cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df

General

Target

cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe
Size

152KB
MD5

615e3c5306a1450aad5d8c90e3af40b0
SHA1

ff427ff44cf25477d63782445137af60bbee71af
SHA256

cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df
SHA512

4eb9da8ed088940bb47809b29d959dfd6b0553eb43584562261673ba304138c78d1c0892da0c5cd15bde77e15b0e42b96d43e63bfa9ea9f93df6284f4779922b
SSDEEP

3072:Ur4dKA1qlsyqkFg4Vh574qBz9eStfG3Iq:VdKeosyqkWShd4qB59s

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

bchhy.exe

pid process

2040 bchhy.exe

pid	process
2040	bchhy.exe

Loads dropped DLL 2 IoCs

Processes:

cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe

pid	process
1236	cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe
1236	cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bchhy.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Security Essentials 3.2 = "C:\\ProgramData\\bchhy.exe"	bchhy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\rqmzwcs52kxwxbklissgsbpg3domil1u = "C:\\Users\\Admin\\AppData\\Roaming\\lfj5wwol\\nqxkkwdm.exe"	bchhy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bchhy.execce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	bchhy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	bchhy.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exebchhy.exe

description	pid	process
Token: SeDebugPrivilege	1236	cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe
Token: SeDebugPrivilege	2040	bchhy.exe
Token: SeIncreaseQuotaPrivilege	2040	bchhy.exe
Token: SeSecurityPrivilege	2040	bchhy.exe
Token: SeTakeOwnershipPrivilege	2040	bchhy.exe
Token: SeLoadDriverPrivilege	2040	bchhy.exe
Token: SeSystemProfilePrivilege	2040	bchhy.exe
Token: SeSystemtimePrivilege	2040	bchhy.exe
Token: SeProfSingleProcessPrivilege	2040	bchhy.exe
Token: SeIncBasePriorityPrivilege	2040	bchhy.exe
Token: SeCreatePagefilePrivilege	2040	bchhy.exe
Token: SeBackupPrivilege	2040	bchhy.exe
Token: SeRestorePrivilege	2040	bchhy.exe
Token: SeShutdownPrivilege	2040	bchhy.exe
Token: SeDebugPrivilege	2040	bchhy.exe
Token: SeSystemEnvironmentPrivilege	2040	bchhy.exe
Token: SeRemoteShutdownPrivilege	2040	bchhy.exe
Token: SeUndockPrivilege	2040	bchhy.exe
Token: SeManageVolumePrivilege	2040	bchhy.exe
Token: 33	2040	bchhy.exe
Token: 34	2040	bchhy.exe
Token: 35	2040	bchhy.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe

description	pid	process	target process
PID 1236 wrote to memory of 2040	1236	cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe	bchhy.exe
PID 1236 wrote to memory of 2040	1236	cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe	bchhy.exe
PID 1236 wrote to memory of 2040	1236	cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe	bchhy.exe
PID 1236 wrote to memory of 2040	1236	cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe	bchhy.exe

C:\Users\Admin\AppData\Local\Temp\cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe
"C:\Users\Admin\AppData\Local\Temp\cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236

C:\ProgramData\bchhy.exe
"C:\ProgramData\bchhy.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bchhy.exe
Filesize
152KB

MD5
615e3c5306a1450aad5d8c90e3af40b0

SHA1
ff427ff44cf25477d63782445137af60bbee71af

SHA256
cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df

SHA512
4eb9da8ed088940bb47809b29d959dfd6b0553eb43584562261673ba304138c78d1c0892da0c5cd15bde77e15b0e42b96d43e63bfa9ea9f93df6284f4779922b

Download Submit
C:\ProgramData\bchhy.exe
Filesize
152KB

MD5
615e3c5306a1450aad5d8c90e3af40b0

SHA1
ff427ff44cf25477d63782445137af60bbee71af

SHA256
cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df

SHA512
4eb9da8ed088940bb47809b29d959dfd6b0553eb43584562261673ba304138c78d1c0892da0c5cd15bde77e15b0e42b96d43e63bfa9ea9f93df6284f4779922b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cscomp.dll
Filesize
1.1MB

MD5
c1b5307377c98f87e0152c44e9ff8dee

SHA1
5f2729e83009c39373d3e76d64e081c88da8391a

SHA256
e4b8cacdd50a9a6457708e3d15ddfa3cf23b444582fd37ba50444b53802ff0c7

SHA512
a763a5cbb06c8746d413f213f479eecc80e9c21e8e0eacc1213465dce56852448a3c8791402d91806e4bccf6714deacb0747025a77a55aa0e141573b6b455a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmnk3zha.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\ProgramData\bchhy.exe
Filesize
152KB

MD5
615e3c5306a1450aad5d8c90e3af40b0

SHA1
ff427ff44cf25477d63782445137af60bbee71af

SHA256
cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df

SHA512
4eb9da8ed088940bb47809b29d959dfd6b0553eb43584562261673ba304138c78d1c0892da0c5cd15bde77e15b0e42b96d43e63bfa9ea9f93df6284f4779922b

Download Submit
\ProgramData\bchhy.exe
Filesize
152KB

MD5
615e3c5306a1450aad5d8c90e3af40b0

SHA1
ff427ff44cf25477d63782445137af60bbee71af

SHA256
cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df

SHA512
4eb9da8ed088940bb47809b29d959dfd6b0553eb43584562261673ba304138c78d1c0892da0c5cd15bde77e15b0e42b96d43e63bfa9ea9f93df6284f4779922b

Download Submit
memory/1236-61-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1236-56-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1236-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1236-55-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-59-0x0000000000000000-mapping.dmp

Download
memory/2040-66-0x0000000073C50000-0x00000000741FB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-67-0x0000000073C50000-0x00000000741FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads