8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca

Analysis

max time kernel
152s
max time network
196s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 12:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe
Size

133KB
MD5

fbf5cb4b73ce813eb85a6ab501a84f6c
SHA1

1a9983754716d96e827377ccac96f5ec7e16f42f
SHA256

8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca
SHA512

ed825c4ddf0509a1fdaed7c2a2a23878ac95f26c3cf1a1295e782b51812bffcc054ceef084b0637bb090737e50e359c42ebd9c60cfc9958d13fc59232052eb9f
SSDEEP

1536:609kselPdFsYl5GDe3GeuKEZzwd1joWRv02rd9cqCmh6DY5atOXPQ6DYu8O/7f:60L65GaSu5oWRv0SJVPDkO/D

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1392	dhftvx.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 7 IoCs

pid	Process
2008	Rundll32.exe
2008	Rundll32.exe
2008	Rundll32.exe
2008	Rundll32.exe
2036	8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe
2036	8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe
1392	dhftvx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	dhftvx.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\boserx.dll	8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe
File created	C:\Windows\SysWOW64\dhftvx.exe	8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\AAV\CDriver.sys	Rundll32.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1516	sc.exe
2016	sc.exe
316	sc.exe
1320	sc.exe
524	sc.exe
568	sc.exe
628	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2008	Rundll32.exe
2008	Rundll32.exe
2008	Rundll32.exe
2008	Rundll32.exe
2008	Rundll32.exe
2008	Rundll32.exe
2008	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2036	8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2008	2036	8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe	28
PID 2036 wrote to memory of 2008	2036	8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe	28
PID 2036 wrote to memory of 2008	2036	8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe	28
PID 2036 wrote to memory of 2008	2036	8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe	28
PID 2036 wrote to memory of 2008	2036	8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe	28
PID 2036 wrote to memory of 2008	2036	8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe	28
PID 2036 wrote to memory of 2008	2036	8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe	28
PID 2008 wrote to memory of 900	2008	Rundll32.exe	29
PID 2008 wrote to memory of 900	2008	Rundll32.exe	29
PID 2008 wrote to memory of 900	2008	Rundll32.exe	29
PID 2008 wrote to memory of 900	2008	Rundll32.exe	29
PID 2008 wrote to memory of 1788	2008	Rundll32.exe	30
PID 2008 wrote to memory of 1788	2008	Rundll32.exe	30
PID 2008 wrote to memory of 1788	2008	Rundll32.exe	30
PID 2008 wrote to memory of 1788	2008	Rundll32.exe	30
PID 2008 wrote to memory of 524	2008	Rundll32.exe	33
PID 2008 wrote to memory of 524	2008	Rundll32.exe	33
PID 2008 wrote to memory of 524	2008	Rundll32.exe	33
PID 2008 wrote to memory of 524	2008	Rundll32.exe	33
PID 2008 wrote to memory of 568	2008	Rundll32.exe	34
PID 2008 wrote to memory of 568	2008	Rundll32.exe	34
PID 2008 wrote to memory of 568	2008	Rundll32.exe	34
PID 2008 wrote to memory of 568	2008	Rundll32.exe	34
PID 1788 wrote to memory of 1944	1788	net.exe	38
PID 1788 wrote to memory of 1944	1788	net.exe	38
PID 1788 wrote to memory of 1944	1788	net.exe	38
PID 1788 wrote to memory of 1944	1788	net.exe	38
PID 900 wrote to memory of 1424	900	net.exe	37
PID 900 wrote to memory of 1424	900	net.exe	37
PID 900 wrote to memory of 1424	900	net.exe	37
PID 900 wrote to memory of 1424	900	net.exe	37
PID 2008 wrote to memory of 628	2008	Rundll32.exe	39
PID 2008 wrote to memory of 628	2008	Rundll32.exe	39
PID 2008 wrote to memory of 628	2008	Rundll32.exe	39
PID 2008 wrote to memory of 628	2008	Rundll32.exe	39
PID 2008 wrote to memory of 1516	2008	Rundll32.exe	40
PID 2008 wrote to memory of 1516	2008	Rundll32.exe	40
PID 2008 wrote to memory of 1516	2008	Rundll32.exe	40
PID 2008 wrote to memory of 1516	2008	Rundll32.exe	40
PID 2008 wrote to memory of 2016	2008	Rundll32.exe	41
PID 2008 wrote to memory of 2016	2008	Rundll32.exe	41
PID 2008 wrote to memory of 2016	2008	Rundll32.exe	41
PID 2008 wrote to memory of 2016	2008	Rundll32.exe	41
PID 2008 wrote to memory of 316	2008	Rundll32.exe	43
PID 2008 wrote to memory of 316	2008	Rundll32.exe	43
PID 2008 wrote to memory of 316	2008	Rundll32.exe	43
PID 2008 wrote to memory of 316	2008	Rundll32.exe	43
PID 2008 wrote to memory of 2036	2008	Rundll32.exe	27
PID 2008 wrote to memory of 2036	2008	Rundll32.exe	27
PID 2008 wrote to memory of 900	2008	Rundll32.exe	29
PID 2008 wrote to memory of 900	2008	Rundll32.exe	29
PID 2008 wrote to memory of 1788	2008	Rundll32.exe	30
PID 2008 wrote to memory of 1788	2008	Rundll32.exe	30
PID 2008 wrote to memory of 524	2008	Rundll32.exe	33
PID 2008 wrote to memory of 524	2008	Rundll32.exe	33
PID 2008 wrote to memory of 568	2008	Rundll32.exe	34
PID 2008 wrote to memory of 568	2008	Rundll32.exe	34
PID 2008 wrote to memory of 1944	2008	Rundll32.exe	38
PID 2008 wrote to memory of 1944	2008	Rundll32.exe	38
PID 2008 wrote to memory of 1424	2008	Rundll32.exe	37
PID 2008 wrote to memory of 1424	2008	Rundll32.exe	37
PID 2008 wrote to memory of 628	2008	Rundll32.exe	39
PID 2008 wrote to memory of 628	2008	Rundll32.exe	39
PID 2008 wrote to memory of 1516	2008	Rundll32.exe	40

C:\Users\Admin\AppData\Local\Temp\8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe
"C:\Users\Admin\AppData\Local\Temp\8f2b449f573a92140a2c47097b7a3d74b75f7101daf36c538ed2ae2e766451ca.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 C:\Windows\system32\boserx.dll Exbcute
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:1424
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:1944
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:524
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:568
- - C:\Windows\SysWOW64\sc.exe
    sc stop ZhuDongFangYu
    3⤵
    - Launches sc.exe
    PID:628
- - C:\Windows\SysWOW64\sc.exe
    sc delete ZhuDongFangYu
    3⤵
    - Launches sc.exe
    PID:1516
- - C:\Windows\SysWOW64\sc.exe
    sc stop 360rp
    3⤵
    - Launches sc.exe
    PID:2016
- - C:\Windows\SysWOW64\sc.exe
    sc delete 360rp
    3⤵
    - Launches sc.exe
    PID:316
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop PolicyAgent
    3⤵
    - Launches sc.exe
    PID:1320
- C:\Windows\SysWOW64\dhftvx.exe
  C:\Windows\system32\dhftvx.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\boserx.dll

Filesize
75KB

MD5
880f130092d44064030eda33bf693a1b

SHA1
f5a1db60845502afb099721236d4f34f323472d8

SHA256
9f088fef88a8b49d5f8d264b05c9440536fbcfdbd0f9cdaf29137f226bb2e9c6

SHA512
d35d510d2e99602e23a0f6e7246dfd578a3b01773499fd8c4386c1d23e7d7fbf0fb4e2494d67ba5ef31950c90227b06b953d09e3ad5f5c9f50ce6042f24b2c74

Download Submit
C:\Windows\SysWOW64\dhftvx.exe

Filesize
15KB

MD5
ecaa6afefb9034c3184397845755c620

SHA1
8e9e502ad06ac13f25f0370fecb591bcdb88dd5d

SHA256
12908176561536320ce309870bc15206dbadd84c602164e6b76bb75f4748f1c3

SHA512
0d16413c2db64678453f0b83ce7e8ada58f4b629575afc19c820b8e237fbe2b35abea852c3f56b1158f30fa718b92c12b9078f9e43abba3bb673b8b013a117ed

Download Submit
\Users\Admin\AppData\Local\Temp\6EDA.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit
\Windows\SysWOW64\boserx.dll

Filesize
75KB

MD5
880f130092d44064030eda33bf693a1b

SHA1
f5a1db60845502afb099721236d4f34f323472d8

SHA256
9f088fef88a8b49d5f8d264b05c9440536fbcfdbd0f9cdaf29137f226bb2e9c6

SHA512
d35d510d2e99602e23a0f6e7246dfd578a3b01773499fd8c4386c1d23e7d7fbf0fb4e2494d67ba5ef31950c90227b06b953d09e3ad5f5c9f50ce6042f24b2c74

Download Submit
\Windows\SysWOW64\boserx.dll

Filesize
75KB

MD5
880f130092d44064030eda33bf693a1b

SHA1
f5a1db60845502afb099721236d4f34f323472d8

SHA256
9f088fef88a8b49d5f8d264b05c9440536fbcfdbd0f9cdaf29137f226bb2e9c6

SHA512
d35d510d2e99602e23a0f6e7246dfd578a3b01773499fd8c4386c1d23e7d7fbf0fb4e2494d67ba5ef31950c90227b06b953d09e3ad5f5c9f50ce6042f24b2c74

Download Submit
\Windows\SysWOW64\boserx.dll

Filesize
75KB

MD5
880f130092d44064030eda33bf693a1b

SHA1
f5a1db60845502afb099721236d4f34f323472d8

SHA256
9f088fef88a8b49d5f8d264b05c9440536fbcfdbd0f9cdaf29137f226bb2e9c6

SHA512
d35d510d2e99602e23a0f6e7246dfd578a3b01773499fd8c4386c1d23e7d7fbf0fb4e2494d67ba5ef31950c90227b06b953d09e3ad5f5c9f50ce6042f24b2c74

Download Submit
\Windows\SysWOW64\boserx.dll

Filesize
75KB

MD5
880f130092d44064030eda33bf693a1b

SHA1
f5a1db60845502afb099721236d4f34f323472d8

SHA256
9f088fef88a8b49d5f8d264b05c9440536fbcfdbd0f9cdaf29137f226bb2e9c6

SHA512
d35d510d2e99602e23a0f6e7246dfd578a3b01773499fd8c4386c1d23e7d7fbf0fb4e2494d67ba5ef31950c90227b06b953d09e3ad5f5c9f50ce6042f24b2c74

Download Submit
\Windows\SysWOW64\dhftvx.exe

Filesize
15KB

MD5
ecaa6afefb9034c3184397845755c620

SHA1
8e9e502ad06ac13f25f0370fecb591bcdb88dd5d

SHA256
12908176561536320ce309870bc15206dbadd84c602164e6b76bb75f4748f1c3

SHA512
0d16413c2db64678453f0b83ce7e8ada58f4b629575afc19c820b8e237fbe2b35abea852c3f56b1158f30fa718b92c12b9078f9e43abba3bb673b8b013a117ed

Download Submit
\Windows\SysWOW64\dhftvx.exe

Filesize
15KB

MD5
ecaa6afefb9034c3184397845755c620

SHA1
8e9e502ad06ac13f25f0370fecb591bcdb88dd5d

SHA256
12908176561536320ce309870bc15206dbadd84c602164e6b76bb75f4748f1c3

SHA512
0d16413c2db64678453f0b83ce7e8ada58f4b629575afc19c820b8e237fbe2b35abea852c3f56b1158f30fa718b92c12b9078f9e43abba3bb673b8b013a117ed

Download Submit
memory/2008-55-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download