3da539d2f3f68c823e556e637665b03f2501e510c36db2429fe17ad44e903da6

General

Target

Petro-LPO-206101-371220326BOQ.exe
Size

834KB
MD5

c41ab4abfd11308b0f3b10cbd57a3a36
SHA1

85959216592c0ca55c91b880c242d2ff7eeca49d
SHA256

3da539d2f3f68c823e556e637665b03f2501e510c36db2429fe17ad44e903da6
SHA512

04cc28f9f8b0bae22dfcff965faef945937e5a4fe8b8ab1a795a32ac8d30b11c647b2f0a37f6f32d723211dc8bba3050f3032c5c2f1c6f397d3643320c39a637
SSDEEP

12288:L6mvmrAIpXGkCHR3uU9M4/1Y2lranhBzDwvZ+v6cxa:LdmrAIpX5ZWY2ehBG+vy

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\bsfgmanh.exe,"	reg.exe

Executes dropped EXE 1 IoCs

Processes:

bsfgmanh.exe

pid process

1748 bsfgmanh.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1068 cmd.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

952 PING.EXE
1736 PING.EXE
692 PING.EXE

pid	process
1748	bsfgmanh.exe

pid	process
1068	cmd.exe

pid	process
952	PING.EXE
1736	PING.EXE
692	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Petro-LPO-206101-371220326BOQ.exebsfgmanh.exe

pid	process
2012	Petro-LPO-206101-371220326BOQ.exe
2012	Petro-LPO-206101-371220326BOQ.exe
2012	Petro-LPO-206101-371220326BOQ.exe
1748	bsfgmanh.exe
1748	bsfgmanh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Petro-LPO-206101-371220326BOQ.exebsfgmanh.exe

description pid process

Token: SeDebugPrivilege 2012 Petro-LPO-206101-371220326BOQ.exe
Token: SeDebugPrivilege 1748 bsfgmanh.exe

description	pid	process
Token: SeDebugPrivilege	2012	Petro-LPO-206101-371220326BOQ.exe
Token: SeDebugPrivilege	1748	bsfgmanh.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Petro-LPO-206101-371220326BOQ.execmd.execmd.exe

description	pid	process	target process
PID 2012 wrote to memory of 1808	2012	Petro-LPO-206101-371220326BOQ.exe	cmd.exe
PID 2012 wrote to memory of 1808	2012	Petro-LPO-206101-371220326BOQ.exe	cmd.exe
PID 2012 wrote to memory of 1808	2012	Petro-LPO-206101-371220326BOQ.exe	cmd.exe
PID 2012 wrote to memory of 1808	2012	Petro-LPO-206101-371220326BOQ.exe	cmd.exe
PID 1808 wrote to memory of 952	1808	cmd.exe	PING.EXE
PID 1808 wrote to memory of 952	1808	cmd.exe	PING.EXE
PID 1808 wrote to memory of 952	1808	cmd.exe	PING.EXE
PID 1808 wrote to memory of 952	1808	cmd.exe	PING.EXE
PID 2012 wrote to memory of 1068	2012	Petro-LPO-206101-371220326BOQ.exe	cmd.exe
PID 2012 wrote to memory of 1068	2012	Petro-LPO-206101-371220326BOQ.exe	cmd.exe
PID 2012 wrote to memory of 1068	2012	Petro-LPO-206101-371220326BOQ.exe	cmd.exe
PID 2012 wrote to memory of 1068	2012	Petro-LPO-206101-371220326BOQ.exe	cmd.exe
PID 1068 wrote to memory of 1736	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 1736	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 1736	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 1736	1068	cmd.exe	PING.EXE
PID 1808 wrote to memory of 328	1808	cmd.exe	reg.exe
PID 1808 wrote to memory of 328	1808	cmd.exe	reg.exe
PID 1808 wrote to memory of 328	1808	cmd.exe	reg.exe
PID 1808 wrote to memory of 328	1808	cmd.exe	reg.exe
PID 1068 wrote to memory of 692	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 692	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 692	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 692	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 1748	1068	cmd.exe	bsfgmanh.exe
PID 1068 wrote to memory of 1748	1068	cmd.exe	bsfgmanh.exe
PID 1068 wrote to memory of 1748	1068	cmd.exe	bsfgmanh.exe
PID 1068 wrote to memory of 1748	1068	cmd.exe	bsfgmanh.exe

