16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05

Analysis

max time kernel
135s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2023, 01:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Size

108KB
MD5

12e143117090ed25bf6bed9e0ccb1f0a
SHA1

af56d174a9957eefd1faca1e20edfd5b119a65a4
SHA256

16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05
SHA512

c751371a16f7da9e7798c000af7df63db0c78e03c489f64f7cf11a145a30150ef97013273afe7dfaf911f8eead57354abd0684c73695c7508ad22a4ada72989e
SSDEEP

3072:tDG3hSaI5xNyQ8zrTLcWUymHKLahEevuZBS83MR/P/A:t1nyPLGTKLahEev4S83U/3

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bohao Market 3 Starter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BohaoStarter.exe"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 43 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iDigits = "2"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iNegCurr = "2"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\s1159 = "??"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sDate = "-"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iCentury = "0"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\NumShape = "1"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iCountry = "86"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sMonThousandSep = ","	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sLanguage = "CHS"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sCountry = "People's Republic of China"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sCurrency = "?"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sThousand = ","	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sTimeFormat = "H:mm:ss"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iFirstDayOfWeek = "6"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sGrouping = "3;0"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iTLZero = "0"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iMonLZero = "1"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iNegNumber = "1"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iCalendarType = "1"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iCurrency = "0"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Locale = "00000804"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sDecimal = "."	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sShortDate = "yyyy-M-d"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iDayLZero = "1"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iFirstWeekOfYear = "0"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sPositiveSign	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iLZero = "0"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iDate = "2"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iTime = "1"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sLongDate = "yyyy'?'M'?'d'?'"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iTimePrefix = "1"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iChinaYear = "0"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iCalendar = "1"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sNegativeSign = "-"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iCurrDigits = "2"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sList = ","	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sTime = ":"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sNativeDigits = "0123456789"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sMonGrouping = "3;0"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\iMeasure = "0"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sLongDate16 = "dddd', 'MMMM' 'dd', 'yyyy"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\sMonDecimalSep = "."	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\s2359 = "??"	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4308	reg.exe
5044	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4624	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 3952	4624	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe	82
PID 4624 wrote to memory of 3952	4624	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe	82
PID 4624 wrote to memory of 3952	4624	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe	82
PID 3952 wrote to memory of 4308	3952	cmd.exe	84
PID 3952 wrote to memory of 4308	3952	cmd.exe	84
PID 3952 wrote to memory of 4308	3952	cmd.exe	84
PID 3952 wrote to memory of 5044	3952	cmd.exe	85
PID 3952 wrote to memory of 5044	3952	cmd.exe	85
PID 3952 wrote to memory of 5044	3952	cmd.exe	85
PID 3952 wrote to memory of 3888	3952	cmd.exe	86
PID 3952 wrote to memory of 3888	3952	cmd.exe	86
PID 3952 wrote to memory of 3888	3952	cmd.exe	86
PID 4624 wrote to memory of 4920	4624	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe	88
PID 4624 wrote to memory of 4920	4624	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe	88
PID 4624 wrote to memory of 4920	4624	16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe	88

C:\Users\Admin\AppData\Local\Temp\16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe
"C:\Users\Admin\AppData\Local\Temp\16459b8dca9faeffd7c9243acba88facbcb97d7e999f4cb151ada8726e461d05.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UpdateReg.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\SysWOW64\reg.exe
    REG Add HKLM\Software\BohaoSoft\Market3 /v Path /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\\" /f /reg:64
    3⤵
    - Modifies registry key
    PID:4308
- - C:\Windows\SysWOW64\reg.exe
    REG Add HKLM\Software\BohaoSoft\Market3 /v Version /t REG_SZ /d "3.30.1209" /f /reg:64
    3⤵
    - Modifies registry key
    PID:5044
- - C:\Windows\SysWOW64\reg.exe
    REG Add "HKLM\Software\ActiveXperts\Serial Port Component" /v LicenseKey /t REG_SZ /d "01EC7-5DB2E-86042" /f /reg:64
    3⤵
    PID:3888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\installService.bat" "
  2⤵
  PID:4920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UpdateReg.bat

Filesize
329B

MD5
0d854e0701a0b1dfb2fec856df972107

SHA1
605785335f2113ea39bbeb886242d94765a1f930

SHA256
c0e9f1dd1374447fad62b947ce9a051ab7f36323765828c9f2632c9e039553fd

SHA512
59987389f1458a69d3a42da95de379cf88137d1fc4b1080ce77b76076abf302bc80bd6bad11f2a146d4b8a189d95604e121c79cce91878edcb27124d46076337

Download Submit
C:\Users\Admin\AppData\Local\Temp\installService.bat

Filesize
204B

MD5
7773e38469d982e4f21b8925428abda6

SHA1
059c575f7bb9bd24b1a2ffd61f9a29c991b55adf

SHA256
9dac741740492de1472ae97c3fbee3bd13af86c76e1ad008f89d4d2e0645edbf

SHA512
afe6f325e674e15ea8d445eb12f7e9dbdad1e6d34986b0bd1b7350d933ad3ee6999fea023505295edb085899ec6007200b3129c4ce6d7e9f85444efbfcbc33e3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads