bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1

Analysis

max time kernel
152s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe
Size

45KB
MD5

020891f9564e88267b002a4731429b4b
SHA1

154b6231dc8866917a633cb02814047df7b21df3
SHA256

bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1
SHA512

47cd5b3e2d45f12e686e0686f52018fdce0bfa696a200e6f8b70c9023f3b9b1005c80b86bd8afa8f1ff301d957f9b0b8b8963b819e62f82bd95558c8ebd76f55
SSDEEP

768:r9FyRBrXcPo0LomyVXyEDel8CYk4HV8jr5AJFNcy259f5FwekD8V9LgctsWkc9B/:PyDjcPaRVEGtkMV8/CJFNcyE9bwe08Vf

Score

10^/10

persistence upx

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	boot.sys
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mtklefa = "{8CE2899B-5D7D-4AA0-E588-3E4DEE997D4E}"	boot.sys
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	boot.sys
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mtklefap = "{82B10E2E-1456-4059-EE92-D0419275DEA5}"	boot.sys
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ICFCHJHC = "{68DF520B-0B1C-0B9E-2AA9-40C565E73C92}"	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ndisrd.sys	boot.sys
File opened for modification	C:\Windows\SysWOW64\drivers\ndisrd.sys	boot.sys

Executes dropped EXE 4 IoCs

pid	Process
4316	Ijgjglla.exe
4832	boot.sys
4736	boot.sys
3972	ICFCHJHC.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000022e22-139.dat	upx
behavioral2/files/0x000a000000022e22-140.dat	upx
behavioral2/files/0x000a000000022e22-142.dat	upx
behavioral2/memory/4832-147-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
4832	boot.sys
4736	boot.sys

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lgxpdh32.dll	boot.sys
File created	C:\Windows\SysWOW64\ICFCHJHC.exe	Ijgjglla.exe
File created	C:\Windows\SysWOW64\xslfdlnt.bat	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe
File created	C:\Windows\SysWOW64\Ijgjglla.exe	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe
File opened for modification	C:\Windows\SysWOW64\Ijgjglla.exe	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe
File created	C:\Windows\SysWOW64\Gjhcghae.dll	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe
File created	C:\Windows\SysWOW64\oihij32.dll	boot.sys

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CE2899B-5D7D-4AA0-E588-3E4DEE997D4E}\	boot.sys
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CE2899B-5D7D-4AA0-E588-3E4DEE997D4E}\InprocServer32	boot.sys
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CE2899B-5D7D-4AA0-E588-3E4DEE997D4E}	boot.sys
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{68DF520B-0B1C-0B9E-2AA9-40C565E73C92}	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82B10E2E-1456-4059-EE92-D0419275DEA5}	boot.sys
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82B10E2E-1456-4059-EE92-D0419275DEA5}\	boot.sys
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{68DF520B-0B1C-0B9E-2AA9-40C565E73C92}\InProcServer32\ThreadingModel = "Apartment"	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CE2899B-5D7D-4AA0-E588-3E4DEE997D4E}\InprocServer32\ = "C:\\Windows\\SysWow64\\oihij32.dll"	boot.sys
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CE2899B-5D7D-4AA0-E588-3E4DEE997D4E}\InprocServer32\ThreadingModel = "Apartment"	boot.sys
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82B10E2E-1456-4059-EE92-D0419275DEA5}\InprocServer32	boot.sys
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82B10E2E-1456-4059-EE92-D0419275DEA5}\InprocServer32\ = "C:\\Windows\\SysWow64\\lgxpdh32.dll"	boot.sys
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82B10E2E-1456-4059-EE92-D0419275DEA5}\InprocServer32\ThreadingModel = "Apartment"	boot.sys
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{68DF520B-0B1C-0B9E-2AA9-40C565E73C92}\InProcServer32	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{68DF520B-0B1C-0B9E-2AA9-40C565E73C92}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhcghae.dll"	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4832	boot.sys
4832	boot.sys
4736	boot.sys
4736	boot.sys

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4316	Ijgjglla.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4832	boot.sys
4736	boot.sys

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4940	3968	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe	80
PID 3968 wrote to memory of 4940	3968	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe	80
PID 3968 wrote to memory of 4940	3968	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe	80
PID 3968 wrote to memory of 4316	3968	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe	82
PID 3968 wrote to memory of 4316	3968	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe	82
PID 3968 wrote to memory of 4316	3968	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe	82
PID 4316 wrote to memory of 4328	4316	Ijgjglla.exe	84
PID 4316 wrote to memory of 4328	4316	Ijgjglla.exe	84
PID 4316 wrote to memory of 4328	4316	Ijgjglla.exe	84
PID 4940 wrote to memory of 4832	4940	cmd.exe	83
PID 4940 wrote to memory of 4832	4940	cmd.exe	83
PID 4940 wrote to memory of 4832	4940	cmd.exe	83
PID 4328 wrote to memory of 4736	4328	cmd.exe	86
PID 4328 wrote to memory of 4736	4328	cmd.exe	86
PID 4328 wrote to memory of 4736	4328	cmd.exe	86
PID 4832 wrote to memory of 2576	4832	boot.sys	60
PID 4736 wrote to memory of 2576	4736	boot.sys	60
PID 4316 wrote to memory of 3972	4316	Ijgjglla.exe	87
PID 4316 wrote to memory of 3972	4316	Ijgjglla.exe	87
PID 4316 wrote to memory of 3972	4316	Ijgjglla.exe	87
PID 3968 wrote to memory of 1280	3968	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe	88
PID 3968 wrote to memory of 1280	3968	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe	88
PID 3968 wrote to memory of 1280	3968	bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe	88

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2576
- C:\Users\Admin\AppData\Local\Temp\bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe
  "C:\Users\Admin\AppData\Local\Temp\bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1.exe"
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C start c:\boot.sys
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - \??\c:\boot.sys
      c:\boot.sys
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4832
- - C:\Windows\SysWOW64\Ijgjglla.exe
    C:\Windows\system32\Ijgjglla.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C start c:\boot.sys
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4328
    - - \??\c:\boot.sys
        
        c:\boot.sys
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4736
  - - C:\Windows\SysWOW64\ICFCHJHC.exe
      C:\Windows\system32\ICFCHJHC.exe C:\Windows\SysWOW64\Ijgjglla.exe
      4⤵
      Executes dropped EXE
      PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C C:\Windows\system32\xslfdlnt.bat
    3⤵
    PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ICFCHJHC.exe

Filesize
13KB

MD5
3c3441990e0bf0eada3a93de7bb6b829

SHA1
1642694577d033cd73c0348b8754ce5403dc6530

SHA256
852e1896be3f1be4483c058c94c179cbf2ffeea8d8d7b574ee54934950330121

SHA512
0c4218b51f61fffb148d28f858b087fa07fe561b54b3988f379339f8ce6649fad36fff3c3f620e23efda213ce5475b0d823f157dd4e47b30226fb078563165b0

Download Submit
C:\Windows\SysWOW64\ICFCHJHC.exe

Filesize
13KB

MD5
3c3441990e0bf0eada3a93de7bb6b829

SHA1
1642694577d033cd73c0348b8754ce5403dc6530

SHA256
852e1896be3f1be4483c058c94c179cbf2ffeea8d8d7b574ee54934950330121

SHA512
0c4218b51f61fffb148d28f858b087fa07fe561b54b3988f379339f8ce6649fad36fff3c3f620e23efda213ce5475b0d823f157dd4e47b30226fb078563165b0

Download Submit
C:\Windows\SysWOW64\Ijgjglla.exe

Filesize
45KB

MD5
020891f9564e88267b002a4731429b4b

SHA1
154b6231dc8866917a633cb02814047df7b21df3

SHA256
bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1

SHA512
47cd5b3e2d45f12e686e0686f52018fdce0bfa696a200e6f8b70c9023f3b9b1005c80b86bd8afa8f1ff301d957f9b0b8b8963b819e62f82bd95558c8ebd76f55

Download Submit
C:\Windows\SysWOW64\Ijgjglla.exe

Filesize
45KB

MD5
020891f9564e88267b002a4731429b4b

SHA1
154b6231dc8866917a633cb02814047df7b21df3

SHA256
bd10ca593172763d41b09f033ad4c90fc5cb243fbbb9d7d15925839ec16c16d1

SHA512
47cd5b3e2d45f12e686e0686f52018fdce0bfa696a200e6f8b70c9023f3b9b1005c80b86bd8afa8f1ff301d957f9b0b8b8963b819e62f82bd95558c8ebd76f55

Download Submit
C:\Windows\SysWOW64\drivers\ndisrd.sys

Filesize
14KB

MD5
62d4ef02daab1e5a32a2dee911bbb8a2

SHA1
99eb26074ef938a8474aaa2ee57687044772f093

SHA256
f70bc344cad6386fe95b4c389eae117d8a7c68d982055939f60a15ca0d01ef77

SHA512
03b87bc7558e7502f325f2c46abb8d5ca17ac8077f13896ae6a305865f7965cfcf6b07cc236d20772691599f35c9602fdce3714a835a23fa8316340982bb8f67

Download Submit
C:\Windows\SysWOW64\lgxpdh32.dll

Filesize
10KB

MD5
8bf32bb81490a0c0428ff8b6f59ee042

SHA1
959550372bfb3e254057c750bf858df375e8848e

SHA256
f48fedceac21e1b76871f30d84786d2bc3c6de854d0d58ea3f6a53f6f16a03db

SHA512
9caeefa2a2d275983b29a8fc454e3fa140b0217533d9102f722381bbf3d6a76db708de7d4da3c6ec1687c9896752e8c5137276ee2db0b0eaa903bb9dde8b6b48

Download Submit
C:\Windows\SysWOW64\oihij32.dll

Filesize
10KB

MD5
8bf32bb81490a0c0428ff8b6f59ee042

SHA1
959550372bfb3e254057c750bf858df375e8848e

SHA256
f48fedceac21e1b76871f30d84786d2bc3c6de854d0d58ea3f6a53f6f16a03db

SHA512
9caeefa2a2d275983b29a8fc454e3fa140b0217533d9102f722381bbf3d6a76db708de7d4da3c6ec1687c9896752e8c5137276ee2db0b0eaa903bb9dde8b6b48

Download Submit
C:\Windows\SysWOW64\xslfdlnt.bat

Filesize
287B

MD5
fa761cf8bddf680783f85e65f96418b2

SHA1
520fcaad5d4f332401db69d1cc8040e814d2040a

SHA256
367136f8e8b6d1078e92f4aebb33d6e51b2c2ce5427521852c27fed645745641

SHA512
15e282857190c14e25438792d0fb7635fe9f00d8542c86101de048ccbc1bedadd5c4aad545d4c0a2785045a92c69f10c4f2a6e1b03429d62e5041f11cc9395ea

Download Submit
C:\boot.sys

Filesize
16KB

MD5
37c28dd5c1e185c5cded257ad6c91c03

SHA1
3f84157f5bbfeebd135220130a8b0bd616017545

SHA256
1e2813f4a23f085eb4812095a26d592902cda2582e190e162c3f7dc3825c5c1b

SHA512
f7cab8fc08ff970577b6a1b79743fbedb53eb4318394f6e0c54efc575c709d55b74d33c3bf7e0b7ad5c1b625a384538ee1434caf460eb158e5352efc08ed3b41

Download Submit
C:\boot.sys

Filesize
16KB

MD5
37c28dd5c1e185c5cded257ad6c91c03

SHA1
3f84157f5bbfeebd135220130a8b0bd616017545

SHA256
1e2813f4a23f085eb4812095a26d592902cda2582e190e162c3f7dc3825c5c1b

SHA512
f7cab8fc08ff970577b6a1b79743fbedb53eb4318394f6e0c54efc575c709d55b74d33c3bf7e0b7ad5c1b625a384538ee1434caf460eb158e5352efc08ed3b41

Download Submit
\??\c:\boot.sys

Filesize
16KB

MD5
37c28dd5c1e185c5cded257ad6c91c03

SHA1
3f84157f5bbfeebd135220130a8b0bd616017545

SHA256
1e2813f4a23f085eb4812095a26d592902cda2582e190e162c3f7dc3825c5c1b

SHA512
f7cab8fc08ff970577b6a1b79743fbedb53eb4318394f6e0c54efc575c709d55b74d33c3bf7e0b7ad5c1b625a384538ee1434caf460eb158e5352efc08ed3b41

Download Submit
memory/3968-132-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3968-153-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4316-157-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4316-146-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4736-156-0x0000000073250000-0x0000000073255000-memory.dmp

Filesize
20KB

Download
memory/4832-147-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4832-148-0x0000000073250000-0x0000000073255000-memory.dmp

Filesize
20KB

Download
memory/4832-155-0x0000000073250000-0x0000000073255000-memory.dmp

Filesize
20KB

Download