Analysis
Max time kernel: 151s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 29-01-2023 11:28
Static task: static1
Behavioral task: behavioral1
Sample: a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe
Resource: win7-20220812-en
General
Target: a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe
Size: 95KB
MD5: 92abcb46ed44b6f5e4457839d63c048f
SHA1: d409f13652b6bd456a3b08ccc775392950aa3739
SHA256: a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80
SHA512: cbfda6d0a54f59612a581929d33ff6deb2faba9e781227c933a255c1f067e7736f484346bc7ab9e1acc3ea2192a3731ab3e57ad6592810bb0d41b415a2306fa6
SSDEEP: 1536:u7dkoVi9I2VK/JmpMZGH7+NICr3DUDloBzq3GmT2BbahE7jwaaHw7Koj4rhfu+u1:mdkoV4I2VK/Jmp6Gb+eCDgb3GmT2Bb5B
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\sbwjywsu\\bhovjaci.exe" | svchost.exe
Note the Wow6432Node path: the writer is the 32-bit (SysWOW64) svchost.exe, so WoW64 registry redirection sent the write to the 32-bit view of the key. The 64-bit winlogon.exe on this x64 image reads the native Winlogon key, so this entry does not actually change the logon chain here; the Run key and Startup-folder entries recorded further down are not redirected and are the persistence that would be honoured.
UAC bypass 1 IoCs
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
EnableLUA=0 switches User Account Control off entirely rather than bypassing a single prompt; the setting takes effect after the next reboot. The Policies key is not WoW64-redirected, which is why this write landed in the native path while the Winlogon write did not.
Executes dropped EXE 1 IoCs
Processes: smmqlcbrdnrlrykc.exe
pid | process
1704 | smmqlcbrdnrlrykc.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Drops startup file 2 IoCs
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bhovjaci.exe | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bhovjaci.exe | svchost.exe
Loads dropped DLL 4 IoCs
Processes: a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe
pid | process
1260 | a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe (4 identical entries; the report does not name the DLL)
Adds Run key to start application 2 TTPs 1 IoCs
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\BhoVjaci = "C:\\Users\\Admin\\AppData\\Local\\sbwjywsu\\bhovjaci.exe" | svchost.exe
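The registry and file IoCs in the five signatures above (Winlogon Userinit, EnableLUA, SystemBiosVersion read, Startup-folder drop, Run key), run through the checks an analyst would apply to them. This is an added example in Python, not part of the sandbox report: it parses IoC lines in the report's own wording and flags the technique each one represents. The Userinit allow-list, the user-writable path markers and the list of BIOS values treated as sandbox probes are the author's assumptions, not something the report states.

```python
"""Triage registry/file IoCs written in the sandbox report's own format.

Added example, not part of the report. Handles three line shapes:
  Set value (<type>) <key>\<name> = "<value>"
  Key value queried <key>\<name>
  File created|opened for modification <path>
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from this report's signatures (the report doubles backslashes inside values).
REPORT_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\sbwjywsu\\bhovjaci.exe"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bhovjaci.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\BhoVjaci = "C:\\Users\\Admin\\AppData\\Local\\sbwjywsu\\bhovjaci.exe"',
]

SET_RE = re.compile(r'^Set value \(\w+\) (?P<key>.+?)\\(?P<name>[^\\]+) = "(?P<value>.*)"$')
QUERY_RE = re.compile(r'^Key value queried (?P<key>.+)\\(?P<name>[^\\]+)$')
FILE_RE = re.compile(r'^File (?:created|opened for modification) (?P<path>.+)$')

# Assumptions (author's allow-lists, not from the report).
ALLOWED_USERINIT = {"userinit.exe", "c:\\windows\\system32\\userinit.exe"}
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
SANDBOX_PROBES = {"systembiosversion", "videobiosversion", "systembiosdate", "systemmanufacturer", "systemproductname"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


@dataclass
class Finding:
    kind: str                 # short technique label
    target: str               # key\name or file path
    detail: str
    redirected: bool = False  # written under Wow6432Node, i.e. by a 32-bit process via WoW64


def unescape(value: str) -> str:
    return value.replace("\\\\", "\\")


def check_userinit(value: str) -> Optional[str]:
    """Userinit is a comma-separated chain; anything beyond userinit.exe itself is a finding."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    extra = [e for e in entries if e.lower() not in ALLOWED_USERINIT]
    return ("Userinit chain extended with: " + "; ".join(extra)) if extra else None


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage_line(line: str) -> Optional[Finding]:
    line = line.strip()
    if (m := SET_RE.match(line)):
        key, name, value = m["key"], m["name"], unescape(m["value"])
        k, n = key.lower(), name.lower()
        target = f"{key}\\{name}"
        redirected = "\\wow6432node\\" in k
        if k.endswith("\\winlogon") and n == "userinit":
            detail = check_userinit(value)
            return Finding("winlogon-persistence", target, detail, redirected) if detail else None
        if k.endswith("\\policies\\system") and n == "enablelua" and value.strip() == "0":
            return Finding("uac-disabled", target, "EnableLUA=0 (UAC off after next reboot)", redirected)
        if re.search(r"\\currentversion\\run(once)?$", k) and in_user_writable(value):
            return Finding("run-key", target, f"autostart points into a user-writable path: {value}", redirected)
        return None
    if (m := QUERY_RE.match(line)):
        if m["name"].lower() in SANDBOX_PROBES:
            return Finding("sandbox-probe", f'{m["key"]}\\{m["name"]}', "hardware/BIOS value commonly read to fingerprint VMs")
        return None
    if (m := FILE_RE.match(line)):
        if STARTUP_DIR in m["path"].lower():
            return Finding("startup-folder", m["path"], "executable dropped into the Startup folder")
        return None
    return None


def triage(lines: List[str]) -> List[Finding]:
    return [f for f in map(triage_line, lines) if f is not None]


if __name__ == "__main__":
    for f in triage(REPORT_IOCS):
        flag = " [WoW64-redirected]" if f.redirected else ""
        print(f"{f.kind:22} {f.target}{flag}\n    {f.detail}")
```

The `redirected` flag is what separates the Winlogon entry from the other two registry writes in this report: a Userinit change that only exists under Wow6432Node is worth recording, but it is not the persistence that would fire on an x64 host.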
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description of the signature; no IoC is attached to it and nothing else in this report (no mass file modification, no ransom note) supports a ransomware classification on its own.
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes: svchost.exe
pid | process
1712 | svchost.exe (44 identical entries)
Suspicious behavior: LoadsDriver 1 IoCs
pid | process
460 | (process name not recorded; pid 460 is not one of the sample's own processes)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe, svchost.exe, svchost.exe, smmqlcbrdnrlrykc.exe
description | pid | process
Token: SeSecurityPrivilege | 1260 | a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe
Token: SeDebugPrivilege | 1260 | a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe
Token: SeSecurityPrivilege | 1604 | svchost.exe
Token: SeSecurityPrivilege | 1712 | svchost.exe
Token: SeDebugPrivilege | 1712 | svchost.exe
Token: SeRestorePrivilege / SeBackupPrivilege, alternating, repeated | 1712 | svchost.exe
Token: SeSecurityPrivilege | 1704 | smmqlcbrdnrlrykc.exe
Token: SeLoadDriverPrivilege | 1704 | smmqlcbrdnrlrykc.exe
The bulk of the 64 entries are the alternating SeRestorePrivilege/SeBackupPrivilege adjustments by pid 1712, which continue after the two smmqlcbrdnrlrykc.exe entries; that pattern is what a process produces when it repeatedly opens registry keys or files with backup/restore semantics.
Suspicious use of WriteProcessMemory 24 IoCs
Processes: a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe
description | pid | process | target process
PID 1260 wrote to memory of 1604 (10 entries) | 1260 | a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe | svchost.exe
PID 1260 wrote to memory of 1712 (10 entries) | 1260 | a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe | svchost.exe
PID 1260 wrote to memory of 1704 (4 entries) | 1260 | a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe | smmqlcbrdnrlrykc.exe
All writes originate from the sample itself and target its own children: the two svchost.exe instances it spawned and the renamed copy of itself.
Processes
C:\Users\Admin\AppData\Local\Temp\a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe (pid 1260)
  command line: "C:\Users\Admin\AppData\Local\Temp\a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (pid 1604)
    command line: C:\Windows\system32\svchost.exe
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\svchost.exe (pid 1712)
    command line: C:\Windows\system32\svchost.exe
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks BIOS information in registry
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\smmqlcbrdnrlrykc.exe (pid 1704)
    command line: "C:\Users\Admin\AppData\Local\Temp\smmqlcbrdnrlrykc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
PIDs are taken from the signature tables above. Both svchost.exe children were requested as C:\Windows\system32\svchost.exe but resolved to the SysWOW64 binary: the 32-bit sample is subject to WoW64 file-system redirection. Neither svchost.exe carries a -k service-group argument and neither is a child of services.exe, which is the pattern to look for when this sample's process hollowing is reproduced on a real host.
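The process tree and the WriteProcessMemory signature together show the injection pattern: the sample starts two svchost.exe children with no -k argument, writes into each of them, and writes into a renamed copy of itself. The following is an added Python example, not part of the sandbox report, that applies the generic host-level rules for this pattern (svchost.exe must be a child of services.exe, must carry a -k group, must live in System32 or SysWOW64, and a parent writing into a child's memory is an injection or hollowing candidate). The process records and write counts are taken from this report; the services.exe/svchost.exe pair with pids 500 and 900 is a constructed legitimate baseline so the rules have a negative case.

```python
"""Flag svchost.exe abuse and parent-to-child memory writes from a process tree.

Added example, not part of the report. Input shape mirrors what Sysmon
process-create and CreateRemoteThread/ProcessAccess events would give you.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str            # image path as recorded by the sandbox
    cmdline: str          # command line as recorded
    ppid: Optional[int]   # None when the parent is not in the report


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\smmqlcbrdnrlrykc.exe"

PROCS = [
    Proc(1260, SAMPLE, f'"{SAMPLE}"', None),
    Proc(1604, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe", 1260),
    Proc(1712, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe", 1260),
    Proc(1704, DROPPED, f'"{DROPPED}"', 1260),
    # Constructed baseline (assumption, not from the report): a legitimate service host.
    Proc(500, r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe", 1),
    Proc(900, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs", 500),
]

# (writer pid, target pid) -> number of "wrote to memory of" events in the report.
WRITES: Dict[Tuple[int, int], int] = {(1260, 1604): 10, (1260, 1712): 10, (1260, 1704): 4}

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(procs: List[Proc], writes: Dict[Tuple[int, int], int]) -> Dict[int, List[str]]:
    """Return {pid: [reason, ...]} for every process that trips a rule."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[int, List[str]] = {}
    for p in procs:
        reasons: List[str] = []
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        parent_name = basename(parent.image) if parent else "unknown"

        if basename(p.image) == "svchost.exe":
            if parent_name != "services.exe":
                reasons.append(f"svchost.exe started by {parent_name} instead of services.exe")
            if "-k " not in p.cmdline.lower():
                reasons.append("svchost.exe launched without a -k service group")
            if not p.image.lower().startswith(SYSTEM_DIRS):
                reasons.append("svchost.exe image outside System32/SysWOW64")

        if parent is not None:
            n = writes.get((parent.pid, p.pid), 0)
            if n:
                reasons.append(
                    f"parent pid {parent.pid} ({parent_name}) wrote to this process's memory "
                    f"{n} times: injection/hollowing candidate"
                )

        if reasons:
            findings[p.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in analyse(PROCS, WRITES).items():
        print(f"pid {pid}:")
        for r in reasons:
            print("  -", r)
```

The two svchost.exe children trip all three service-host rules plus the memory-write rule; the renamed copy trips only the memory-write rule, which is consistent with the sample writing into a process that is already its own code. The constructed pid 900 baseline produces no finding.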
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\smmqlcbrdnrlrykc.exe
Filesize: 95KB
MD5: 92abcb46ed44b6f5e4457839d63c048f
SHA1: d409f13652b6bd456a3b08ccc775392950aa3739
SHA256: a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80
SHA512: cbfda6d0a54f59612a581929d33ff6deb2faba9e781227c933a255c1f067e7736f484346bc7ab9e1acc3ea2192a3731ab3e57ad6592810bb0d41b415a2306fa6
\Users\Admin\AppData\Local\Temp\smmqlcbrdnrlrykc.exe
Filesize: 95KB
MD5: 92abcb46ed44b6f5e4457839d63c048f
SHA1: d409f13652b6bd456a3b08ccc775392950aa3739
SHA256: a78aa7e8cb918a202fbc37863674fea1008063e771cc440f2e466bd1cc418f80
SHA512: cbfda6d0a54f59612a581929d33ff6deb2faba9e781227c933a255c1f067e7736f484346bc7ab9e1acc3ea2192a3731ab3e57ad6592810bb0d41b415a2306fa6
(The report lists the \Users\... entry four times with identical hashes; the repeats are collapsed here.)
Size and all four hashes of the dropped file match the submitted sample exactly, so the "dropped EXE" is a byte-for-byte copy of the sample under a random name rather than a second payload; the hashes above are the only file indicators this run produces.
Memory dumps
memory/1260-80-0x0000000000400000-0x000000000043A0EC-memory.dmp | Filesize 232KB
memory/1260-59-0x0000000000400000-0x000000000043A0EC-memory.dmp | Filesize 232KB
memory/1260-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp | Filesize 8KB
memory/1604-60-0x0000000020010000-0x000000002001C000-memory.dmp | Filesize 48KB
memory/1604-58-0x0000000000000000-mapping.dmp
memory/1604-56-0x0000000020010000-0x000000002001C000-memory.dmp | Filesize 48KB
memory/1704-78-0x0000000000000000-mapping.dmp
memory/1704-82-0x0000000000400000-0x000000000043A0EC-memory.dmp | Filesize 232KB
memory/1712-70-0x0000000020010000-0x000000002002C000-memory.dmp | Filesize 112KB
memory/1712-68-0x0000000000000000-mapping.dmp
memory/1712-66-0x0000000020010000-0x000000002002C000-memory.dmp | Filesize 112KB
The 0x20010000 regions in both svchost.exe children (pids 1604 and 1712) are the injected pages written by pid 1260; they are the dumps to pull for the payload that the 95KB on-disk file does not show.