C:\Users\Admin\AppData\Local\Temp\Petro-LPO-206101-371220326BOQ.exe
"C:\Users\Admin\AppData\Local\Temp\Petro-LPO-206101-371220326BOQ.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\bsfgmanh.exe,"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 8
    3⤵
    - Runs ping.exe
    PID:952
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\bsfgmanh.exe,"
    3⤵
    - Modifies WinLogon for persistence
    PID:328
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 14 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Petro-LPO-206101-371220326BOQ.exe" "C:\Users\Admin\AppData\Roaming\bsfgmanh.exe" && ping 127.0.0.1 -n 14 > nul && "C:\Users\Admin\AppData\Roaming\bsfgmanh.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 14
    3⤵
    - Runs ping.exe
    PID:1736
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 14
    3⤵
    - Runs ping.exe
    PID:692
- - C:\Users\Admin\AppData\Roaming\bsfgmanh.exe
    "C:\Users\Admin\AppData\Roaming\bsfgmanh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\bsfgmanh.exe

Filesize
834KB

MD5
c41ab4abfd11308b0f3b10cbd57a3a36

SHA1
85959216592c0ca55c91b880c242d2ff7eeca49d

SHA256
3da539d2f3f68c823e556e637665b03f2501e510c36db2429fe17ad44e903da6

SHA512
04cc28f9f8b0bae22dfcff965faef945937e5a4fe8b8ab1a795a32ac8d30b11c647b2f0a37f6f32d723211dc8bba3050f3032c5c2f1c6f397d3643320c39a637

Download Submit
C:\Users\Admin\AppData\Roaming\bsfgmanh.exe

Filesize
834KB

MD5
c41ab4abfd11308b0f3b10cbd57a3a36

SHA1
85959216592c0ca55c91b880c242d2ff7eeca49d

SHA256
3da539d2f3f68c823e556e637665b03f2501e510c36db2429fe17ad44e903da6

SHA512
04cc28f9f8b0bae22dfcff965faef945937e5a4fe8b8ab1a795a32ac8d30b11c647b2f0a37f6f32d723211dc8bba3050f3032c5c2f1c6f397d3643320c39a637

Download Submit
\Users\Admin\AppData\Roaming\bsfgmanh.exe

Filesize
834KB

MD5
c41ab4abfd11308b0f3b10cbd57a3a36

SHA1
85959216592c0ca55c91b880c242d2ff7eeca49d

SHA256
3da539d2f3f68c823e556e637665b03f2501e510c36db2429fe17ad44e903da6

SHA512
04cc28f9f8b0bae22dfcff965faef945937e5a4fe8b8ab1a795a32ac8d30b11c647b2f0a37f6f32d723211dc8bba3050f3032c5c2f1c6f397d3643320c39a637

Download Submit
memory/328-62-0x0000000000000000-mapping.dmp

Download
memory/692-63-0x0000000000000000-mapping.dmp

Download
memory/952-59-0x0000000000000000-mapping.dmp

Download
memory/1068-60-0x0000000000000000-mapping.dmp

Download
memory/1736-61-0x0000000000000000-mapping.dmp

Download
memory/1748-68-0x00000000012C0000-0x0000000001396000-memory.dmp

Filesize
856KB

Download
memory/1748-71-0x00000000010A0000-0x00000000010A6000-memory.dmp

Filesize
24KB

Download
memory/1748-65-0x0000000000000000-mapping.dmp

Download
memory/1748-70-0x0000000000F50000-0x0000000000F6A000-memory.dmp

Filesize
104KB

Download
memory/1808-58-0x0000000000000000-mapping.dmp

Download
memory/2012-57-0x0000000000C90000-0x0000000000CA8000-memory.dmp

Filesize
96KB

Download
memory/2012-55-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/2012-56-0x0000000000680000-0x00000000006B0000-memory.dmp

Filesize
192KB

Download
memory/2012-54-0x0000000000DB0000-0x0000000000E86000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads