b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63

Analysis

max time kernel
139s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 00:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe
Size

810KB
MD5

7945f3218640948655d64f3cacf15f40
SHA1

89c492ada8bb8b2e2559d47ed2b2b71b47f0b998
SHA256

b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63
SHA512

07a2ed94d09d19c2d8b36bfcca342bc2ab5a59e5432a65b6355938ce016417513c516d1b10e391fc33fc89041ec83720d68e3689fb1c884fd1b79735af18d974
SSDEEP

24576:xZSKRr2HCjeBrTVyuwWp/+Vw8qOVyRxqfyDR4t:xZSKRFjeBHVJLp/O1VyDRw

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3984	b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe
4412	update.exe

Loads dropped DLL 3 IoCs

pid	Process
3984	b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe
4412	update.exe
4412	update.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Boot Check = "C:\\Windows\\system32\\sysbmw.exe"	b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysbmw.exe	notepad.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupapi.log	update.exe
File opened for modification	\??\c:\windows\KB974112.log	update.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3879825825"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3879825825"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987810"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371454798"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{118A1C3C-4216-11ED-AECB-DA88DC7FA106} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4014825753"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987810"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987810"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe
Token: SeBackupPrivilege	4412	update.exe
Token: SeRestorePrivilege	4412	update.exe
Token: SeShutdownPrivilege	4412	update.exe
Token: SeSecurityPrivilege	4412	update.exe
Token: SeTakeOwnershipPrivilege	4412	update.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3344	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3344	IEXPLORE.EXE
3344	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3344	4760	b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe	81
PID 4760 wrote to memory of 3344	4760	b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe	81
PID 3344 wrote to memory of 2952	3344	IEXPLORE.EXE	82
PID 3344 wrote to memory of 2952	3344	IEXPLORE.EXE	82
PID 3344 wrote to memory of 2952	3344	IEXPLORE.EXE	82
PID 4760 wrote to memory of 3576	4760	b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe	83
PID 4760 wrote to memory of 3576	4760	b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe	83
PID 4760 wrote to memory of 3576	4760	b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe	83
PID 4760 wrote to memory of 3344	4760	b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe	81
PID 4760 wrote to memory of 3576	4760	b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe	83
PID 3576 wrote to memory of 3984	3576	notepad.exe	84
PID 3576 wrote to memory of 3984	3576	notepad.exe	84
PID 3576 wrote to memory of 3984	3576	notepad.exe	84
PID 3984 wrote to memory of 4412	3984	b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe	87
PID 3984 wrote to memory of 4412	3984	b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe	87
PID 3984 wrote to memory of 4412	3984	b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe	87

C:\Users\Admin\AppData\Local\Temp\b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe
"C:\Users\Admin\AppData\Local\Temp\b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760
- C:\program files\Internet Explorer\IEXPLORE.EXE
  "C:\program files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3344 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2952
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Users\Admin\AppData\Local\Temp\b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe
    C:\Users\Admin\AppData\Local\Temp\b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - \??\c:\1b9939ae9c51877a03309f6b\update\update.exe
      c:\1b9939ae9c51877a03309f6b\update\update.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:4412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1b9939ae9c51877a03309f6b\_sfx_.dll

Filesize
25KB

MD5
ee207e35aea4d5df41d90221e1b66efa

SHA1
757469cf9ad2f21f267bbe730560114fdf8a89a5

SHA256
cf64c95e9a2d02967efc22b00efb3736156b913a95231eb63c1df45d43475e64

SHA512
43e9f75725daa4f3428b2d9cee2c2cc8b2f2e991b8e58d72d2f429fbdfb614c86d172f03d3f9da98756bd4e245643d9a57c6efa422d6c60ad364a2322245542d

Download Submit
C:\1b9939ae9c51877a03309f6b\update\update.exe

Filesize
712KB

MD5
9570121468658dcc6972f1dfa624a223

SHA1
61716952df7a03fc01ac919f44f07e9588840b8c

SHA256
bc2cde5db3027a726c81df78bdef10b5ec9a7b4a5ba297911c7b999638f76b33

SHA512
7c2168a6db5bf7dd7c09682983e9059524621834d0d9ae250382c74d714b0e99b625f5ee9a648e18de9fa25b580bac5ab770ad63c406a9f88c87ade1a372429c

Download Submit
C:\1b9939ae9c51877a03309f6b\update\updspapi.dll

Filesize
331KB

MD5
eb5c64286d987337f702813e73fcf615

SHA1
77c393b4cf5b61c29afa408ec1ebd93b22271e3f

SHA256
44062d8525a1de307491a46376d1831e23c27c18edb3de8f142d83eb7a21fc52

SHA512
0c71779a7b5a3507b5d0ccc0f9ff785032e1d8c32e76a0c0acadfd531d9ca87b61fd9742d69c610823a4315e181ad41f561811badbc262052d0f3ba86b9237a6

Download Submit
C:\1b9939ae9c51877a03309f6b\update\updspapi.dll

Filesize
331KB

MD5
eb5c64286d987337f702813e73fcf615

SHA1
77c393b4cf5b61c29afa408ec1ebd93b22271e3f

SHA256
44062d8525a1de307491a46376d1831e23c27c18edb3de8f142d83eb7a21fc52

SHA512
0c71779a7b5a3507b5d0ccc0f9ff785032e1d8c32e76a0c0acadfd531d9ca87b61fd9742d69c610823a4315e181ad41f561811badbc262052d0f3ba86b9237a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
f525b778e6901e8c416e2920e4e3dc0b

SHA1
917ce8ae6d64bdd4dd438488176253022c57a083

SHA256
c9eee793aa4aa79f35d393f9f1d863483aaf4004dea6ac19bda868e92a71f8bd

SHA512
f6f47a4935c09769b8df316e1b459c7b153ed26ac409d4bf2ce62a1635dba4eaf7ce77de5ce83100d6f3ce7aadffed7591fb7cee7ac10a0c081a2d3c613f1ad8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
1e6573903324bfeca4601bb82c393069

SHA1
67eb1c24e2a3094f261811b94fe019e8baec0492

SHA256
ab96ebf345b2b3deb88f8334be6cca00d82afceab169dad5ad51e2b6deba9a6b

SHA512
6cc89ca7a8da59e89ece9c9baa3b45b99274574a9862098018ef91d6ae1a8de84f2bcc54ee62767a7bb5784b9cf44081c174665f0654a0c07f5551a103550a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe

Filesize
591KB

MD5
e26ad46d91d83095a81f844d4c5beec4

SHA1
84364bb68fce4d6dcf355e5c70cc615445a7fe2d

SHA256
34c797148df3bb9a02f2dcc7d9f4cc444e92830ddc8ae90015d15341c5491a5d

SHA512
04153bb2dc28a380a26de0142628cf8d1d1f1b80144c5f6d07fcd6886ad0f2dbfc045ef63920c873983928adc4c217b0bca8d38f92470b9a3c04749436657770

Download Submit
C:\Users\Admin\AppData\Local\Temp\b12bbe53fef6aa75fcd224f2f318a5510721dc9e5b584b0fb959d8f31f2b9c63.exe

Filesize
591KB

MD5
e26ad46d91d83095a81f844d4c5beec4

SHA1
84364bb68fce4d6dcf355e5c70cc615445a7fe2d

SHA256
34c797148df3bb9a02f2dcc7d9f4cc444e92830ddc8ae90015d15341c5491a5d

SHA512
04153bb2dc28a380a26de0142628cf8d1d1f1b80144c5f6d07fcd6886ad0f2dbfc045ef63920c873983928adc4c217b0bca8d38f92470b9a3c04749436657770

Download Submit
memory/3576-133-0x0000000013150000-0x0000000013189000-memory.dmp

Filesize
228KB

Download
memory/4412-142-0x0000000000520000-0x0000000000574000-memory.dmp

Filesize
336KB

Download
memory/4412-143-0x0000000000521000-0x0000000000543000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads