bf3dc5a3471fbcd89ab774f9c0c34ed7c22fb84a1626e2dc72925e8850e900c1

Analysis

max time kernel
187s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf3dc5a3471fbcd89ab774f9c0c34ed7c22fb84a1626e2dc72925e8850e900c1.exe
Size

614KB
MD5

7b8291e83a0b5444dea218110af08fe8
SHA1

26b85424cab98d63032035117db35702cc498e2b
SHA256

bf3dc5a3471fbcd89ab774f9c0c34ed7c22fb84a1626e2dc72925e8850e900c1
SHA512

9244d06420d8fa330121ec6f057391b523bfabcaa4810009096e02dc3ff5abcc685cf4fac43c5a67afa6c2dbb04ba48cca90fa276187dc8bf843cac126dc72d6
SSDEEP

12288:eV+mzfgBsZ/W/lzttV+yJOe5WiqBZaf08vRDOZIHGofGfkG0auFc:e88ccu/lBxXWiqBeOZYGouoFc

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4988	2.exe
5044	Shell32.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{460BC58B-A016-4b6b-8BE1-27C20C02E186}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{460BC58B-A016-4b6b-8BE1-27C20C02E186}\StubPath = "C:\\Windows\\SysWOW64\\WinNT.hta"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000022e2d-137.dat	upx
behavioral2/files/0x0008000000022e2d-136.dat	upx
behavioral2/memory/4988-159-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bf3dc5a3471fbcd89ab774f9c0c34ed7c22fb84a1626e2dc72925e8850e900c1.exe

Loads dropped DLL 2 IoCs

pid	Process
5044	Shell32.exe
1824	svchost.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\krnln.fnr	2.exe
File opened for modification	C:\Windows\SysWOW64\dp1.fne	2.exe
File opened for modification	C:\Windows\SysWOW64\WinNT.hta	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SystemXp.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Shell32.exe	2.exe
File created	C:\Windows\SysWOW64\WinNT.hta	svchost.exe
File opened for modification	C:\Windows\SysWOW64\krnln.fnr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dp1.fne	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25360	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5044 set thread context of 1824	5044	Shell32.exe	81

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\12.txt	2.exe
File opened for modification	C:\Windows\Server.txt	2.exe
File opened for modification	C:\Windows\win.ini	svchost.exe
File opened for modification	C:\Windows\Server.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1824	svchost.exe
1824	svchost.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4988	2.exe
5044	Shell32.exe
5044	Shell32.exe
5044	Shell32.exe
5044	Shell32.exe
5044	Shell32.exe
5044	Shell32.exe
5044	Shell32.exe
5044	Shell32.exe
5044	Shell32.exe
5044	Shell32.exe
5044	Shell32.exe
5044	Shell32.exe
5044	Shell32.exe
5044	Shell32.exe
5044	Shell32.exe
1824	svchost.exe
1824	svchost.exe
1824	svchost.exe
1824	svchost.exe
1824	svchost.exe
1824	svchost.exe
1824	svchost.exe
1824	svchost.exe
1824	svchost.exe
1824	svchost.exe
1824	svchost.exe
1824	svchost.exe
1824	svchost.exe
1824	svchost.exe
1824	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 4988	620	bf3dc5a3471fbcd89ab774f9c0c34ed7c22fb84a1626e2dc72925e8850e900c1.exe	79
PID 620 wrote to memory of 4988	620	bf3dc5a3471fbcd89ab774f9c0c34ed7c22fb84a1626e2dc72925e8850e900c1.exe	79
PID 620 wrote to memory of 4988	620	bf3dc5a3471fbcd89ab774f9c0c34ed7c22fb84a1626e2dc72925e8850e900c1.exe	79
PID 4988 wrote to memory of 5044	4988	2.exe	80
PID 4988 wrote to memory of 5044	4988	2.exe	80
PID 4988 wrote to memory of 5044	4988	2.exe	80
PID 5044 wrote to memory of 1824	5044	Shell32.exe	81
PID 5044 wrote to memory of 1824	5044	Shell32.exe	81
PID 5044 wrote to memory of 1824	5044	Shell32.exe	81
PID 5044 wrote to memory of 1824	5044	Shell32.exe	81
PID 5044 wrote to memory of 1824	5044	Shell32.exe	81
PID 5044 wrote to memory of 1824	5044	Shell32.exe	81
PID 5044 wrote to memory of 1824	5044	Shell32.exe	81
PID 5044 wrote to memory of 1824	5044	Shell32.exe	81
PID 5044 wrote to memory of 1824	5044	Shell32.exe	81

C:\Users\Admin\AppData\Local\Temp\bf3dc5a3471fbcd89ab774f9c0c34ed7c22fb84a1626e2dc72925e8850e900c1.exe
"C:\Users\Admin\AppData\Local\Temp\bf3dc5a3471fbcd89ab774f9c0c34ed7c22fb84a1626e2dc72925e8850e900c1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\SysWOW64\Shell32.exe
    C:\Windows\system32\Shell32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Modifies Installed Components in the registry
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
514KB

MD5
8ad268881d46ae52d5725be691fe48a6

SHA1
2bf4f0f5d83b7ae2d6447c5d5668bf8d8c58f8af

SHA256
ab658ceef950f428a85f37fa9ba6abfa8cef891fae07493d07aa83ad6d4c26d9

SHA512
78d693e2260148cc4e3c5d64ccbbb7de2493bea16d09b82f753813b0524f9cd345825dd83ab8845f86193294150819dab90b5ecd7fcec046c50d7cf24b547f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
514KB

MD5
8ad268881d46ae52d5725be691fe48a6

SHA1
2bf4f0f5d83b7ae2d6447c5d5668bf8d8c58f8af

SHA256
ab658ceef950f428a85f37fa9ba6abfa8cef891fae07493d07aa83ad6d4c26d9

SHA512
78d693e2260148cc4e3c5d64ccbbb7de2493bea16d09b82f753813b0524f9cd345825dd83ab8845f86193294150819dab90b5ecd7fcec046c50d7cf24b547f08

Download Submit
C:\Windows\12.txt

Filesize
39B

MD5
08fcbaa2379dfc56f8ae52c56c4dbac2

SHA1
cacce773e108b111b62072956bbde1dfab6adbb9

SHA256
5415128601df17ddb99a83831a49024446e92305cb3efb9db03ab6a8064063a1

SHA512
97165bffb9e333055edcc3c4902e00b2b15834776dea5bd5095587f4ec6e39c96cfc7ae743c45433569a6464d88346108b82a044c41f458ebab28e95ebde2392

Download Submit
C:\Windows\Server.txt

Filesize
24B

MD5
1d6b1b31ec3ba5bc8dfc493a9d5a4e6a

SHA1
5a55967fdc9a7aaaf657406aeb0b56a38278b0c2

SHA256
020fcb4f182e20a7d328c7d402c11f42c6e7e1cb6de249caa1bc159e76b0564b

SHA512
960c2c43bf2887fba09427de3c4722eaba2850ed84ea8caa69e575162f3faaaa1b3f0500d903f22c9a168228bdb97c732bd3c0a2ac579cb0a242c34e6a180ba5

Download Submit
C:\Windows\SysWOW64\Shell32.exe

Filesize
143KB

MD5
9539d4d29ca5c667901d12f2e2d28e14

SHA1
3edd80bdfd3a74372b014be1a8bc254436523a74

SHA256
7422f4d068b90f5974f571a0562befbf2355e55be84479890b017db0acc94313

SHA512
2b69dacdc7614ca01c6f9bfd5e4be0d32d0b718b8ccdab2306cbe148a655ab004cddf3be7c6822e2586b95a42869585339a7eb8fad613659311ab6d323375715

Download Submit
C:\Windows\SysWOW64\Shell32.exe

Filesize
143KB

MD5
9539d4d29ca5c667901d12f2e2d28e14

SHA1
3edd80bdfd3a74372b014be1a8bc254436523a74

SHA256
7422f4d068b90f5974f571a0562befbf2355e55be84479890b017db0acc94313

SHA512
2b69dacdc7614ca01c6f9bfd5e4be0d32d0b718b8ccdab2306cbe148a655ab004cddf3be7c6822e2586b95a42869585339a7eb8fad613659311ab6d323375715

Download Submit
C:\Windows\SysWOW64\dp1.fne

Filesize
50KB

MD5
8703a35775a6f8e6580e9d071e7809b3

SHA1
7396abbd4028250ed9319b3f96e871bb9fb6b7cd

SHA256
c5b4b57cb002f59ccbdf795d9792c9e3aa65465b600d8e74e970bab2bdc2d3bc

SHA512
f2db8b5243829a1f715e131e22f74ce2794f27fd102f7a84b4b19489aa6e10f0afb5a4d5f52b999cb67f9e87a34499684f0b8f5dc7435ab5fef2c6122736e875

Download Submit
C:\Windows\SysWOW64\krnln.fnr

Filesize
372KB

MD5
0396ad47c62ea17fce456679a1502e97

SHA1
c1cd927cd0c0efa5442650c8020d216a4f80f7ac

SHA256
08c56c3158da89ad16fe0d4835a968b2352c5629ba80efb460fcff484109d92c

SHA512
5f2f9ce9f7efabd263512e050aa257055de9f2c15cc2b87e14c15733959d44922e98b84101000838e91a745fe1aa16bd73696f973ec4789bb9d0949efff38cfb

Download Submit
C:\Windows\SysWOW64\krnln.fnr

Filesize
372KB

MD5
0396ad47c62ea17fce456679a1502e97

SHA1
c1cd927cd0c0efa5442650c8020d216a4f80f7ac

SHA256
08c56c3158da89ad16fe0d4835a968b2352c5629ba80efb460fcff484109d92c

SHA512
5f2f9ce9f7efabd263512e050aa257055de9f2c15cc2b87e14c15733959d44922e98b84101000838e91a745fe1aa16bd73696f973ec4789bb9d0949efff38cfb

Download Submit
C:\Windows\SysWOW64\krnln.fnr

Filesize
372KB

MD5
0396ad47c62ea17fce456679a1502e97

SHA1
c1cd927cd0c0efa5442650c8020d216a4f80f7ac

SHA256
08c56c3158da89ad16fe0d4835a968b2352c5629ba80efb460fcff484109d92c

SHA512
5f2f9ce9f7efabd263512e050aa257055de9f2c15cc2b87e14c15733959d44922e98b84101000838e91a745fe1aa16bd73696f973ec4789bb9d0949efff38cfb

Download Submit
memory/1824-151-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1824-158-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/1824-149-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1824-150-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1824-162-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/1824-153-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1824-156-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/1824-161-0x0000000000403000-0x0000000000425000-memory.dmp

Filesize
136KB

Download
memory/1824-148-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1824-160-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/4988-159-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/5044-157-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/5044-155-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5044-145-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download
memory/5044-146-0x0000000010000000-0x000000001017E000-memory.dmp

Filesize
1.5MB

Download