Analysis
max time kernel: 151s
max time network: 139s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2022, 04:46
Static task: static1
Behavioral task: behavioral1
  Sample: 158fe2aef3c39a9e211907ed13e3056066679ad2b20906d9aebe7a1571ad4905.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 158fe2aef3c39a9e211907ed13e3056066679ad2b20906d9aebe7a1571ad4905.dll
  Resource: win10v2004-20220812-en
General
Target: 158fe2aef3c39a9e211907ed13e3056066679ad2b20906d9aebe7a1571ad4905.dll
Size: 350KB
MD5: 688b4924ea683be34c23bf81aeff18f3
SHA1: 55cd5d532a21e62b592a4f6c96676530b3d62c63
SHA256: 158fe2aef3c39a9e211907ed13e3056066679ad2b20906d9aebe7a1571ad4905
SHA512: 7275cdacc7b335cf083366c60f9d2cce419bc50cc553c642b4eca1154768905deaaa4affe28b70877fdd9cb25c6c4614dff0f18d62db997164b672fb6ceb2371
SSDEEP: 6144:u/bRffXkG7wilZUPBmopzdWQ4niWIGzVFPUnb:uNf/kGsWZwBDzdnMIGzHP
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\sjfbpahx\\bmwnadnl.exe" | svchost.exe
UAC bypass 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Executes dropped EXE 2 IoCs
pid | Process
- 936 | SDxfmzdp
- 968 | suuicfpurejpyvib.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Drops startup file 2 IoCs
description | ioc | Process
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bmwnadnl.exe | svchost.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bmwnadnl.exe | svchost.exe
Loads dropped DLL 6 IoCs
pid | Process
- 2032 | regsvr32.exe
- 2032 | regsvr32.exe
- 936 | SDxfmzdp
- 936 | SDxfmzdp
- 936 | SDxfmzdp
- 936 | SDxfmzdp
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\BmwNadnl = "C:\\Users\\Admin\\AppData\\Local\\sjfbpahx\\bmwnadnl.exe" | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 31 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\TypeLib | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\TypeLib\ = "{45898183-0656-40E8-8116-81617964B4E8}" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\FLAGS | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\FLAGS\ = "0" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper.1 | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper.1\ = "CloneViewHelper Class" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper\CurVer\ = "IgfxTMM.CloneViewHelper.1" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\InprocServer32\ThreadingModel = "Both" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0 | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper\CLSID | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper\CurVer | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\ = "CloneViewHelper Class" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\ProgID | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\ProgID\ = "IgfxTMM.CloneViewHelper.1" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\VersionIndependentProgID | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper.1\CLSID\ = "{FC03875E-6012-4349-B5C5-C42E9FE26AD2}" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper\CLSID\ = "{FC03875E-6012-4349-B5C5-C42E9FE26AD2}" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\InprocServer32 | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\ = "CloneHelper 1.0 Type Library" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\0\win32 | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\158fe2aef3c39a9e211907ed13e3056066679ad2b20906d9aebe7a1571ad4905.dll" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper.1\CLSID | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2} | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\0 | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\HELPDIR | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\158fe2aef3c39a9e211907ed13e3056066679ad2b20906d9aebe7a1571ad4905.dll" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper\ = "CloneViewHelper Class" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\VersionIndependentProgID\ = "IgfxTMM.CloneViewHelper" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A} | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | regsvr32.exe
Suspicious behavior: EnumeratesProcesses 43 IoCs
pid | Process
- 2044 | svchost.exe (the same entry is listed 43 times)
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
- 460 | Process not Found
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (consecutive identical entries are collapsed with a count)
- Token: SeSecurityPrivilege | 936 | SDxfmzdp
- Token: SeDebugPrivilege | 936 | SDxfmzdp
- Token: SeSecurityPrivilege | 1472 | svchost.exe
- Token: SeSecurityPrivilege | 2044 | svchost.exe
- Token: SeDebugPrivilege | 2044 | svchost.exe
- Token: SeRestorePrivilege, then Token: SeBackupPrivilege | 2044 | svchost.exe (10 alternating pairs, 20 entries)
- Token: SeSecurityPrivilege | 968 | suuicfpurejpyvib.exe
- Token: SeLoadDriverPrivilege | 968 | suuicfpurejpyvib.exe
- Token: SeRestorePrivilege, then Token: SeBackupPrivilege | 2044 | svchost.exe (18 alternating pairs followed by one more SeRestorePrivilege, 37 entries)
Suspicious use of WriteProcessMemory 35 IoCs
description | pid | Process | procid_target (identical entries are collapsed with a count)
- PID 1016 wrote to memory of 2032 | 1016 | regsvr32.exe | 20 (7 entries)
- PID 2032 wrote to memory of 936 | 2032 | regsvr32.exe | 22 (4 entries)
- PID 936 wrote to memory of 1472 | 936 | SDxfmzdp | 26 (10 entries)
- PID 936 wrote to memory of 2044 | 936 | SDxfmzdp | 28 (10 entries)
- PID 936 wrote to memory of 968 | 936 | SDxfmzdp | 32 (4 entries)
Processes
- [1] C:\Windows\system32\regsvr32.exe (PID 1016), command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\158fe2aef3c39a9e211907ed13e3056066679ad2b20906d9aebe7a1571ad4905.dll
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\regsvr32.exe (PID 2032), command line: /s C:\Users\Admin\AppData\Local\Temp\158fe2aef3c39a9e211907ed13e3056066679ad2b20906d9aebe7a1571ad4905.dll
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\SDxfmzdp (PID 936), command line: "SDxfmzdp"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\svchost.exe (PID 1472), command line: C:\Windows\system32\svchost.exe
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\svchost.exe (PID 2044), command line: C:\Windows\system32\svchost.exe
        - Modifies WinLogon for persistence
        - UAC bypass
        - Checks BIOS information in registry
        - Drops startup file
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Users\Admin\AppData\Local\Temp\suuicfpurejpyvib.exe (PID 968), command line: "C:\Users\Admin\AppData\Local\Temp\suuicfpurejpyvib.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 96KB
  MD5: 254e4fa9c285f829b8134f470bbd08b9
  SHA1: c6198611124c86c8d13204bd84c20fa41f8a9f20
  SHA256: c271fd76007d951f28e3fa435d543530c4a6adaf1ad928841ffc99767da5ce57
  SHA512: f5d1aa083731b410cc2dd9eacab10c065ee4ea7ecb56ce74dafc68439451254649b6d0db60626f7f6a9eae8ca65b94fd73d86eb75793fb647e6f7e0804b128e9
  (this identical entry appears 10 times in the original listing)