abc3fa717d6c5e8c293a6509d2116b0287581a4ed82b1775eb742a4f8820ed13

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abc3fa717d6c5e8c293a6509d2116b0287581a4ed82b1775eb742a4f8820ed13.exe
Size

3.5MB
MD5

9113a0bdcb8e89adfa37220a0e403520
SHA1

d7543a915f570f842ac2f580adb8b487bc3d9932
SHA256

abc3fa717d6c5e8c293a6509d2116b0287581a4ed82b1775eb742a4f8820ed13
SHA512

b8f48b610c88b15b0a05a89e7f7df947c5f774a2974957781c2da17a275d8f77ec4a09bdc535cd1bf404fa3d210f5c7fbc78aa4b1174878a6abbba900916b671
SSDEEP

98304:C8ssMHvNq9Mc9joWc1s/xeyBuj/bm3Wu63DIZU:KQfjBGsfw/Fs6

Score

8^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2828	BASupApp.exe

Loads dropped DLL 15 IoCs

pid	Process
2796	abc3fa717d6c5e8c293a6509d2116b0287581a4ed82b1775eb742a4f8820ed13.exe
2796	abc3fa717d6c5e8c293a6509d2116b0287581a4ed82b1775eb742a4f8820ed13.exe
2796	abc3fa717d6c5e8c293a6509d2116b0287581a4ed82b1775eb742a4f8820ed13.exe
2796	abc3fa717d6c5e8c293a6509d2116b0287581a4ed82b1775eb742a4f8820ed13.exe
2796	abc3fa717d6c5e8c293a6509d2116b0287581a4ed82b1775eb742a4f8820ed13.exe
2828	BASupApp.exe
2828	BASupApp.exe
2828	BASupApp.exe
2828	BASupApp.exe
2828	BASupApp.exe
2828	BASupApp.exe
2828	BASupApp.exe
2828	BASupApp.exe
2828	BASupApp.exe
2828	BASupApp.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BASupApp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2828	BASupApp.exe
2828	BASupApp.exe
2828	BASupApp.exe
2828	BASupApp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2828	2796	abc3fa717d6c5e8c293a6509d2116b0287581a4ed82b1775eb742a4f8820ed13.exe	83
PID 2796 wrote to memory of 2828	2796	abc3fa717d6c5e8c293a6509d2116b0287581a4ed82b1775eb742a4f8820ed13.exe	83
PID 2796 wrote to memory of 2828	2796	abc3fa717d6c5e8c293a6509d2116b0287581a4ed82b1775eb742a4f8820ed13.exe	83

C:\Users\Admin\AppData\Local\Temp\abc3fa717d6c5e8c293a6509d2116b0287581a4ed82b1775eb742a4f8820ed13.exe
"C:\Users\Admin\AppData\Local\Temp\abc3fa717d6c5e8c293a6509d2116b0287581a4ed82b1775eb742a4f8820ed13.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\BASupApp.exe
  "C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\BASupApp.exe" -from_installer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID:2828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BEANYW~1\GETSUP~1\BASupApp.ini

Filesize
126B

MD5
f75bfdf2658a7c220788e4f13c7e42ee

SHA1
b5e63976c90d93c84791b22d8ae85b08201233e8

SHA256
13a83b48bddbc9d8ceb639dbbddb2acd6b85c389d2bfa1787d43a2ade4f8e29b

SHA512
807012360056977c6f88d81fc82bc2408b3c6fbf7126555c59cfe3dc69109062e803ac791baffadda9750e48df0ef8956af44a5b170291d5db3766c227dda2f4

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\BASUPLIB.DLL

Filesize
47KB

MD5
c2bfebb47d9bc2217770fe8fec8592af

SHA1
b5f5441810d4196650197c842e8f9804912e932c

SHA256
35a7b3ad70c03d3e8fa37db99702482d24e3ac72b89d54874358968673daa1a9

SHA512
06e8edd22e8ac416ee4b9c7cc272db946f62438a13a8384eea709f09d686a9d4b3e780f15772233baf8f5b74c53778d17edc76f084fc77197f2161b16f0060c9

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\BASupApp.exe

Filesize
6.6MB

MD5
1e8033bfe0893641283b27ee280bbbdb

SHA1
afa7220911ced75eb8a014c56dacc1bea1144374

SHA256
fac9d94d0cda7b5a844e4cad26aed69e99bd4cabfcdb4c3f5ceb4b8e722440ff

SHA512
4be4fee886d3d9c66b239ee22b62cd0b2c37dfea63a7b1f117e23abc0f61ca8143747ecd012b3f98d1dc05bb1f4d852ddb93a04cdb4988a23d4edbc44771fc0b

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\BASupApp.exe

Filesize
6.6MB

MD5
1e8033bfe0893641283b27ee280bbbdb

SHA1
afa7220911ced75eb8a014c56dacc1bea1144374

SHA256
fac9d94d0cda7b5a844e4cad26aed69e99bd4cabfcdb4c3f5ceb4b8e722440ff

SHA512
4be4fee886d3d9c66b239ee22b62cd0b2c37dfea63a7b1f117e23abc0f61ca8143747ecd012b3f98d1dc05bb1f4d852ddb93a04cdb4988a23d4edbc44771fc0b

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\BASupApp.xml

Filesize
79B

MD5
ce2d288a0911c11ed816c452a614f68b

SHA1
dbc18e2ee312a9b45226b4c6f3c83af6cc0b962d

SHA256
e393d03c321ba1d2c0607a0358e6f8d23fd7b5af5caf07e441a2d6188b791c46

SHA512
d80cbf58eb4da3bd00898ba48560165f6a4f4fbe3e28ff5b56b1fcb4bf00010845ce43591e1c040f82ee8cb0c6c8568f2fc50a41d2b17f54b3b8a014fd0f7921

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\BASupAppEN.dll

Filesize
267KB

MD5
b49b1de05d25f680b32e1f8d7c0b8600

SHA1
a4ddbca01bb5f569930160fea2145933d13fa097

SHA256
6bcc7d6956aff53ce70286d7d46d3b0f8f6a54275e73e13235dec93056768575

SHA512
0773b9e6adc0aded0d063ff6beb1ea78ce049e7c8e2434939eaa5ca57957ea5cd4a0c3755771ff6377327f94f22185a50f6c041a5ae041c16a0d9fcfdb6fdba4

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\BASupAppEN.dll

Filesize
267KB

MD5
b49b1de05d25f680b32e1f8d7c0b8600

SHA1
a4ddbca01bb5f569930160fea2145933d13fa097

SHA256
6bcc7d6956aff53ce70286d7d46d3b0f8f6a54275e73e13235dec93056768575

SHA512
0773b9e6adc0aded0d063ff6beb1ea78ce049e7c8e2434939eaa5ca57957ea5cd4a0c3755771ff6377327f94f22185a50f6c041a5ae041c16a0d9fcfdb6fdba4

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\BASupAppPT.dll

Filesize
268KB

MD5
6d3e51554fd5388d786b74c46f0eefdb

SHA1
6047e8d2c1f6360ad7d7b83070e484c85d68cdfa

SHA256
10c60ae53495ed6e3f8f3e8b1e850d5bee0faf008a890732dfdea1d1741b0a0d

SHA512
9802d8295ad689b99bcefc848aac2309edff3314e8582e837451db7eacf19446e874a4d939103b1bf96606ef3ed5c1f701c31b419b7c146db1c5d051ac6c560b

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\BASupAppPT.dll

Filesize
268KB

MD5
6d3e51554fd5388d786b74c46f0eefdb

SHA1
6047e8d2c1f6360ad7d7b83070e484c85d68cdfa

SHA256
10c60ae53495ed6e3f8f3e8b1e850d5bee0faf008a890732dfdea1d1741b0a0d

SHA512
9802d8295ad689b99bcefc848aac2309edff3314e8582e837451db7eacf19446e874a4d939103b1bf96606ef3ed5c1f701c31b419b7c146db1c5d051ac6c560b

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\BASupAppen.dll

Filesize
267KB

MD5
b49b1de05d25f680b32e1f8d7c0b8600

SHA1
a4ddbca01bb5f569930160fea2145933d13fa097

SHA256
6bcc7d6956aff53ce70286d7d46d3b0f8f6a54275e73e13235dec93056768575

SHA512
0773b9e6adc0aded0d063ff6beb1ea78ce049e7c8e2434939eaa5ca57957ea5cd4a0c3755771ff6377327f94f22185a50f6c041a5ae041c16a0d9fcfdb6fdba4

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\BASupApppt.dll

Filesize
268KB

MD5
6d3e51554fd5388d786b74c46f0eefdb

SHA1
6047e8d2c1f6360ad7d7b83070e484c85d68cdfa

SHA256
10c60ae53495ed6e3f8f3e8b1e850d5bee0faf008a890732dfdea1d1741b0a0d

SHA512
9802d8295ad689b99bcefc848aac2309edff3314e8582e837451db7eacf19446e874a4d939103b1bf96606ef3ed5c1f701c31b419b7c146db1c5d051ac6c560b

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\BASupLib.dll

Filesize
47KB

MD5
c2bfebb47d9bc2217770fe8fec8592af

SHA1
b5f5441810d4196650197c842e8f9804912e932c

SHA256
35a7b3ad70c03d3e8fa37db99702482d24e3ac72b89d54874358968673daa1a9

SHA512
06e8edd22e8ac416ee4b9c7cc272db946f62438a13a8384eea709f09d686a9d4b3e780f15772233baf8f5b74c53778d17edc76f084fc77197f2161b16f0060c9

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\LIBLZMA-5.DLL

Filesize
148KB

MD5
c14e76226f89bc3c25fb969279cbce5f

SHA1
cd849ca0b30e28dc1f532c25096004249f1cffd0

SHA256
42ffb6cd4aa8a764907f4d90b8a9b378a212fae65738618c643d9b1f24ef2da4

SHA512
b7c92644d32a7d4f1624a8fbf8e624abd147d349e602a71f577035912243739f70557db02067cb9fe7795b943e644f7650413bceebe88467ee40bfdcdc4e4de6

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\LibLZMA-5.dll

Filesize
148KB

MD5
c14e76226f89bc3c25fb969279cbce5f

SHA1
cd849ca0b30e28dc1f532c25096004249f1cffd0

SHA256
42ffb6cd4aa8a764907f4d90b8a9b378a212fae65738618c643d9b1f24ef2da4

SHA512
b7c92644d32a7d4f1624a8fbf8e624abd147d349e602a71f577035912243739f70557db02067cb9fe7795b943e644f7650413bceebe88467ee40bfdcdc4e4de6

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\TURBOJPEG.DLL

Filesize
582KB

MD5
7dc0d6f5eea5a14e6ae20306e0bbfc90

SHA1
4449db37abcff7de5520e08de2533b5b9bb3d10b

SHA256
5620c18af5cfa913d7147cf24b0e84dbeee0724eab1436d9c955636532e57b99

SHA512
960715ca6afe84cf78aa3ddf51fe1e0663f7ef764786d40004f2ac203c2aaeb09337f0424803c9f1474a4e29f3a4fbdc1cf1c177ccfef8a3edb21bc3fa514bb9

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\TurboJPEG.dll

Filesize
582KB

MD5
7dc0d6f5eea5a14e6ae20306e0bbfc90

SHA1
4449db37abcff7de5520e08de2533b5b9bb3d10b

SHA256
5620c18af5cfa913d7147cf24b0e84dbeee0724eab1436d9c955636532e57b99

SHA512
960715ca6afe84cf78aa3ddf51fe1e0663f7ef764786d40004f2ac203c2aaeb09337f0424803c9f1474a4e29f3a4fbdc1cf1c177ccfef8a3edb21bc3fa514bb9

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\ZLIB1.DLL

Filesize
105KB

MD5
b8a9e91134e7c89440a0f95470d5e47b

SHA1
3cbcee30fc0a7e9807931bc0dafceb627042bfc9

SHA256
42967a768f341d9ce5174eb38a4d63754c3c41739e7d88f4e39cd7354c1fac71

SHA512
e8583ea94b9d1321889359317e367abc88e90e96d0d9243258244a527ffa2b13ab97d0787693ca328960ceb934ea11eefd14abafd640a654473c26e420d2ec54

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\libeay32.dll

Filesize
1.5MB

MD5
6ca47ddff910a5c83fc2211d94b8b4ec

SHA1
4652d350cad6b6a7def0e5da9d21004fe71b724f

SHA256
67aebdf40198040d050dbe8ad62408bd561642a550cd2131de59c3af87f84e07

SHA512
996154d29a45f5b56cb1d40aaa22c096aa04a83959d8a10c0e2316e038f4fb0819dccf5f639e3157d7221a00adef09c04722d261728c29ff54b628df8901855a

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\libeay32.dll

Filesize
1.5MB

MD5
6ca47ddff910a5c83fc2211d94b8b4ec

SHA1
4652d350cad6b6a7def0e5da9d21004fe71b724f

SHA256
67aebdf40198040d050dbe8ad62408bd561642a550cd2131de59c3af87f84e07

SHA512
996154d29a45f5b56cb1d40aaa22c096aa04a83959d8a10c0e2316e038f4fb0819dccf5f639e3157d7221a00adef09c04722d261728c29ff54b628df8901855a

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\ssleay32.dll

Filesize
325KB

MD5
c3835f0ccb5f592110689fc27e46dff4

SHA1
da05af65a0652de0322c707444792604157ea7cd

SHA256
70d03b673b04d129fea79a59621e79b1a73f9a927368db640cbe2d43d6a07635

SHA512
af6d24f4bcd05d35793fa729823327f257e26b87583a16f3a730980288398cbaaffdec61aff20f20e80cfe5bd7791f8c8a7e1f20a18086ea7194cfaf41ebb6e0

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\ssleay32.dll

Filesize
325KB

MD5
c3835f0ccb5f592110689fc27e46dff4

SHA1
da05af65a0652de0322c707444792604157ea7cd

SHA256
70d03b673b04d129fea79a59621e79b1a73f9a927368db640cbe2d43d6a07635

SHA512
af6d24f4bcd05d35793fa729823327f257e26b87583a16f3a730980288398cbaaffdec61aff20f20e80cfe5bd7791f8c8a7e1f20a18086ea7194cfaf41ebb6e0

Download Submit
C:\Users\Admin\AppData\Local\BeAnywhere Support Express\GetSupport\zlib1.dll

Filesize
105KB

MD5
b8a9e91134e7c89440a0f95470d5e47b

SHA1
3cbcee30fc0a7e9807931bc0dafceb627042bfc9

SHA256
42967a768f341d9ce5174eb38a4d63754c3c41739e7d88f4e39cd7354c1fac71

SHA512
e8583ea94b9d1321889359317e367abc88e90e96d0d9243258244a527ffa2b13ab97d0787693ca328960ceb934ea11eefd14abafd640a654473c26e420d2ec54

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx818B.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx818B.tmp\WinVersion.dll

Filesize
40KB

MD5
651bb25f2fa2d08e3b284afc5c5b130f

SHA1
3ebdbd35637cdf810099daa9a85956cae3605602

SHA256
335ba81d721f170151e8e21a142a4d81a3c4ebded9d355f74aa4a25d79efdf44

SHA512
85e65649519b1af71740bb66ec905bbbd9d155e6e2a0018730a277248c61e4209b205ab29d0edf6422845ef33fe8a0a3d198bf80755d52251816cfc6bb5f19f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx818B.tmp\WinVersion.dll

Filesize
40KB

MD5
651bb25f2fa2d08e3b284afc5c5b130f

SHA1
3ebdbd35637cdf810099daa9a85956cae3605602

SHA256
335ba81d721f170151e8e21a142a4d81a3c4ebded9d355f74aa4a25d79efdf44

SHA512
85e65649519b1af71740bb66ec905bbbd9d155e6e2a0018730a277248c61e4209b205ab29d0edf6422845ef33fe8a0a3d198bf80755d52251816cfc6bb5f19f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx818B.tmp\XMLConfigPlugIn.dll

Filesize
49KB

MD5
9684eb9f2317585b78ce5a78a5d70907

SHA1
c6bfbc1be6648a98bde3fc066518e8773bf52ab4

SHA256
6b3f9a3d97258bbd516ba737f1f47a46145fb6fe5cf3e8263715b3ff2aaf4f20

SHA512
fe062c1a95bf3140d2db411c5b6d76dfbac37baf5d0979c8a8497c7a4925544462af738944ec402e2e57faa516b48b0deb97fddfb5b5d0092649b72194c1491f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx818B.tmp\XMLConfigPlugIn.dll

Filesize
49KB

MD5
9684eb9f2317585b78ce5a78a5d70907

SHA1
c6bfbc1be6648a98bde3fc066518e8773bf52ab4

SHA256
6b3f9a3d97258bbd516ba737f1f47a46145fb6fe5cf3e8263715b3ff2aaf4f20

SHA512
fe062c1a95bf3140d2db411c5b6d76dfbac37baf5d0979c8a8497c7a4925544462af738944ec402e2e57faa516b48b0deb97fddfb5b5d0092649b72194c1491f

Download Submit
memory/2796-134-0x00000000024E0000-0x00000000024EF000-memory.dmp

Filesize
60KB

Download
memory/2796-138-0x00000000024E0000-0x00000000024EF000-memory.dmp

Filesize
60KB

Download
memory/2828-150-0x0000000000400000-0x0000000000AA7000-memory.dmp

Filesize
6.7MB

Download