Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
29-10-2022 16:20
Static task
static1
Behavioral task
behavioral1
Sample
3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe
-
Size
160KB
-
MD5
83c8e201413515d9b62da74d9c927590
-
SHA1
3471bbe169ce59f8013746fc0fc967bb6ea62574
-
SHA256
3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289
-
SHA512
abc965e4b30da9efdea8e0ff811af07e3a6b4ab7e4b85fdb8e237809e81c7db06924ed6f69b873e3e86e446e1e596715ad25053befc61467fb1d9a604212e61c
-
SSDEEP
3072:eGzsrB6oe5g+GwJs8K9YUoIrJaRuSZ/JlQPj/PYv2wM0B2vmkHgHAGFAhl4oQZi3:eGwrnP9YErMRuSZ/JlQLHYv2PvzGAMAb
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" bouxia.exe -
Executes dropped EXE 1 IoCs
pid Process 4832 bouxia.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe -
Adds Run key to start application 2 TTPs 55 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /Z" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /d" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /c" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /x" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /Q" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /O" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /I" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /i" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /k" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /s" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /l" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /R" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /m" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /r" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /u" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /H" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /V" bouxia.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /g" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /B" bouxia.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /e" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /S" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /N" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /U" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /J" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /h" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /F" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /G" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /t" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /A" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /f" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /q" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /P" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /E" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /D" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /Y" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /M" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /y" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /p" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /X" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /n" 3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /K" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /o" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /W" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /j" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /a" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /L" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /z" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /v" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /n" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /C" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /T" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /b" bouxia.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouxia = "C:\\Users\\Admin\\bouxia.exe /w" bouxia.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5116 3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe 5116 3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe 4832 bouxia.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5116 3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe 4832 bouxia.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5116 wrote to memory of 4832 5116 3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe 84 PID 5116 wrote to memory of 4832 5116 3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe 84 PID 5116 wrote to memory of 4832 5116 3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe"C:\Users\Admin\AppData\Local\Temp\3722255efbce29df84d1b0d3a124575bca56e3467ed3ce1ee5571b7fd44c9289.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Users\Admin\bouxia.exe"C:\Users\Admin\bouxia.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4832
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
160KB
MD593ee3dd355d5f927587575f053c560c5
SHA10316f6e3bbaa63c679ed16ea8ae4013dd4f6f9c8
SHA256d36b749d6088c62a5402d123b053c74254eb84f0539731bfb2647b6d17e4aff6
SHA512eb4545bda24efdaceed992d1fa81520b377b6803c2039876e93bfc67b924f381215e83e59b2e66dca7453e8a41b3e282a56120d029bdb9ba80777e4efe4d65d3
-
Filesize
160KB
MD593ee3dd355d5f927587575f053c560c5
SHA10316f6e3bbaa63c679ed16ea8ae4013dd4f6f9c8
SHA256d36b749d6088c62a5402d123b053c74254eb84f0539731bfb2647b6d17e4aff6
SHA512eb4545bda24efdaceed992d1fa81520b377b6803c2039876e93bfc67b924f381215e83e59b2e66dca7453e8a41b3e282a56120d029bdb9ba80777e4efe4d65d3