3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b

General

Target

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
Size

730KB
MD5

b849888deba833c47e824cd25adb39d6
SHA1

be8c12fb9a3fc59bb98113d5e1491c449a702a3a
SHA256

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b
SHA512

f9d33e634fe89b286aaeefc3d424ebbcea74e74d328afca9dc99a7eb0f88880c4802eb66fe76e6c9d88db26b79390bfab35ef5d4d903112206a46bb861bfa75c
SSDEEP

12288:fH16hjKvCGe81mt5zgKGORvpeTMrq1b0hcZza+bx3yrqupt5Ye4i:/16QvC/tyiRv3Wu0x3y+atWe4i

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome\\svchost.exe"	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

Executes dropped EXE 1 IoCs

Processes:

tmp.exe

pid process

584 tmp.exe

pid	process
584	tmp.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bqzohjblz.exe\DisableExceptionChainValidation	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bqzohjblz.exe	tmp.exe

Loads dropped DLL 1 IoCs

Processes:

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

pid process

1444 3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

Processes:

tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	tmp.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira	tmp.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

tmp.exe

description ioc process

File created C:\ProgramData\%temp%\desktop.ini tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\ProgramData\%temp%\desktop.ini	tmp.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exe3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1556 schtasks.exe

pid	process
1556	schtasks.exe

Modifies registry class 7 IoCs

Processes:

tmp.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{FF0B3EF0-F085-8E4C-992C-8C5CCA378126}\68C10857\CG1\HAL = 05ee0000	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{FF0B3EF0-F085-8E4C-992C-8C5CCA378126}\68C10857\ê' u3	tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{FF0B3EF0-F085-8E4C-992C-8C5CCA378126}\68C10857\ê' u3\BID = 2000080019000b00e60700001400000019000e00040024000000000074cb8063	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{FF0B3EF0-F085-8E4C-992C-8C5CCA378126}\68C10857\CG1	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{FF0B3EF0-F085-8E4C-992C-8C5CCA378126}	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{FF0B3EF0-F085-8E4C-992C-8C5CCA378126}\68C10857	tmp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

pid	process
1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

tmp.exe

pid process

584 tmp.exe
584 tmp.exe

pid	process
584	tmp.exe
584	tmp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exetmp.exe

description	pid	process
Token: SeDebugPrivilege	1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
Token: SeRestorePrivilege	584	tmp.exe
Token: SeBackupPrivilege	584	tmp.exe
Token: SeDebugPrivilege	584	tmp.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.execmd.exewscript.exetmp.exe

description	pid	process	target process
PID 1444 wrote to memory of 1088	1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	cmd.exe
PID 1444 wrote to memory of 1088	1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	cmd.exe
PID 1444 wrote to memory of 1088	1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	cmd.exe
PID 1444 wrote to memory of 1088	1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	cmd.exe
PID 1088 wrote to memory of 1864	1088	cmd.exe	wscript.exe
PID 1088 wrote to memory of 1864	1088	cmd.exe	wscript.exe
PID 1088 wrote to memory of 1864	1088	cmd.exe	wscript.exe
PID 1088 wrote to memory of 1864	1088	cmd.exe	wscript.exe
PID 1444 wrote to memory of 584	1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	tmp.exe
PID 1444 wrote to memory of 584	1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	tmp.exe
PID 1444 wrote to memory of 584	1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	tmp.exe
PID 1444 wrote to memory of 584	1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	tmp.exe
PID 1444 wrote to memory of 1920	1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
PID 1444 wrote to memory of 1920	1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
PID 1444 wrote to memory of 1920	1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
PID 1444 wrote to memory of 1920	1444	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
PID 1864 wrote to memory of 880	1864	wscript.exe	cmd.exe
PID 1864 wrote to memory of 880	1864	wscript.exe	cmd.exe
PID 1864 wrote to memory of 880	1864	wscript.exe	cmd.exe
PID 1864 wrote to memory of 880	1864	wscript.exe	cmd.exe
PID 584 wrote to memory of 1556	584	tmp.exe	schtasks.exe
PID 584 wrote to memory of 1556	584	tmp.exe	schtasks.exe
PID 584 wrote to memory of 1556	584	tmp.exe	schtasks.exe
PID 584 wrote to memory of 1556	584	tmp.exe	schtasks.exe
PID 584 wrote to memory of 728	584	tmp.exe	WerFault.exe
PID 584 wrote to memory of 728	584	tmp.exe	WerFault.exe
PID 584 wrote to memory of 728	584	tmp.exe	WerFault.exe
PID 584 wrote to memory of 728	584	tmp.exe	WerFault.exe
PID 584 wrote to memory of 728	584	tmp.exe	WerFault.exe
PID 584 wrote to memory of 728	584	tmp.exe	WerFault.exe
PID 584 wrote to memory of 728	584	tmp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
"C:\Users\Admin\AppData\Local\Temp\3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Chrome\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Chrome\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\Chrome\mata2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Chrome\mata2.bat" "
4⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks for any installed AV software in registry
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x68C10857" /TR "C:\ProgramData\%temp%\bqzohjblz.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1556

C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\SysWOW64\WerFault.exe"
3⤵
PID:728

C:\Users\Admin\AppData\Local\Temp\3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
C:\Users\Admin\AppData\Local\Temp\3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
2⤵
PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Security Software Discovery

1

T1063

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Chrome\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome\mata.bat
Filesize
61B

MD5
ed44f40e1fbefabb7cbecc859a8461ea

SHA1
892dd10211373a9e129bfe7c65b43cebc42aff2b

SHA256
6095898b4b78cea9529eac49129d8299d83cb0e0f309bea7cf73a11ee21df23c

SHA512
26458a2dbf59f0e39c0793389ad829d92e23a4425d3d35654dbbe3626b11812d19e584d3610b94ead43c4b77c9e938870d39042d98964f493bc65a865d65c130

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome\mata2.bat
Filesize
66B

MD5
d4dd20ff8e053047f87ea2b5d5e739ad

SHA1
3de8e132c5623ec615046f1ec0716bdbfa3a583d

SHA256
240941f0861a4f3ee3c96f46dd1da5ca8e4d4fcee51a9b8b47406f30e899a63b

SHA512
0dff8482262cce3b7a2000370556bed8bde7096853303bb9108c800bb8f69a696680954bf5aa90549d019230cd01eb63d4a34937472487667b1865900ee5960c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome\rundll11-.txt
Filesize
730KB

MD5
b849888deba833c47e824cd25adb39d6

SHA1
be8c12fb9a3fc59bb98113d5e1491c449a702a3a

SHA256
3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b

SHA512
f9d33e634fe89b286aaeefc3d424ebbcea74e74d328afca9dc99a7eb0f88880c4802eb66fe76e6c9d88db26b79390bfab35ef5d4d903112206a46bb861bfa75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome\svchost.exe
Filesize
730KB

MD5
b849888deba833c47e824cd25adb39d6

SHA1
be8c12fb9a3fc59bb98113d5e1491c449a702a3a

SHA256
3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b

SHA512
f9d33e634fe89b286aaeefc3d424ebbcea74e74d328afca9dc99a7eb0f88880c4802eb66fe76e6c9d88db26b79390bfab35ef5d4d903112206a46bb861bfa75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
138KB

MD5
636e7211c0d5632d238fdcf439edd0b4

SHA1
0c4ca590e1ed635e3b700a715d54a1e5a2ecb590

SHA256
bc787c9c4dcc076dac3683aa88186d48282a65a0eb66af98f1e05fc121be4788

SHA512
796a18531e1cea3f589f057e9dce85dba219f2c0ce1f0ec853b18e7adc897900327a618b903ded765ee947dfea6159304fe9060906811fe73192f09fc3647b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
138KB

MD5
636e7211c0d5632d238fdcf439edd0b4

SHA1
0c4ca590e1ed635e3b700a715d54a1e5a2ecb590

SHA256
bc787c9c4dcc076dac3683aa88186d48282a65a0eb66af98f1e05fc121be4788

SHA512
796a18531e1cea3f589f057e9dce85dba219f2c0ce1f0ec853b18e7adc897900327a618b903ded765ee947dfea6159304fe9060906811fe73192f09fc3647b34

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
138KB

MD5
636e7211c0d5632d238fdcf439edd0b4

SHA1
0c4ca590e1ed635e3b700a715d54a1e5a2ecb590

SHA256
bc787c9c4dcc076dac3683aa88186d48282a65a0eb66af98f1e05fc121be4788

SHA512
796a18531e1cea3f589f057e9dce85dba219f2c0ce1f0ec853b18e7adc897900327a618b903ded765ee947dfea6159304fe9060906811fe73192f09fc3647b34

Download Submit
memory/584-69-0x00000000002D0000-0x000000000031B000-memory.dmp

Filesize
300KB

Download
memory/584-74-0x00000000002D0000-0x000000000031B000-memory.dmp

Filesize
300KB

Download
memory/584-62-0x0000000000000000-mapping.dmp

Download
memory/584-67-0x00000000002D0000-0x000000000031B000-memory.dmp

Filesize
300KB

Download
memory/584-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/728-82-0x0000000000090000-0x0000000000101000-memory.dmp

Filesize
452KB

Download
memory/728-81-0x00000000776A0000-0x0000000077821000-memory.dmp

Filesize
1.5MB

Download
memory/728-73-0x0000000000000000-mapping.dmp

Download
memory/728-75-0x00000000776A0000-0x0000000077821000-memory.dmp

Filesize
1.5MB

Download
memory/728-76-0x0000000000090000-0x0000000000101000-memory.dmp

Filesize
452KB

Download
memory/880-66-0x0000000000000000-mapping.dmp

Download
memory/1088-56-0x0000000000000000-mapping.dmp

Download
memory/1444-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1444-77-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1444-55-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1444-79-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1444-80-0x0000000004CF0000-0x0000000004CFF000-memory.dmp

Filesize
60KB

Download
memory/1556-72-0x0000000000000000-mapping.dmp

Download
memory/1864-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads