c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a

General

Target

c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe
Size

328KB
MD5

209a3885efd60b7378a686ff096cd461
SHA1

f45779bb60eac9e67cdb093de100d281083c6c9a
SHA256

c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a
SHA512

c997d0e3584134ed329f86662b0fa3027d039147c5047d987325ffa7dfade5ec947004a23f2f26641e7066746106705afd480238357894a5c2765f725d30dbe3
SSDEEP

6144:HovyUVNL+2pBOEgR2pPhTGwW3VeYO78XfxswO58RiD0DQNf:KvlcEgSi3V1OY5sz5KiDl

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4600	1.exe
4276	BBVjmX.com

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000022df6-142.dat	upx
behavioral2/files/0x000a000000022df6-143.dat	upx
behavioral2/memory/4600-144-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4600-147-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0009000000022dfe-150.dat	upx
behavioral2/files/0x0009000000022dfe-151.dat	upx
behavioral2/memory/4276-154-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4600-155-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
4360	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PqSUZo = "\"C:\\Users\\Admin\\AppData\\Roaming\\BBVjmX.com\""	1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	BBVjmX.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rFPz3pF = "\"C:\\Users\\Admin\\AppData\\Roaming\\BBVjmX.com\""	BBVjmX.com
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	BBVjmX.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3wjsf = "\"C:\\Users\\Admin\\AppData\\Roaming\\BBVjmX.com\""	BBVjmX.com
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Qxj0Y = "\"C:\\Users\\Admin\\AppData\\Roaming\\BBVjmX.com\""	1.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	1.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\win.com	1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 4360	2484	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe	83

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4600	1.exe
4600	1.exe
4600	1.exe
4600	1.exe
4600	1.exe
4600	1.exe
4600	1.exe
4600	1.exe
4600	1.exe
4600	1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2484	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe
4360	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe
4600	1.exe
4276	BBVjmX.com

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 4360	2484	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe	83
PID 2484 wrote to memory of 4360	2484	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe	83
PID 2484 wrote to memory of 4360	2484	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe	83
PID 2484 wrote to memory of 4360	2484	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe	83
PID 2484 wrote to memory of 4360	2484	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe	83
PID 2484 wrote to memory of 4360	2484	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe	83
PID 2484 wrote to memory of 4360	2484	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe	83
PID 2484 wrote to memory of 4360	2484	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe	83
PID 4360 wrote to memory of 1936	4360	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe	85
PID 4360 wrote to memory of 1936	4360	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe	85
PID 4360 wrote to memory of 4600	4360	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe	88
PID 4360 wrote to memory of 4600	4360	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe	88
PID 4360 wrote to memory of 4600	4360	c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe	88
PID 4600 wrote to memory of 4276	4600	1.exe	90
PID 4600 wrote to memory of 4276	4600	1.exe	90
PID 4600 wrote to memory of 4276	4600	1.exe	90

C:\Users\Admin\AppData\Local\Temp\c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe
"C:\Users\Admin\AppData\Local\Temp\c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe
  "C:\Users\Admin\AppData\Local\Temp/c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\c152113c6d039981b0fb6b7931a90d9fa84ad297b54b2e555f20fbda797d561a.exe"
    3⤵
    PID:1936
- - C:\Users\Admin\AppData\Roaming\1.exe
    C:\Users\Admin\AppData\Roaming\1.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Users\Admin\AppData\Roaming\BBVjmX.com
      C:\Users\Admin\AppData\Roaming\BBVjmX.com
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:4276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1.exe

Filesize
150KB

MD5
381da92958c5399ecd7fe5506366260f

SHA1
8e9d72b1a47d279f0f5d2f519106b35635d171fd

SHA256
5dc75ca4ab449fe2fd2d1960f1bddea397715567b9c3cf0639bd238ee6ee8e54

SHA512
3a2876aaf8c5a76501400054d5ac88d39917164c6ae43dd2435f0da67fb20f2d05c0bc5e7ae3f9b799a660eae6d9c5fe3652bcc7a44cb122a656c764e77ba7a0

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe

Filesize
150KB

MD5
381da92958c5399ecd7fe5506366260f

SHA1
8e9d72b1a47d279f0f5d2f519106b35635d171fd

SHA256
5dc75ca4ab449fe2fd2d1960f1bddea397715567b9c3cf0639bd238ee6ee8e54

SHA512
3a2876aaf8c5a76501400054d5ac88d39917164c6ae43dd2435f0da67fb20f2d05c0bc5e7ae3f9b799a660eae6d9c5fe3652bcc7a44cb122a656c764e77ba7a0

Download Submit
C:\Users\Admin\AppData\Roaming\BBVjmX.com

Filesize
150KB

MD5
381da92958c5399ecd7fe5506366260f

SHA1
8e9d72b1a47d279f0f5d2f519106b35635d171fd

SHA256
5dc75ca4ab449fe2fd2d1960f1bddea397715567b9c3cf0639bd238ee6ee8e54

SHA512
3a2876aaf8c5a76501400054d5ac88d39917164c6ae43dd2435f0da67fb20f2d05c0bc5e7ae3f9b799a660eae6d9c5fe3652bcc7a44cb122a656c764e77ba7a0

Download Submit
C:\Users\Admin\AppData\Roaming\BBVjmX.com

Filesize
150KB

MD5
381da92958c5399ecd7fe5506366260f

SHA1
8e9d72b1a47d279f0f5d2f519106b35635d171fd

SHA256
5dc75ca4ab449fe2fd2d1960f1bddea397715567b9c3cf0639bd238ee6ee8e54

SHA512
3a2876aaf8c5a76501400054d5ac88d39917164c6ae43dd2435f0da67fb20f2d05c0bc5e7ae3f9b799a660eae6d9c5fe3652bcc7a44cb122a656c764e77ba7a0

Download Submit
C:\Users\Admin\AppData\Roaming\kernel33.dll

Filesize
625KB

MD5
358611b92e360a749054fdc7b6b076ea

SHA1
d6d2224161fee024ab3767a81ed57f7e57d0c1ce

SHA256
79782a87dfd093a0e4196d6f0aa4d46a55c0290f6145f5f8fa60e53c540f89b4

SHA512
0986c84ed52b42b3aeb96479032e188165d1fa1d5c7018e240b444e03eb6317365ea51fc0233263f7e97f099cd3ca3094ab0b177c0405816bc800b41f42523ad

Download Submit
memory/4276-154-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4360-135-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4360-148-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4360-139-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4600-144-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4600-147-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4600-155-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing