bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

Analysis

max time kernel
192s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
Size

285KB
MD5

6aeb6f5ba1e1ac048b9e077e126c3dba
SHA1

a8334a547ac9e32771fe518c9b98167dfd459f66
SHA256

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f
SHA512

31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6
SSDEEP

6144:cldvE2Qugh1/Cdh95IAWq5P47Vpn5JOkf4bEm/z2RbOy:clwwXIAWqqTNf4vBy

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe\""	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

Executes dropped EXE 3 IoCs

Processes:

dllnh.exedllnh.exedllnh.exe

pid process

912 dllnh.exe
2336 dllnh.exe
4200 dllnh.exe

pid	process
912	dllnh.exe
2336	dllnh.exe
4200	dllnh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllnh.exedllnh.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dllnh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dllnh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.exeWScript.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Software Utilizer = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Utilizer.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Software Utilizer = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Utilizer.exe"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Software Utilizer = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Utilizer.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Systnh = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe\""	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Software Utilizer = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Utilizer.exe"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe

Drops file in System32 directory 1 IoCs

Processes:

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

description ioc process

File created C:\Windows\SysWOW64\clientsvr.exe bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exedllnh.exedllnh.exe

description	pid	process	target process
PID 1448 set thread context of 1752	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1752 set thread context of 4212	1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 912 set thread context of 2336	912	dllnh.exe	dllnh.exe
PID 2336 set thread context of 4200	2336	dllnh.exe	dllnh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exedllnh.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exedllnh.exe

pid	process
1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
912	dllnh.exe
912	dllnh.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
2336	dllnh.exe
2336	dllnh.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
Token: SeDebugPrivilege	1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
Token: SeDebugPrivilege	912	dllnh.exe
Token: SeDebugPrivilege	4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
Token: SeDebugPrivilege	2336	dllnh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

pid process

4212 bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

pid	process
4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exeexplorer.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exeexplorer.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exedllnh.exeexplorer.exedllnh.exeexplorer.exe

description	pid	process	target process
PID 1448 wrote to memory of 3796	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	explorer.exe
PID 1448 wrote to memory of 3796	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	explorer.exe
PID 1448 wrote to memory of 3796	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	explorer.exe
PID 1448 wrote to memory of 3352	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1448 wrote to memory of 3352	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1448 wrote to memory of 3352	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1448 wrote to memory of 1752	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1448 wrote to memory of 1752	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1448 wrote to memory of 1752	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1448 wrote to memory of 1752	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1448 wrote to memory of 1752	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1448 wrote to memory of 1752	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1448 wrote to memory of 1752	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1448 wrote to memory of 1752	1448	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 260 wrote to memory of 2324	260	explorer.exe	WScript.exe
PID 260 wrote to memory of 2324	260	explorer.exe	WScript.exe
PID 1752 wrote to memory of 3196	1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	explorer.exe
PID 1752 wrote to memory of 3196	1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	explorer.exe
PID 1752 wrote to memory of 3196	1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	explorer.exe
PID 1752 wrote to memory of 4212	1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1752 wrote to memory of 4212	1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1752 wrote to memory of 4212	1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1752 wrote to memory of 4212	1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1752 wrote to memory of 4212	1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1752 wrote to memory of 4212	1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1752 wrote to memory of 4212	1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1752 wrote to memory of 4212	1752	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1432 wrote to memory of 1908	1432	explorer.exe	WScript.exe
PID 1432 wrote to memory of 1908	1432	explorer.exe	WScript.exe
PID 4212 wrote to memory of 912	4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 4212 wrote to memory of 912	4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 4212 wrote to memory of 912	4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 912 wrote to memory of 2328	912	dllnh.exe	explorer.exe
PID 912 wrote to memory of 2328	912	dllnh.exe	explorer.exe
PID 912 wrote to memory of 2328	912	dllnh.exe	explorer.exe
PID 912 wrote to memory of 2336	912	dllnh.exe	dllnh.exe
PID 912 wrote to memory of 2336	912	dllnh.exe	dllnh.exe
PID 912 wrote to memory of 2336	912	dllnh.exe	dllnh.exe
PID 912 wrote to memory of 2336	912	dllnh.exe	dllnh.exe
PID 912 wrote to memory of 2336	912	dllnh.exe	dllnh.exe
PID 912 wrote to memory of 2336	912	dllnh.exe	dllnh.exe
PID 912 wrote to memory of 2336	912	dllnh.exe	dllnh.exe
PID 912 wrote to memory of 2336	912	dllnh.exe	dllnh.exe
PID 3140 wrote to memory of 2168	3140	explorer.exe	WScript.exe
PID 3140 wrote to memory of 2168	3140	explorer.exe	WScript.exe
PID 2336 wrote to memory of 4664	2336	dllnh.exe	explorer.exe
PID 2336 wrote to memory of 4664	2336	dllnh.exe	explorer.exe
PID 2336 wrote to memory of 4664	2336	dllnh.exe	explorer.exe
PID 2336 wrote to memory of 4200	2336	dllnh.exe	dllnh.exe
PID 2336 wrote to memory of 4200	2336	dllnh.exe	dllnh.exe
PID 2336 wrote to memory of 4200	2336	dllnh.exe	dllnh.exe
PID 2336 wrote to memory of 4200	2336	dllnh.exe	dllnh.exe
PID 2336 wrote to memory of 4200	2336	dllnh.exe	dllnh.exe
PID 2336 wrote to memory of 4200	2336	dllnh.exe	dllnh.exe
PID 2336 wrote to memory of 4200	2336	dllnh.exe	dllnh.exe
PID 2336 wrote to memory of 4200	2336	dllnh.exe	dllnh.exe
PID 4212 wrote to memory of 912	4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 4212 wrote to memory of 912	4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 4212 wrote to memory of 912	4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 4212 wrote to memory of 912	4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 4212 wrote to memory of 912	4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 3024 wrote to memory of 3732	3024	explorer.exe	WScript.exe
PID 3024 wrote to memory of 3732	3024	explorer.exe	WScript.exe
PID 4212 wrote to memory of 1752	4212	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
"C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\vbUyS.vbs
2⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
"C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe"
2⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
"C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\uDjYdlSZP.vbs
3⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
"C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe"
3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4212

C:\ProgramData\282268\dllnh.exe
"C:\ProgramData\282268\dllnh.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\vbUyS.vbs
5⤵
PID:2328

C:\ProgramData\282268\dllnh.exe
"C:\ProgramData\282268\dllnh.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\uDjYdlSZP.vbs
6⤵
PID:4664

C:\ProgramData\282268\dllnh.exe
"C:\ProgramData\282268\dllnh.exe"
6⤵
- Executes dropped EXE
PID:4200

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:260

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vbUyS.vbs"
2⤵
- Adds Run key to start application
PID:2324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\uDjYdlSZP.vbs"
2⤵
- Adds Run key to start application
PID:1908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vbUyS.vbs"
2⤵
- Adds Run key to start application
PID:2168

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\uDjYdlSZP.vbs"
2⤵
- Adds Run key to start application
PID:3732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\282268\dllnh.exe
Filesize
285KB

MD5
6aeb6f5ba1e1ac048b9e077e126c3dba

SHA1
a8334a547ac9e32771fe518c9b98167dfd459f66

SHA256
bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

SHA512
31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6

Download Submit
C:\ProgramData\282268\dllnh.exe
Filesize
285KB

MD5
6aeb6f5ba1e1ac048b9e077e126c3dba

SHA1
a8334a547ac9e32771fe518c9b98167dfd459f66

SHA256
bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

SHA512
31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6

Download Submit
C:\ProgramData\282268\dllnh.exe
Filesize
285KB

MD5
6aeb6f5ba1e1ac048b9e077e126c3dba

SHA1
a8334a547ac9e32771fe518c9b98167dfd459f66

SHA256
bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

SHA512
31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6

Download Submit
C:\ProgramData\282268\dllnh.exe
Filesize
285KB

MD5
6aeb6f5ba1e1ac048b9e077e126c3dba

SHA1
a8334a547ac9e32771fe518c9b98167dfd459f66

SHA256
bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

SHA512
31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Utilizer.exe
Filesize
285KB

MD5
6aeb6f5ba1e1ac048b9e077e126c3dba

SHA1
a8334a547ac9e32771fe518c9b98167dfd459f66

SHA256
bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

SHA512
31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6

Download Submit
C:\Users\Admin\AppData\Roaming\uDjYdlSZP.vbs
Filesize
601B

MD5
b148ec19b8c17a86efc29fda32838475

SHA1
d7996849af0d5f644f97d30e88143757b5c01a1a

SHA256
7bfb713dad544c1947719e22f9baf7e499af336125d39f94c8c57bc49daf6fad

SHA512
ff6eab3155e5323c0e56286dca7545bf8f79d8c839ded3a67730e8b74bbd1b5e6728bb4cdd8cd3ef2aa9138a127cfea16df0df492cd18e456af03735e3ace1db

Download Submit
C:\Users\Admin\AppData\Roaming\uDjYdlSZP.vbs
Filesize
530B

MD5
7326b09383fae634cd23d3b357978b72

SHA1
02cc7623b8c074486c7c501748a7015aeb7a188a

SHA256
d29515b8dfbd7070206327761bcb34ec868e9a38c44a9ed79544a0bc64da97cc

SHA512
98fd6b6920e5532e27e88f6683a365821134ae42dbd5635520e1d961ce8aa3d89eb0f38467a605186296f5314c16cb69da9ae9ab13d80db4e4a00dac1674407c

Download Submit
C:\Users\Admin\AppData\Roaming\vbUyS.vbs
Filesize
530B

MD5
7326b09383fae634cd23d3b357978b72

SHA1
02cc7623b8c074486c7c501748a7015aeb7a188a

SHA256
d29515b8dfbd7070206327761bcb34ec868e9a38c44a9ed79544a0bc64da97cc

SHA512
98fd6b6920e5532e27e88f6683a365821134ae42dbd5635520e1d961ce8aa3d89eb0f38467a605186296f5314c16cb69da9ae9ab13d80db4e4a00dac1674407c

Download Submit
C:\Users\Admin\AppData\Roaming\vbUyS.vbs
Filesize
601B

MD5
b148ec19b8c17a86efc29fda32838475

SHA1
d7996849af0d5f644f97d30e88143757b5c01a1a

SHA256
7bfb713dad544c1947719e22f9baf7e499af336125d39f94c8c57bc49daf6fad

SHA512
ff6eab3155e5323c0e56286dca7545bf8f79d8c839ded3a67730e8b74bbd1b5e6728bb4cdd8cd3ef2aa9138a127cfea16df0df492cd18e456af03735e3ace1db

Download Submit
memory/912-152-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/912-154-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/912-149-0x0000000000000000-mapping.dmp

Download
memory/1448-132-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/1448-133-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/1752-170-0x0000000005660000-0x0000000005677000-memory.dmp

Filesize
92KB

Download
memory/1752-137-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1752-171-0x0000000005660000-0x0000000005677000-memory.dmp

Filesize
92KB

Download
memory/1752-172-0x0000000005660000-0x0000000005677000-memory.dmp

Filesize
92KB

Download
memory/1752-141-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/1752-136-0x0000000000000000-mapping.dmp

Download
memory/1752-139-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/1908-146-0x0000000000000000-mapping.dmp

Download
memory/2168-160-0x0000000000000000-mapping.dmp

Download
memory/2324-140-0x0000000000000000-mapping.dmp

Download
memory/2328-155-0x0000000000000000-mapping.dmp

Download
memory/2336-156-0x0000000000000000-mapping.dmp

Download
memory/2336-174-0x0000000006140000-0x0000000006157000-memory.dmp

Filesize
92KB

Download
memory/2336-175-0x0000000006140000-0x0000000006157000-memory.dmp

Filesize
92KB

Download
memory/2336-161-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/2336-162-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/2336-173-0x0000000006140000-0x0000000006157000-memory.dmp

Filesize
92KB

Download
memory/3196-142-0x0000000000000000-mapping.dmp

Download
memory/3352-135-0x0000000000000000-mapping.dmp

Download
memory/3732-169-0x0000000000000000-mapping.dmp

Download
memory/3796-134-0x0000000000000000-mapping.dmp

Download
memory/4200-164-0x0000000000000000-mapping.dmp

Download
memory/4200-167-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4212-153-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4212-148-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4212-144-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4212-143-0x0000000000000000-mapping.dmp

Download
memory/4664-163-0x0000000000000000-mapping.dmp

Download