d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4

Analysis

max time kernel
88s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe
Size

58KB
MD5

59e96908b7845a7c84c53e1d60bb0940
SHA1

345d20c8c0e9af99b2e0066ac613c83e5757caea
SHA256

d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4
SHA512

70406b96fda828eb57a1e49a6ca02e6d747d96a986b035c806cfe885779ca385100a8a3e7636a6807c52f3a4989c2896590c6b395ced29c1f5362acd45b93811
SSDEEP

1536:Nxj4xoSW3p1PJgK/b2ydJa6mQLqPpN8I+vAq4MV2D:njzVrPeK6ydJfw7B7Uk

Score

10^/10

evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe

Executes dropped EXE 2 IoCs

pid	Process
3628	uninst.exe
4808	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe
2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe
2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe
2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe
2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\flash.scf	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Messenger\Messenger.bcm	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe
File created	C:\Program Files (x86)\Messenger\taodwq.ico	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\MUI\iexplore.exe	cscript.exe
File created	C:\Program Files (x86)\Messenger\Ntype.exe	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\25.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\21.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\23.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\27.txt	cscript.exe
File created	C:\Program Files (x86)\Common Files\System\ado\myie.vbs	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe
File created	C:\Program Files (x86)\Internet Explorer\MUI\iexplore.exe	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\15.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\17.txt	cscript.exe
File created	C:\Program Files (x86)\lnkfiles\19.txt	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022e65-142.dat	nsis_installer_2
behavioral2/files/0x0006000000022e65-143.dat	nsis_installer_2
behavioral2/files/0x0007000000022e63-146.dat	nsis_installer_2
behavioral2/files/0x0007000000022e63-145.dat	nsis_installer_2

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bcm	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bcm\ = "JSEFile"	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe
2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe
2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe
2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1660	2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe	83
PID 2220 wrote to memory of 1660	2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe	83
PID 2220 wrote to memory of 1660	2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe	83
PID 2220 wrote to memory of 4080	2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe	86
PID 2220 wrote to memory of 4080	2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe	86
PID 2220 wrote to memory of 4080	2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe	86
PID 2220 wrote to memory of 3628	2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe	88
PID 2220 wrote to memory of 3628	2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe	88
PID 2220 wrote to memory of 3628	2220	d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe	88
PID 3628 wrote to memory of 4808	3628	uninst.exe	89
PID 3628 wrote to memory of 4808	3628	uninst.exe	89
PID 3628 wrote to memory of 4808	3628	uninst.exe	89

C:\Users\Admin\AppData\Local\Temp\d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe
"C:\Users\Admin\AppData\Local\Temp\d3398fa8fbfe6b4160b928e78c5c1f8a6e1779e03f2bf3f98e58c20ef83b0de4.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\Common Files\System\ado\myie.vbs"
  2⤵
  - Drops file in Program Files directory
  PID:1660
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files (x86)\Messenger\messenger.bcm"
  2⤵
  PID:4080
- C:\Users\Admin\AppData\Local\Temp\uninst.exe
  "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    PID:4808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System\ado\myie.vbs

Filesize
3KB

MD5
21626dc339a5b9b9fd192112f09c8bec

SHA1
d16cbdb26343739c802ce5726ff592a1ace1f260

SHA256
00602e5a43d451ce9defd2017bd0f90754c72bf2859691a8a4f2ebc9eda375fe

SHA512
9e8b56b5ef3dc27c5cb641b5f257e26eed707c5d1ba7862a4269a468e779019052cfcf874a80bfb665cbf1120f23c4aad9720e582168d713f414be6c6dfde8d6

Download Submit
C:\Program Files (x86)\Messenger\messenger.bcm

Filesize
8KB

MD5
89c54c6059b71e5f699598451a1923bc

SHA1
fc8cd7ade32cf2d2e900fe21c2b31258885c5c0a

SHA256
5a124ea3ab3d8f184d063c4d559a9423f69998d495f3786a33bf279a4d75be9f

SHA512
7e74848ee9903e4ccb531bf0374430553e05d8f202eb5d2cff07657eb013abdf72c4b2e304cd6b9f3f600b4e53f4bb13d4f39701e459da774553929c9d311847

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA2BF.tmp\System.dll

Filesize
11KB

MD5
5d186c26b28c0dd14e6eb78a755a2d1f

SHA1
e8f50ebf398da3bfa1242149ee205a7ad9935e66

SHA256
7f05c7d2408ec4b69287bbde91d18054075a448f11ffda4ba17d696e3b2d09e7

SHA512
c3453968867ce671542a69eb9881292f6f5ccf3a009cc55728905009f450e5711b2804c8b96ec39850d105b1819ff9faec6e8f2eb8f8b8bd625fdef817c84153

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA2BF.tmp\nsExec.dll

Filesize
6KB

MD5
3da7002fc1e78b7e63bcb56ce3319f82

SHA1
8ff3e1680f4ccb21b8ccbc4701080a386cf83976

SHA256
8dd31e9c8915424c28261d6138806c31443ad214f9381d20e490a13e7ffc91e4

SHA512
bf6f2afce1816a4523fef616bc441cd9062bd4e3a2162772a8650b288c220af49cf7a3128f3580112b3370dafdce971c55a9febb784bded36402061ec371ff09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA2BF.tmp\nsExec.dll

Filesize
6KB

MD5
3da7002fc1e78b7e63bcb56ce3319f82

SHA1
8ff3e1680f4ccb21b8ccbc4701080a386cf83976

SHA256
8dd31e9c8915424c28261d6138806c31443ad214f9381d20e490a13e7ffc91e4

SHA512
bf6f2afce1816a4523fef616bc441cd9062bd4e3a2162772a8650b288c220af49cf7a3128f3580112b3370dafdce971c55a9febb784bded36402061ec371ff09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA2BF.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA2BF.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sogou.ini

Filesize
126B

MD5
a8366b7bd477b4603ea8dbb5ccba9004

SHA1
52b1c436d13f36fe569e648c50acb45077f1de28

SHA256
969ea7179ada8765b7b59f19fdd46284b1d7d1c484886db457b9c55ac00bb7eb

SHA512
a6d83d04872c29a09bb9a267d05f65d7bf500c3bc9e8d97aa6cbe0062bdacc5877b7e0a3fd01ee2bf2f97585631c1868fd9f4e38ec84ab0d461af9e9a435a995

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
35KB

MD5
f04c9c0409c49e0bbfdea891f4a781f0

SHA1
fd223f054b3e87f7348fe9c5d5a6f5bca66d28cb

SHA256
00bf832f4517d7c40fb8dc3aeb3850909c79a0a0686947206f9eb24ecc2e6763

SHA512
57359b2b7687733f5022b5952021b350f82d387b4d2e8988291dfdbc6966ce94ee3c0ea5a955bae4c190df70481c897447fac87a549f93084881f6b67789e474

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
35KB

MD5
f04c9c0409c49e0bbfdea891f4a781f0

SHA1
fd223f054b3e87f7348fe9c5d5a6f5bca66d28cb

SHA256
00bf832f4517d7c40fb8dc3aeb3850909c79a0a0686947206f9eb24ecc2e6763

SHA512
57359b2b7687733f5022b5952021b350f82d387b4d2e8988291dfdbc6966ce94ee3c0ea5a955bae4c190df70481c897447fac87a549f93084881f6b67789e474

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
35KB

MD5
f04c9c0409c49e0bbfdea891f4a781f0

SHA1
fd223f054b3e87f7348fe9c5d5a6f5bca66d28cb

SHA256
00bf832f4517d7c40fb8dc3aeb3850909c79a0a0686947206f9eb24ecc2e6763

SHA512
57359b2b7687733f5022b5952021b350f82d387b4d2e8988291dfdbc6966ce94ee3c0ea5a955bae4c190df70481c897447fac87a549f93084881f6b67789e474

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
35KB

MD5
f04c9c0409c49e0bbfdea891f4a781f0

SHA1
fd223f054b3e87f7348fe9c5d5a6f5bca66d28cb

SHA256
00bf832f4517d7c40fb8dc3aeb3850909c79a0a0686947206f9eb24ecc2e6763

SHA512
57359b2b7687733f5022b5952021b350f82d387b4d2e8988291dfdbc6966ce94ee3c0ea5a955bae4c190df70481c897447fac87a549f93084881f6b67789e474

Download Submit