Analysis
max time kernel: 148s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 08:59
Static task: static1
Behavioral task: behavioral1
  Sample: 8285247cf6343e420162f48a986428c3e06aad70284b7497ebda168f1451b00d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8285247cf6343e420162f48a986428c3e06aad70284b7497ebda168f1451b00d.exe
  Resource: win10v2004-20220812-en
General
Target: 8285247cf6343e420162f48a986428c3e06aad70284b7497ebda168f1451b00d.exe
Size: 45KB
MD5: 07a412834d3c4b96ac079a4e2cf1c3a0
SHA1: 26a5398e2d42f9ab73667e38e78bbd6363709355
SHA256: 8285247cf6343e420162f48a986428c3e06aad70284b7497ebda168f1451b00d
SHA512: 00d2a067d1f88e8ac66bcb04ad1907fc47eaeb0c7d030b00a1beb6da83e4a1ae7dab8d8d83e3e501bfffb7a3585866f41b0b3293d369311533963c0fcb232bc6
SSDEEP: 768:DBlMRpTIOV2bvM901W/gj5PV0ygta1aRSgfYLT77PbVAzHDb+znLu/1H5Y:DBCRpcOV2bvTW/stgta1aRX0THsHDb/
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
  Process: 8285247cf6343e420162f48a986428c3e06aad70284b7497ebda168f1451b00d.exe
    Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
- Executes dropped EXE (1 IoC)
  Process: PID 2036 Bgmnejip.exe
- Drops file in System32 directory (3 IoCs)
  Process: 8285247cf6343e420162f48a986428c3e06aad70284b7497ebda168f1451b00d.exe
    File opened for modification: C:\Windows\SysWOW64\Bgmnejip.exe
    File created: C:\Windows\SysWOW64\Ohopijbb.dll
    File created: C:\Windows\SysWOW64\Bgmnejip.exe
- Modifies data under HKEY_USERS (2 IoCs)
  Process: Bgmnejip.exe
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
    Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess\BrowseNewProcess = "yes"
- Modifies registry class (6 IoCs)
  Process: 8285247cf6343e420162f48a986428c3e06aad70284b7497ebda168f1451b00d.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohopijbb.dll"
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: PID 2036 Bgmnejip.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: 8285247cf6343e420162f48a986428c3e06aad70284b7497ebda168f1451b00d.exe
    PID 4980 wrote to memory of 2036: 8285247cf6343e420162f48a986428c3e06aad70284b7497ebda168f1451b00d.exe -> Bgmnejip.exe
    PID 4980 wrote to memory of 2036: 8285247cf6343e420162f48a986428c3e06aad70284b7497ebda168f1451b00d.exe -> Bgmnejip.exe
    PID 4980 wrote to memory of 2036: 8285247cf6343e420162f48a986428c3e06aad70284b7497ebda168f1451b00d.exe -> Bgmnejip.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\8285247cf6343e420162f48a986428c3e06aad70284b7497ebda168f1451b00d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8285247cf6343e420162f48a986428c3e06aad70284b7497ebda168f1451b00d.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\Bgmnejip.exe (child of PID 4980)
     Command line: C:\Windows\system32\Bgmnejip.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\Bgmnejip.exe
  Filesize: 45KB
  MD5: 96cda83f692822bf6e9e631165632f89
  SHA1: 91863c52eb5e15e57540943b85394d47e22c6e8b
  SHA256: a849ed65c14bda2594244caaf20509d48b6ec85d40cf7076746aaf80c78ec57a
  SHA512: e043e14b814434f18bf3640c7e34d754be5e25ea294340247b2572f70648354c9e4c5d8995daa1c72e117cbca450cc118e3b8774834d88a8a78421ec32ee5e3a
- memory/2036-132-0x0000000000000000-mapping.dmp
- memory/2036-136-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/2036-137-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/4980-135-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB