6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8

Analysis

max time kernel
121s
max time network
155s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08/10/2023, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Size

108KB
MD5

af9f0235192180cf4483dff09a8c282d
SHA1

bc5d74f26702a7a707f80f232502a181595b34d1
SHA256

6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8
SHA512

f3b5666e964d4120c950c37efd192517738703e1c3a05aaeb62c5c9b04cab67e60163d539c8b3ca0fa880e5278cf7ea6fac59c3216d593c1c536446feaf9a6ff
SSDEEP

3072:MscXcqJBj7zrjbYze9jG9zdidWymoskh+gQ:q/Jt7LDo9zdidWzosk

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bohao Market 3 Starter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BohaoStarter.exe"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 43 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iCurrDigits = "2"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\s1159 = "??"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iCentury = "0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sNativeDigits = "0123456789"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iFirstWeekOfYear = "0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iDigits = "2"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sLanguage = "CHS"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iMonLZero = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sTimeFormat = "H:mm:ss"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iCurrency = "0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sCurrency = "?"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sShortDate = "yyyy-M-d"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sLongDate16 = "dddd', 'MMMM' 'dd', 'yyyy"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sMonDecimalSep = "."	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sMonGrouping = "3;0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iNegCurr = "2"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sTime = ":"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iTimePrefix = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iNegNumber = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sGrouping = "3;0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iCountry = "86"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\s2359 = "??"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sCountry = "People's Republic of China"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sList = ","	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sLongDate = "yyyy'?'M'?'d'?'"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\NumShape = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sNegativeSign = "-"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iTLZero = "0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sDate = "-"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sDecimal = "."	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sMonThousandSep = ","	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iFirstDayOfWeek = "6"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sPositiveSign	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iCalendarType = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iDate = "2"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iLZero = "0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iTime = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\Locale = "00000804"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iDayLZero = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iCalendar = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iMeasure = "0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\sThousand = ","	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\iChinaYear = "0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2524	reg.exe
2544	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1716	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2960	1716	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe	30
PID 1716 wrote to memory of 2960	1716	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe	30
PID 1716 wrote to memory of 2960	1716	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe	30
PID 1716 wrote to memory of 2960	1716	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe	30
PID 1716 wrote to memory of 2960	1716	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe	30
PID 1716 wrote to memory of 2960	1716	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe	30
PID 1716 wrote to memory of 2960	1716	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe	30
PID 2960 wrote to memory of 2524	2960	cmd.exe	32
PID 2960 wrote to memory of 2524	2960	cmd.exe	32
PID 2960 wrote to memory of 2524	2960	cmd.exe	32
PID 2960 wrote to memory of 2524	2960	cmd.exe	32
PID 2960 wrote to memory of 2544	2960	cmd.exe	33
PID 2960 wrote to memory of 2544	2960	cmd.exe	33
PID 2960 wrote to memory of 2544	2960	cmd.exe	33
PID 2960 wrote to memory of 2544	2960	cmd.exe	33
PID 2960 wrote to memory of 2740	2960	cmd.exe	34
PID 2960 wrote to memory of 2740	2960	cmd.exe	34
PID 2960 wrote to memory of 2740	2960	cmd.exe	34
PID 2960 wrote to memory of 2740	2960	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
"C:\Users\Admin\AppData\Local\Temp\6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe"
1⤵
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\UpdateReg.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\reg.exe
    REG Add HKLM\Software\BohaoSoft\Market2 /v Path /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\\" /f /reg:64
    3⤵
    - Modifies registry key
    PID:2524
- - C:\Windows\SysWOW64\reg.exe
    REG Add HKLM\Software\BohaoSoft\Market2 /v Version /t REG_SZ /d "2.98.1212" /f /reg:64
    3⤵
    - Modifies registry key
    PID:2544
- - C:\Windows\SysWOW64\reg.exe
    REG Add "HKLM\Software\ActiveXperts\Serial Port Component" /v LicenseKey /t REG_SZ /d "01EC7-5DB2E-86042" /f /reg:64
    3⤵
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UpdateReg.bat

Filesize
329B

MD5
43de8352f4873246b3feeff9171096d1

SHA1
d04e380fe82d9f54c616ba2773fdb5666915a101

SHA256
b9e5435fd27b228a82359bf946d7cdd65ccea06e4e23c07271e51129672196e7

SHA512
30e331b6b8f351ebf42b0cebdd848d132c0abddc5b07fb26cd71371ab71a6e559c36c72a14262153601944795e4331506b9f717db9962b14391b37ca4f9bb46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UpdateReg.bat

Filesize
329B

MD5
43de8352f4873246b3feeff9171096d1

SHA1
d04e380fe82d9f54c616ba2773fdb5666915a101

SHA256
b9e5435fd27b228a82359bf946d7cdd65ccea06e4e23c07271e51129672196e7

SHA512
30e331b6b8f351ebf42b0cebdd848d132c0abddc5b07fb26cd71371ab71a6e559c36c72a14262153601944795e4331506b9f717db9962b14391b37ca4f9bb46c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads