Analysis
-
max time kernel
136s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-11-2022 12:14
General
-
Target
c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe
-
Size
156KB
-
MD5
8cbb847d4b417c7890e971fa1816e47e
-
SHA1
431e993c91ef518391120a3d6c7d4cdaa8892d92
-
SHA256
c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7
-
SHA512
639512f9a8f05f6fca820eaf2a66934b5cb738dc01bd62fcf9c5e3f06c1c9dd7c725031d24a024f2fa11e28050ba49d2db91ed95d6649bfc76a12ea2c0d14c7f
-
SSDEEP
3072:D/JNqhkWYneP6Gz8pB00e+te46Jkw76aDEmmBsBX4XSYJPkB3K3Wn3GAtUY:DRNqan00e+W2N/i4JPkBK3Wn3GAtV
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe"C:\Users\Admin\AppData\Local\Temp\c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Installs/modifies Browser Helper Object
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\regsvr32.exe /s c:\Users\Admin\bfjdrhlu\bfjdrhlu.dll2⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe /s c:\Users\Admin\bfjdrhlu\bfjdrhlu.dll2⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:216 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5a42abb21be3940a88a73771b18ed0f35
SHA1de12f2f619852ef135ee726614c43c2033ec5743
SHA256edaf1fb1f6ca2a0caf5f4d85b3f13507bd5df4971fa9ea8a6e08c1227f1ec667
SHA512c1f775deb2bcb2e0c48ed74dec1cd95f34690ca16d6465175d52d60ae45e746201cc608a58b6f8f080b7e6a7893993b61093c7d9ff63fa735ebaba61ddd0ebf7
-
Filesize
434B
MD51efe80d924535beaea8c6a6696844da4
SHA13ea16d7a212878a42dedf09c02ff42573d9152f6
SHA256aabe0e7c59eb23c226ae7e5bad2abdd98de8e91aa58e5a2570c0ebb8798ad8e4
SHA512547dfd76d46afb57977d9f52b67af7cee36fcc90de2f27f6597c9f80c7f3f825308d2aed0358f44b83ac60bc563fb88b2f7d557043bb322498ab09fcd3772092