3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48

Analysis

max time kernel
5s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6919d85bb10aad2b3078283f8b9108f0.exe
Size

347KB
MD5

6919d85bb10aad2b3078283f8b9108f0
SHA1

3a11e7ff6bf51467f197dec068b6abeb2570eb68
SHA256

3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48
SHA512

8dedcd2a3a684fd5e1078d6b1404479267a0b5fa5a851c5a3de65a02ccdbeef2aa2587fc69172791e125a15be4c8383a622f50abc50a45488ef1aa0ef9bcbead
SSDEEP

3072:HEhKzShSycb2OYLwt1LX9kC+Nl6FJT/AaUkMqpN08UKgCj6KJ4w6QonNIZ3cyV/L:HBnAU1X9Tel6FV4aURqpq1CjA/NY3fL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1800	bfctcfvlam.exe
752	bfctcfvlam.exe

Loads dropped DLL 5 IoCs

pid	Process
1532	6919d85bb10aad2b3078283f8b9108f0.exe
1800	bfctcfvlam.exe
1116	WerFault.exe
1116	WerFault.exe
1116	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\byopasxjub = "C:\\Users\\Admin\\AppData\\Roaming\\gxnomttw\\clfngtotjcn.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\bfctcfvlam.exe\" C:\\Users\\Admin\\AppData\\"	bfctcfvlam.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 752	1800	bfctcfvlam.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1116	752	WerFault.exe	29

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1800	bfctcfvlam.exe
1800	bfctcfvlam.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1800	1532	6919d85bb10aad2b3078283f8b9108f0.exe	28
PID 1532 wrote to memory of 1800	1532	6919d85bb10aad2b3078283f8b9108f0.exe	28
PID 1532 wrote to memory of 1800	1532	6919d85bb10aad2b3078283f8b9108f0.exe	28
PID 1532 wrote to memory of 1800	1532	6919d85bb10aad2b3078283f8b9108f0.exe	28
PID 1800 wrote to memory of 752	1800	bfctcfvlam.exe	29
PID 1800 wrote to memory of 752	1800	bfctcfvlam.exe	29
PID 1800 wrote to memory of 752	1800	bfctcfvlam.exe	29
PID 1800 wrote to memory of 752	1800	bfctcfvlam.exe	29
PID 1800 wrote to memory of 752	1800	bfctcfvlam.exe	29
PID 752 wrote to memory of 1116	752	bfctcfvlam.exe	30
PID 752 wrote to memory of 1116	752	bfctcfvlam.exe	30
PID 752 wrote to memory of 1116	752	bfctcfvlam.exe	30
PID 752 wrote to memory of 1116	752	bfctcfvlam.exe	30

C:\Users\Admin\AppData\Local\Temp\6919d85bb10aad2b3078283f8b9108f0.exe
"C:\Users\Admin\AppData\Local\Temp\6919d85bb10aad2b3078283f8b9108f0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe
  "C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe" C:\Users\Admin\AppData\Local\Temp\vezrmelyb.d
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe
    "C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 184
      4⤵
      Loads dropped DLL
      Program crash
      PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe

Filesize
12KB

MD5
55f6c059b1b9b8937a03a0409218cbf6

SHA1
b1d59ab9d2d32c35cccd35bc485b4fe3cfc9dcd4

SHA256
3f14b8be08aa1c0f3e6c2c7c58a6c1cbff39647cbb3d430ace8c411d43330476

SHA512
5b33cebbd8e45ea26cddb39b1e80f5fd3718dbf1a89e2c8cb740a32b369d848bcd11be0fdb21e5d9392ccb7ce70fe595d6bd72b4d6ccd394bbfaa0acc124eda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe

Filesize
12KB

MD5
55f6c059b1b9b8937a03a0409218cbf6

SHA1
b1d59ab9d2d32c35cccd35bc485b4fe3cfc9dcd4

SHA256
3f14b8be08aa1c0f3e6c2c7c58a6c1cbff39647cbb3d430ace8c411d43330476

SHA512
5b33cebbd8e45ea26cddb39b1e80f5fd3718dbf1a89e2c8cb740a32b369d848bcd11be0fdb21e5d9392ccb7ce70fe595d6bd72b4d6ccd394bbfaa0acc124eda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe

Filesize
12KB

MD5
55f6c059b1b9b8937a03a0409218cbf6

SHA1
b1d59ab9d2d32c35cccd35bc485b4fe3cfc9dcd4

SHA256
3f14b8be08aa1c0f3e6c2c7c58a6c1cbff39647cbb3d430ace8c411d43330476

SHA512
5b33cebbd8e45ea26cddb39b1e80f5fd3718dbf1a89e2c8cb740a32b369d848bcd11be0fdb21e5d9392ccb7ce70fe595d6bd72b4d6ccd394bbfaa0acc124eda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ickztvancv.lez

Filesize
98KB

MD5
16bad3cabe4186c24eaaf1100f795150

SHA1
a140ecb2c690ffc44077c2017d819657e75f6818

SHA256
86860100715a1aea106bb16d7e855b4652eba52b6f28ebe57e3a929f8e2f5d9a

SHA512
1fb27338d4f47dfde7e0752fad4d24e6fe60d8fb56c35f8be55c94a786872f817330b36385f0c98c9b46572d57c423bd22cfd2d7a530fcef568e1a2df838f04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vezrmelyb.d

Filesize
7KB

MD5
5a9896aeebe978e68d2acbec19c4075b

SHA1
3edd7aa395c7874f96ff9ceabf67e8d170c55041

SHA256
c135d60595d1c7d25cb9f4eb899aec4d05ce7f1c149b16b2def80346b69324df

SHA512
c847991d0c83a254ebae5a48947ed44f173c86f133945a7b9a669f965cab0c3c3243246d6a19bf4d26e8e8da3b89d422bdc34c74eea9ba627383b1d0010b7e73

Download Submit
\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe

Filesize
12KB

MD5
55f6c059b1b9b8937a03a0409218cbf6

SHA1
b1d59ab9d2d32c35cccd35bc485b4fe3cfc9dcd4

SHA256
3f14b8be08aa1c0f3e6c2c7c58a6c1cbff39647cbb3d430ace8c411d43330476

SHA512
5b33cebbd8e45ea26cddb39b1e80f5fd3718dbf1a89e2c8cb740a32b369d848bcd11be0fdb21e5d9392ccb7ce70fe595d6bd72b4d6ccd394bbfaa0acc124eda1

Download Submit
\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe

Filesize
12KB

MD5
55f6c059b1b9b8937a03a0409218cbf6

SHA1
b1d59ab9d2d32c35cccd35bc485b4fe3cfc9dcd4

SHA256
3f14b8be08aa1c0f3e6c2c7c58a6c1cbff39647cbb3d430ace8c411d43330476

SHA512
5b33cebbd8e45ea26cddb39b1e80f5fd3718dbf1a89e2c8cb740a32b369d848bcd11be0fdb21e5d9392ccb7ce70fe595d6bd72b4d6ccd394bbfaa0acc124eda1

Download Submit
\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe

Filesize
12KB

MD5
55f6c059b1b9b8937a03a0409218cbf6

SHA1
b1d59ab9d2d32c35cccd35bc485b4fe3cfc9dcd4

SHA256
3f14b8be08aa1c0f3e6c2c7c58a6c1cbff39647cbb3d430ace8c411d43330476

SHA512
5b33cebbd8e45ea26cddb39b1e80f5fd3718dbf1a89e2c8cb740a32b369d848bcd11be0fdb21e5d9392ccb7ce70fe595d6bd72b4d6ccd394bbfaa0acc124eda1

Download Submit
\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe

Filesize
12KB

MD5
55f6c059b1b9b8937a03a0409218cbf6

SHA1
b1d59ab9d2d32c35cccd35bc485b4fe3cfc9dcd4

SHA256
3f14b8be08aa1c0f3e6c2c7c58a6c1cbff39647cbb3d430ace8c411d43330476

SHA512
5b33cebbd8e45ea26cddb39b1e80f5fd3718dbf1a89e2c8cb740a32b369d848bcd11be0fdb21e5d9392ccb7ce70fe595d6bd72b4d6ccd394bbfaa0acc124eda1

Download Submit
\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe

Filesize
12KB

MD5
55f6c059b1b9b8937a03a0409218cbf6

SHA1
b1d59ab9d2d32c35cccd35bc485b4fe3cfc9dcd4

SHA256
3f14b8be08aa1c0f3e6c2c7c58a6c1cbff39647cbb3d430ace8c411d43330476

SHA512
5b33cebbd8e45ea26cddb39b1e80f5fd3718dbf1a89e2c8cb740a32b369d848bcd11be0fdb21e5d9392ccb7ce70fe595d6bd72b4d6ccd394bbfaa0acc124eda1

Download Submit
memory/1532-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download