EXE 2 IoCs

pid	Process
3920	uninst.exe
5000	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe
1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe
1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe
1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe
1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\flash.scf	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lnkfiles\21.txt	cscript.exe
File created	C:\Program Files (x86)\Messenger\Messenger.bcm	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe
File created	C:\Program Files (x86)\Messenger\taodwq.ico	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe
File created	C:\Program Files (x86)\Internet Explorer\MUI\iexplore.exe	cscript.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\MUI\iexplore.exe	cscript.exe
File created	C:\Program Files (x86)\Messenger\Ntype.exe	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\17.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\19.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\23.txt	cscript.exe
File created	C:\Program Files (x86)\Common Files\System\ado\myie.vbs	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe
File created	C:\Program Files (x86)\lnkfiles\15.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\25.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\27.txt	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0001000000022e26-142.dat	nsis_installer_2
behavioral2/files/0x0001000000022e26-143.dat	nsis_installer_2
behavioral2/files/0x0003000000022e23-146.dat	nsis_installer_2
behavioral2/files/0x0003000000022e23-145.dat	nsis_installer_2

Modifies registry class 2 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bcm\ = "JSEFile"	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bcm	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe
1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe
1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe
1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 212	1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe	85
PID 1008 wrote to memory of 212	1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe	85
PID 1008 wrote to memory of 212	1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe	85
PID 1008 wrote to memory of 4080	1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe	87
PID 1008 wrote to memory of 4080	1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe	87
PID 1008 wrote to memory of 4080	1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe	87
PID 1008 wrote to memory of 3920	1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe	89
PID 1008 wrote to memory of 3920	1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe	89
PID 1008 wrote to memory of 3920	1008	ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe	89
PID 3920 wrote to memory of 5000	3920	uninst.exe	90
PID 3920 wrote to memory of 5000	3920	uninst.exe	90
PID 3920 wrote to memory of 5000	3920	uninst.exe	90

C:\Users\Admin\AppData\Local\Temp\ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe
"C:\Users\Admin\AppData\Local\Temp\ab62c668f938800a11bd92d3de247ed5d17076b0fa59a07cfb7c9884099c5b1f.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\Common Files\System\ado\myie.vbs"
  2⤵
  - Drops file in Program Files directory
  PID:212
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files (x86)\Messenger\messenger.bcm"
  2⤵
  PID:4080
- C:\Users\Admin\AppData\Local\Temp\uninst.exe
  "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    PID:5000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System\ado\myie.vbs

Filesize
3KB

MD5
21626dc339a5b9b9fd192112f09c8bec

SHA1
d16cbdb26343739c802ce5726ff592a1ace1f260

SHA256
00602e5a43d451ce9defd2017bd0f90754c72bf2859691a8a4f2ebc9eda375fe

SHA512
9e8b56b5ef3dc27c5cb641b5f257e26eed707c5d1ba7862a4269a468e779019052cfcf874a80bfb665cbf1120f23c4aad9720e582168d713f414be6c6dfde8d6

Download Submit
C:\Program Files (x86)\Messenger\messenger.bcm

Filesize
8KB

MD5
89c54c6059b71e5f699598451a1923bc

SHA1
fc8cd7ade32cf2d2e900fe21c2b31258885c5c0a

SHA256
5a124ea3ab3d8f184d063c4d559a9423f69998d495f3786a33bf279a4d75be9f

SHA512
7e74848ee9903e4ccb531bf0374430553e05d8f202eb5d2cff07657eb013abdf72c4b2e304cd6b9f3f600b4e53f4bb13d4f39701e459da774553929c9d311847

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBEC3.tmp\System.dll

Filesize
11KB

MD5
5d186c26b28c0dd14e6eb78a755a2d1f

SHA1
e8f50ebf398da3bfa1242149ee205a7ad9935e66

SHA256
7f05c7d2408ec4b69287bbde91d18054075a448f11ffda4ba17d696e3b2d09e7

SHA512
c3453968867ce671542a69eb9881292f6f5ccf3a009cc55728905009f450e5711b2804c8b96ec39850d105b1819ff9faec6e8f2eb8f8b8bd625fdef817c84153

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBEC3.tmp\nsExec.dll

Filesize
6KB

MD5
3da7002fc1e78b7e63bcb56ce3319f82

SHA1
8ff3e1680f4ccb21b8ccbc4701080a386cf83976

SHA256
8dd31e9c8915424c28261d6138806c31443ad214f9381d20e490a13e7ffc91e4

SHA512
bf6f2afce1816a4523fef616bc441cd9062bd4e3a2162772a8650b288c220af49cf7a3128f3580112b3370dafdce971c55a9febb784bded36402061ec371ff09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBEC3.tmp\nsExec.dll

Filesize
6KB

MD5
3da7002fc1e78b7e63bcb56ce3319f82

SHA1
8ff3e1680f4ccb21b8ccbc4701080a386cf83976

SHA256
8dd31e9c8915424c28261d6138806c31443ad214f9381d20e490a13e7ffc91e4

SHA512
bf6f2afce1816a4523fef616bc441cd9062bd4e3a2162772a8650b288c220af49cf7a3128f3580112b3370dafdce971c55a9febb784bded36402061ec371ff09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBEC3.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrBEC3.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sogou.ini

Filesize
126B

MD5
c99a30b483aabebb6e3443feae76732c

SHA1
a93e2263abcf087957ad566aa0dce921c3c82a45

SHA256
bed1d6665f1c26ab50001a88d3d584cb0ba7e1f07c60cddbdad9e384d7d70a6b

SHA512
c51aa00a452a03fa909234c50601260c01bd0283d77bf283ecaa2f682f529aafd76b0abce1e3395170bb46b93a640ce967b7283530b3841a0a0cbdeb429d4e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
35KB

MD5
f04c9c0409c49e0bbfdea891f4a781f0

SHA1
fd223f054b3e87f7348fe9c5d5a6f5bca66d28cb

SHA256
00bf832f4517d7c40fb8dc3aeb3850909c79a0a0686947206f9eb24ecc2e6763

SHA512
57359b2b7687733f5022b5952021b350f82d387b4d2e8988291dfdbc6966ce94ee3c0ea5a955bae4c190df70481c897447fac87a549f93084881f6b67789e474

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
35KB

MD5
f04c9c0409c49e0bbfdea891f4a781f0

SHA1
fd223f054b3e87f7348fe9c5d5a6f5bca66d28cb

SHA256
00bf832f4517d7c40fb8dc3aeb3850909c79a0a0686947206f9eb24ecc2e6763

SHA512
57359b2b7687733f5022b5952021b350f82d387b4d2e8988291dfdbc6966ce94ee3c0ea5a955bae4c190df70481c897447fac87a549f93084881f6b67789e474

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
35KB

MD5
f04c9c0409c49e0bbfdea891f4a781f0

SHA1
fd223f054b3e87f7348fe9c5d5a6f5bca66d28cb

SHA256
00bf832f4517d7c40fb8dc3aeb3850909c79a0a0686947206f9eb24ecc2e6763

SHA512
57359b2b7687733f5022b5952021b350f82d387b4d2e8988291dfdbc6966ce94ee3c0ea5a955bae4c190df70481c897447fac87a549f93084881f6b67789e474

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
35KB

MD5
f04c9c0409c49e0bbfdea891f4a781f0

SHA1
fd223f054b3e87f7348fe9c5d5a6f5bca66d28cb

SHA256
00bf832f4517d7c40fb8dc3aeb3850909c79a0a0686947206f9eb24ecc2e6763

SHA512
57359b2b7687733f5022b5952021b350f82d387b4d2e8988291dfdbc6966ce94ee3c0ea5a955bae4c190df70481c897447fac87a549f93084881f6b67789e474

Download Submit