Analysis
max time kernel: 153s
max time network: 101s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 19:07
Static task: static1
Behavioral task: behavioral1
  Sample: cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe
  Resource: win10v2004-20221111-en
General
Target: cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe
Size: 152KB
MD5: 615e3c5306a1450aad5d8c90e3af40b0
SHA1: ff427ff44cf25477d63782445137af60bbee71af
SHA256: cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df
SHA512: 4eb9da8ed088940bb47809b29d959dfd6b0553eb43584562261673ba304138c78d1c0892da0c5cd15bde77e15b0e42b96d43e63bfa9ea9f93df6284f4779922b
SSDEEP: 3072:Ur4dKA1qlsyqkFg4Vh574qBz9eStfG3Iq:VdKeosyqkWShd4qB59s
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Processes:
    pid 2040  bchhy.exe

Loads dropped DLL (2 IoCs)
  Processes:
    pid 1236  cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe
    pid 1236  cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: bchhy.exe
    description      ioc                                                                                                                                                              process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Security Essentials 3.2 = "C:\\ProgramData\\bchhy.exe"                       bchhy.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\rqmzwcs52kxwxbklissgsbpg3domil1u = "C:\\Users\\Admin\\AppData\\Roaming\\lfj5wwol\\nqxkkwdm.exe"  bchhy.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: bchhy.exe, cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe
    description        ioc                                                                         process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0             bchhy.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  bchhy.exe
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0             cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe

Suspicious use of AdjustPrivilegeToken (22 IoCs)
  Processes: cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe, bchhy.exe
    pid 1236  cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe
      Token: SeDebugPrivilege
    pid 2040  bchhy.exe
      Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe
    description                          pid   process                                                                 target process
    PID 1236 wrote to memory of 2040     1236  cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe  bchhy.exe
    PID 1236 wrote to memory of 2040     1236  cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe  bchhy.exe
    PID 1236 wrote to memory of 2040     1236  cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe  bchhy.exe
    PID 1236 wrote to memory of 2040     1236  cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe  bchhy.exe
Processes

C:\Users\Admin\AppData\Local\Temp\cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe
  "C:\Users\Admin\AppData\Local\Temp\cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df.exe"
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\bchhy.exe
    "C:\ProgramData\bchhy.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\bchhy.exe
  Filesize: 152KB
  MD5: 615e3c5306a1450aad5d8c90e3af40b0
  SHA1: ff427ff44cf25477d63782445137af60bbee71af
  SHA256: cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df
  SHA512: 4eb9da8ed088940bb47809b29d959dfd6b0553eb43584562261673ba304138c78d1c0892da0c5cd15bde77e15b0e42b96d43e63bfa9ea9f93df6284f4779922b

C:\Users\Admin\AppData\Local\Temp\cscomp.dll
  Filesize: 1.1MB
  MD5: c1b5307377c98f87e0152c44e9ff8dee
  SHA1: 5f2729e83009c39373d3e76d64e081c88da8391a
  SHA256: e4b8cacdd50a9a6457708e3d15ddfa3cf23b444582fd37ba50444b53802ff0c7
  SHA512: a763a5cbb06c8746d413f213f479eecc80e9c21e8e0eacc1213465dce56852448a3c8791402d91806e4bccf6714deacb0747025a77a55aa0e141573b6b455a46

C:\Users\Admin\AppData\Local\Temp\qmnk3zha.exe
  Filesize: 1.1MB
  MD5: 34aa912defa18c2c129f1e09d75c1d7e
  SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
  SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
  SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

\ProgramData\bchhy.exe
  Filesize: 152KB
  MD5: 615e3c5306a1450aad5d8c90e3af40b0
  SHA1: ff427ff44cf25477d63782445137af60bbee71af
  SHA256: cce8232f5bf28c3582ffb28fa70cdf37fab4209fbc8c59255d55ae76e97e15df
  SHA512: 4eb9da8ed088940bb47809b29d959dfd6b0553eb43584562261673ba304138c78d1c0892da0c5cd15bde77e15b0e42b96d43e63bfa9ea9f93df6284f4779922b

memory/1236-61-0x0000000074200000-0x00000000747AB000-memory.dmp
  Filesize: 5.7MB

memory/1236-56-0x0000000074200000-0x00000000747AB000-memory.dmp
  Filesize: 5.7MB

memory/1236-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp
  Filesize: 8KB

memory/1236-55-0x0000000074200000-0x00000000747AB000-memory.dmp
  Filesize: 5.7MB

memory/2040-59-0x0000000000000000-mapping.dmp

memory/2040-66-0x0000000073C50000-0x00000000741FB000-memory.dmp
  Filesize: 5.7MB

memory/2040-67-0x0000000073C50000-0x00000000741FB000-memory.dmp
  Filesize: 5.7MB