6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8

Analysis

max time kernel
185s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2023, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Size

108KB
MD5

af9f0235192180cf4483dff09a8c282d
SHA1

bc5d74f26702a7a707f80f232502a181595b34d1
SHA256

6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8
SHA512

f3b5666e964d4120c950c37efd192517738703e1c3a05aaeb62c5c9b04cab67e60163d539c8b3ca0fa880e5278cf7ea6fac59c3216d593c1c536446feaf9a6ff
SSDEEP

3072:MscXcqJBj7zrjbYze9jG9zdidWymoskh+gQ:q/Jt7LDo9zdidWzosk

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bohao Market 3 Starter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BohaoStarter.exe"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 43 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sLongDate16 = "dddd', 'MMMM' 'dd', 'yyyy"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iCurrency = "0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iTime = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\s2359 = "??"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sCurrency = "?"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sTimeFormat = "H:mm:ss"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iCountry = "86"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iDigits = "2"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iTLZero = "0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sDate = "-"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\s1159 = "??"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iFirstDayOfWeek = "6"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iFirstWeekOfYear = "0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sNegativeSign = "-"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iDate = "2"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sLanguage = "CHS"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sShortDate = "yyyy-M-d"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iCalendar = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iCalendarType = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iMeasure = "0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sLongDate = "yyyy'?'M'?'d'?'"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iTimePrefix = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sMonDecimalSep = "."	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iCurrDigits = "2"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sMonThousandSep = ","	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sMonGrouping = "3;0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iChinaYear = "0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iNegNumber = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sNativeDigits = "0123456789"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sGrouping = "3;0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iLZero = "0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iNegCurr = "2"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sCountry = "People's Republic of China"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sList = ","	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sPositiveSign	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iCentury = "0"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iDayLZero = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\iMonLZero = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\NumShape = "1"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Locale = "00000804"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sDecimal = "."	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sThousand = ","	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\sTime = ":"	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4704	reg.exe
3728	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
460	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 1440	460	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe	88
PID 460 wrote to memory of 1440	460	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe	88
PID 460 wrote to memory of 1440	460	6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe	88
PID 1440 wrote to memory of 4704	1440	cmd.exe	90
PID 1440 wrote to memory of 4704	1440	cmd.exe	90
PID 1440 wrote to memory of 4704	1440	cmd.exe	90
PID 1440 wrote to memory of 3728	1440	cmd.exe	91
PID 1440 wrote to memory of 3728	1440	cmd.exe	91
PID 1440 wrote to memory of 3728	1440	cmd.exe	91
PID 1440 wrote to memory of 4976	1440	cmd.exe	92
PID 1440 wrote to memory of 4976	1440	cmd.exe	92
PID 1440 wrote to memory of 4976	1440	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe
"C:\Users\Admin\AppData\Local\Temp\6ba9caf5b6ce008df3e85986c46cb205262dd85c98f70c7f33f6016d6b6fabc8.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UpdateReg.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\reg.exe
    REG Add HKLM\Software\BohaoSoft\Market2 /v Path /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\\" /f /reg:64
    3⤵
    - Modifies registry key
    PID:4704
- - C:\Windows\SysWOW64\reg.exe
    REG Add HKLM\Software\BohaoSoft\Market2 /v Version /t REG_SZ /d "2.98.1212" /f /reg:64
    3⤵
    - Modifies registry key
    PID:3728
- - C:\Windows\SysWOW64\reg.exe
    REG Add "HKLM\Software\ActiveXperts\Serial Port Component" /v LicenseKey /t REG_SZ /d "01EC7-5DB2E-86042" /f /reg:64
    3⤵
    PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UpdateReg.bat

Filesize
329B

MD5
43de8352f4873246b3feeff9171096d1

SHA1
d04e380fe82d9f54c616ba2773fdb5666915a101

SHA256
b9e5435fd27b228a82359bf946d7cdd65ccea06e4e23c07271e51129672196e7

SHA512
30e331b6b8f351ebf42b0cebdd848d132c0abddc5b07fb26cd71371ab71a6e559c36c72a14262153601944795e4331506b9f717db9962b14391b37ca4f9bb46c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads