98739ea92641fcd8e2852f475b8d6b196895c6965cb49dec67fb982587484863

Analysis

max time kernel
181s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98739ea92641fcd8e2852f475b8d6b196895c6965cb49dec67fb982587484863.exe
Size

334KB
MD5

c623e315c5907914859b122a55fc4f0f
SHA1

87fc59ac73d81034bfb4f713ab5a8fc7a0539268
SHA256

98739ea92641fcd8e2852f475b8d6b196895c6965cb49dec67fb982587484863
SHA512

4fde714d6039cd99cd076356d7eb6cd0ff40c4d0dd2c76f0a39d3a8a749e1e14295885a6d0a78927b2a2549f8f1ec51dc3ad40d0f733051b0aab44399f5bb60e
SSDEEP

6144:36YajbofxCvuLUhk7hju7ZH5BayvRNjD0RJR1FNGoLUu00/aczIajg0knagoBw:xWMhM95BXvjQRJxNG6+0CkjLgww

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2736	rinst.exe
1700	Uniq Bot v.1881.exe
2852	bpk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	98739ea92641fcd8e2852f475b8d6b196895c6965cb49dec67fb982587484863.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	rinst.exe

Loads dropped DLL 3 IoCs

pid	Process
2852	bpk.exe
1700	Uniq Bot v.1881.exe
2708	98739ea92641fcd8e2852f475b8d6b196895c6965cb49dec67fb982587484863.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	bpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\Windows\\SysWOW64\\bpk.exe"	bpk.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bpkhk.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	bpk.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\bpk.exe	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2736	rinst.exe
2736	rinst.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2852	bpk.exe
2852	bpk.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1700	Uniq Bot v.1881.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe
2852	bpk.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2736	2708	98739ea92641fcd8e2852f475b8d6b196895c6965cb49dec67fb982587484863.exe	83
PID 2708 wrote to memory of 2736	2708	98739ea92641fcd8e2852f475b8d6b196895c6965cb49dec67fb982587484863.exe	83
PID 2708 wrote to memory of 2736	2708	98739ea92641fcd8e2852f475b8d6b196895c6965cb49dec67fb982587484863.exe	83
PID 2736 wrote to memory of 1700	2736	rinst.exe	84
PID 2736 wrote to memory of 1700	2736	rinst.exe	84
PID 2736 wrote to memory of 1700	2736	rinst.exe	84
PID 2736 wrote to memory of 2852	2736	rinst.exe	85
PID 2736 wrote to memory of 2852	2736	rinst.exe	85
PID 2736 wrote to memory of 2852	2736	rinst.exe	85

C:\Users\Admin\AppData\Local\Temp\98739ea92641fcd8e2852f475b8d6b196895c6965cb49dec67fb982587484863.exe
"C:\Users\Admin\AppData\Local\Temp\98739ea92641fcd8e2852f475b8d6b196895c6965cb49dec67fb982587484863.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Uniq Bot v.1881.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Uniq Bot v.1881.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1700
- - C:\Windows\SysWOW64\bpk.exe
    C:\Windows\system32\bpk.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Uniq Bot v.1881.exe

Filesize
308KB

MD5
746d3967d7a224313daf87fdf195fb30

SHA1
968e8f95840427849e9172a50eb7324d60f2eb01

SHA256
aca4224dbcc2d79a8cb6bb83d8e10ab85bbba9ad661100ca55dc699c472a0191

SHA512
43950eb721c1d02247ef98cc2aea2f28b4bc179f35c9f6681da426c7caf1fc5226e1ad6949b6130100410390308e567d9ddfcf79694f651025d014aa7d4ed173

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Uniq Bot v.1881.exe

Filesize
308KB

MD5
746d3967d7a224313daf87fdf195fb30

SHA1
968e8f95840427849e9172a50eb7324d60f2eb01

SHA256
aca4224dbcc2d79a8cb6bb83d8e10ab85bbba9ad661100ca55dc699c472a0191

SHA512
43950eb721c1d02247ef98cc2aea2f28b4bc179f35c9f6681da426c7caf1fc5226e1ad6949b6130100410390308e567d9ddfcf79694f651025d014aa7d4ed173

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpk.exe

Filesize
408KB

MD5
5ca652cf9dd0149c774948228f8aefd1

SHA1
86ba117b337495cbb2ab1821262d996af4d02de8

SHA256
14ffd7caaad32dc5817ecc47efd9044021804ff45d45e7f7b20f35278f453b5f

SHA512
e792843e268e215daa050dda0fdd3f7406bdb0ee632b864059cf92dcc068bdd90c4466e57707968d62d9405cbcf4064ad4f8540bdbff0edaa1e6f6960f0794b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkhk.dll

Filesize
21KB

MD5
86fa5da207c167119faf823e9ba3ce70

SHA1
204b209426bd674e55ef31112c8f796abe5f8be5

SHA256
7f3496f6a694fe04f258552aa9e497139adf8f1104e49a7c6dd538e004a08311

SHA512
35e85719eb4f997a29120ce1c3d31c690f18b5edb165f71ca75c47517155ecf6e039551eb4efc4f8308804b227bedffb86e65ed4506728aed039895c92b7ad38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
1KB

MD5
c148f440aa001ca2ef1a7efbd6ab57fb

SHA1
b7b886b746f5c1d787474d8cec63d626aa0ad5f2

SHA256
7aa8628ffdda35cd714070d0bd9da874aa1873c52c1123a049d6ec78e83a1d9e

SHA512
863cf97b8bb1612eea4022fb099d792bf2eeae607095cf3732a05b3b583e96c11f874df410cf22fe304816ace10d61cbe44f1ccf9ac7dd88fb64121168767f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
7KB

MD5
adec109bbc4262e89b383753cde9e8ce

SHA1
6276f3140246afcaa3633737e220ece5a912936c

SHA256
dcfba0ddb9289304f29db16eaec5b940dc54bdef1a1aa0b44a85380fa87558c3

SHA512
51d1a9eb239eb9acf0cc2f5f079d19c3bc5d9ed3a3bb7cabe547e7987ca5ce47190b55ae441a9143d5b79898d995ee207f659dcefa47600c1a0eba2bc15d3619

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
C:\Windows\SysWOW64\bpk.exe

Filesize
408KB

MD5
a635bc1492e4c39ef47ed617d3dfe491

SHA1
353ae5d543aee4bd2084798308a82361336b34fb

SHA256
cd06f57e2e2956c634f851eb92666e9e24557fffbfcd098686e3d7fe03d8ffed

SHA512
e152eaaebc4a6a48d32ed2382e048f171d35200d1654cfb241f57612b655e921b8645e700f011d3638fda4bbc7f50e90ebdc24398664a9e553540b15a006b226

Download Submit
C:\Windows\SysWOW64\bpk.exe

Filesize
408KB

MD5
a635bc1492e4c39ef47ed617d3dfe491

SHA1
353ae5d543aee4bd2084798308a82361336b34fb

SHA256
cd06f57e2e2956c634f851eb92666e9e24557fffbfcd098686e3d7fe03d8ffed

SHA512
e152eaaebc4a6a48d32ed2382e048f171d35200d1654cfb241f57612b655e921b8645e700f011d3638fda4bbc7f50e90ebdc24398664a9e553540b15a006b226

Download Submit
C:\Windows\SysWOW64\bpkhk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\SysWOW64\bpkhk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\SysWOW64\bpkhk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\SysWOW64\bpkhk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\SysWOW64\inst.dat

Filesize
1KB

MD5
c148f440aa001ca2ef1a7efbd6ab57fb

SHA1
b7b886b746f5c1d787474d8cec63d626aa0ad5f2

SHA256
7aa8628ffdda35cd714070d0bd9da874aa1873c52c1123a049d6ec78e83a1d9e

SHA512
863cf97b8bb1612eea4022fb099d792bf2eeae607095cf3732a05b3b583e96c11f874df410cf22fe304816ace10d61cbe44f1ccf9ac7dd88fb64121168767f1d

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
7KB

MD5
4dfc5bee715edbb55e4700dd592472c1

SHA1
a095dff0a1442364f97b482bf7a7d0456de99bf8

SHA256
a978fa705d523a94091d3dff307e69b19fb1a5b8956838f7f9556fb4a5cfc1c5

SHA512
c0de7a3d6ad8bb298577e13494ca67d94feac815a887923be2cd60049a3956eb683c6222a28a86280921680ee9666db4d02919bf8df18baaf91fe4a232fbf0d3

Download Submit
C:\Windows\SysWOW64\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit