Analysis
- max time kernel: 112s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 18:19
Static task: static1
Behavioral task: behavioral1
- Sample: 4a7dc47d4721fc508ff02f7301dc91f0f9847297785702253059d20c92a47634.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 4a7dc47d4721fc508ff02f7301dc91f0f9847297785702253059d20c92a47634.exe
- Resource: win10v2004-20220901-en
General
- Target: 4a7dc47d4721fc508ff02f7301dc91f0f9847297785702253059d20c92a47634.exe
- Size: 2.0MB
- MD5: 6f8572e5cca28c7103d72cea751d10bf
- SHA1: eeaab748db9bdca67ae4d279012c3f003cc8a3bb
- SHA256: 4a7dc47d4721fc508ff02f7301dc91f0f9847297785702253059d20c92a47634
- SHA512: bfa5d01aaacba0f20b19c54705cef543fdbceb588fc86a4a1ad5ba7be71dc1a043ab6e6cb4b7faea25c3aa3e6499717e5f306d2ac0a7240d65a8e149cdb77abe
- SSDEEP: 49152:sMMMMMMMMMMMMMMMMMMMMMMMM9MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMs:sMMMMMMMMMMMMMMMMMMMMMMMM9MMMMMs
Signatures

Executes dropped EXE (1 IoC)
  Processes:
    pid 4768  bnfgsvjruhna.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  by 4a7dc47d4721fc508ff02f7301dc91f0f9847297785702253059d20c92a47634.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  The RunOnce value points at a .vbs script in the same user-profile directory the dropped EXE runs from, so persistence is a script under C:\Users rather than the executable itself.
  Processes:
    Key created      \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  by bnfgsvjruhna.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\53392G~1 = "C:\\Users\\Admin\\53392G~1\\fhutj.vbs"  by bnfgsvjruhna.exe

Checks whether UAC is enabled (1 IoC)
  Processes:
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  by bnfgsvjruhna.exe

Suspicious use of SetThreadContext (1 IoC)
  Combined with the WriteProcessMemory events below, this is the pattern of a freshly created RegSvcs.exe being overwritten and its thread context redirected (process hollowing).
  Processes:
    PID 4768 (bnfgsvjruhna.exe) set thread context of PID 4528 (RegSvcs.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; on its own it is a weak signal.

Program crash (1 IoC)
  Processes:
    pid 3292  WerFault.exe  target pid 4528  RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid 4768  bnfgsvjruhna.exe  (4 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  pid 4768  bnfgsvjruhna.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    PID 1616 (4a7dc47d4721fc508ff02f7301dc91f0f9847297785702253059d20c92a47634.exe) wrote to memory of PID 4768 (bnfgsvjruhna.exe)  (3 events)
    PID 4768 (bnfgsvjruhna.exe) wrote to memory of PID 4528 (RegSvcs.exe)  (4 events)
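Two of the signatures above are host-side detectable without the sandbox: a Run/RunOnce value pointing at a script under a user-writable directory, and a .NET utility host (RegSvcs.exe) spawned with no arguments by a parent living under C:\Users. The script below is an added example, not code from the sandbox or from the sample, that runs those two rules over constructed Sysmon-style events and then correlates hits by the acting PID. The event shape (field names such as `registry_set`, `parent_image`) is an assumption chosen for this example; the three malicious events mirror the report and the two benign ones are controls that must not match.

```python
"""Detection rules for the RunOnce-script persistence and the argument-less
RegSvcs.exe host seen in the report, run over constructed Sysmon-style events.
Added example; not code from the sandbox or from the analysed sample."""
import re
from typing import Dict, List, Set

Event = Dict[str, object]

# Constructed events (assumption: simplified Sysmon-like field names).  The
# first three mirror the report; the last two are benign controls.
SAMPLE_EVENTS: List[Event] = [
    {"event": "process_create", "pid": 4768, "ppid": 1616,
     "image": r"C:\Users\Admin\53392gx2394\bnfgsvjruhna.exe",
     "command_line": r'"C:\Users\Admin\53392gx2394\bnfgsvjruhna.exe" aojtuujbjkr',
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\4a7dc47d4721fc508ff02f7301dc91f0f9847297785702253059d20c92a47634.exe"},
    {"event": "registry_set", "pid": 4768,
     "target": r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\53392G~1",
     "data": r"C:\Users\Admin\53392G~1\fhutj.vbs"},
    {"event": "process_create", "pid": 4528, "ppid": 4768,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"',
     "parent_image": r"C:\Users\Admin\53392gx2394\bnfgsvjruhna.exe"},
    # Benign control: a Run value pointing at a signed program under Program Files.
    {"event": "registry_set", "pid": 900,
     "target": r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    # Benign control: RegSvcs.exe used legitimately by an installer, with an argument.
    {"event": "process_create", "pid": 901, "ppid": 700,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" C:\Program Files\Vendor\Comp.dll',
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
]

# Run and RunOnce under HKCU or HKLM (the registry path form used by the report).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Script-host extensions at the end of the value data (optionally quoted).
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh|hta|bat|cmd|ps1)(\"|\s|$)", re.IGNORECASE)
# Directories a standard user can write to.
USER_WRITABLE = re.compile(r"^[a-z]:\\(Users|ProgramData)\\", re.IGNORECASE)
# .NET utility hosts commonly used as hollowing targets (assumption: a starter list).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _no_arguments(command_line: str, image: str) -> bool:
    """True when the command line is just the (possibly quoted) image path."""
    return command_line.strip().strip('"').lower() == image.lower()


def detect(events: List[Event]) -> List[Dict[str, object]]:
    """Apply both rules; each hit records the PID that performed the action."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        if ev["event"] == "registry_set":
            target, data = str(ev["target"]), str(ev["data"])
            if RUN_KEY.search(target) and SCRIPT_EXT.search(data) and USER_WRITABLE.match(data):
                hits.append({"rule": "runkey_script_persistence",
                             "actor_pid": ev["pid"], "detail": data})
        elif ev["event"] == "process_create":
            image, parent = str(ev["image"]), str(ev["parent_image"])
            cmd = str(ev["command_line"])
            if (_basename(image) in DOTNET_HOSTS and USER_WRITABLE.match(parent)
                    and _no_arguments(cmd, image)):
                hits.append({"rule": "dotnet_host_no_args_from_user_dir",
                             "actor_pid": ev["ppid"],
                             "detail": f"{parent} -> {image} (pid {ev['pid']})"})
    return hits


def chained_actors(hits: List[Dict[str, object]]) -> Set[int]:
    """PIDs that triggered more than one distinct rule: the hollowing parent
    in the report both writes persistence and spawns the RegSvcs.exe host."""
    rules_by_actor: Dict[int, Set[str]] = {}
    for h in hits:
        rules_by_actor.setdefault(int(h["actor_pid"]), set()).add(str(h["rule"]))
    return {pid for pid, rules in rules_by_actor.items() if len(rules) >= 2}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"[{h['rule']}] actor pid {h['actor_pid']}: {h['detail']}")
    print("chained actors:", sorted(chained_actors(found)))
```

The second rule deliberately keys on the empty command line rather than on RegSvcs.exe alone: installers do run it legitimately, but they pass an assembly path, whereas a hollowed host is launched bare because the loader's own code is written into it afterwards.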
Processes
(PIDs taken from the signature section above; depth shows parent/child.)

1. C:\Users\Admin\AppData\Local\Temp\4a7dc47d4721fc508ff02f7301dc91f0f9847297785702253059d20c92a47634.exe  (PID 1616)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a7dc47d4721fc508ff02f7301dc91f0f9847297785702253059d20c92a47634.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\53392gx2394\bnfgsvjruhna.exe  (PID 4768)
      Command line: "C:\Users\Admin\53392gx2394\bnfgsvjruhna.exe" aojtuujbjkr
      (the single argument is the name of the 219.0MB file dropped in the same directory; see Downloads)
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (PID 4528)
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
         4. C:\Windows\SysWOW64\WerFault.exe  (PID 3292)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 80
            - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4528 -ip 4528
Downloads (dropped files)

- C:\Users\Admin\53392G~1\TSBICC~1.HVO
  Filesize: 1.1MB
  MD5: 6f6dad92921dd28a40db79aad669f5ae
  SHA1: 8b77aa41642166e736a17d70621211b13596804d
  SHA256: 527b739c95b7640171e8585cf64372febbc60e9477977582dc63661f939dba80
  SHA512: 9dd8e9dd0d076094b7b4897c6fa1ebf0bef378187d07e0bd03a955d92e4bfde9bc7d5f73a236c006e2aa4a5674f779530bd0627f161aad63fbdd15d5866fd139

- C:\Users\Admin\53392G~1\iwth.VFA
  Filesize: 60B
  MD5: 5eaf31efa4f8055a1f92f3105e83243e
  SHA1: 766d696f41d041a552909f79c1f6b357d9c84e15
  SHA256: a4f07855007136f9c981e86afd5413b4a3cb267c84939dd074cf43289bc79eda
  SHA512: 0fa9517172e88a0df97765165ff298d885a2d26af977ca9cc48a53327f71ea40d7548b689b81d9c18e845fe5b9507b7ec060d2eaf3688fa422bcaa0fd72e11be

- C:\Users\Admin\53392gx2394\aojtuujbjkr
  Filesize: 219.0MB
  MD5: 82882c281b903e065e155c9b179d214c
  SHA1: d8a452c48c995907ab0c1742cf166a06de31c6a6
  SHA256: e33067c503f6f1d6c683774cd5957854c418156cb6014167111a62cd8f703480
  SHA512: 03d12b48b0a15f195df94d294c2b1fcb9d0001b764c1025b6e7433528ca31b447ccbd51a82fe12461c1213e33cfaf3e9ddfd6e140a0b56e3dc1dab1210b505e9

- C:\Users\Admin\53392gx2394\bnfgsvjruhna.exe
  Filesize: 732KB
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
Memory dumps
- memory/4528-138-0x0000000000000000-mapping.dmp  (RegSvcs.exe, PID 4528)
- memory/4768-132-0x0000000000000000-mapping.dmp  (bnfgsvjruhna.exe, PID 4768)