a6d21d179c1f801bc655a19cbdb6a11f7050d4b81bc98696d9d2a2d9b63bf437

Analysis

max time kernel
26s
max time network
19s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35016c4bc187c4a4a06866399fe35650.exe
Size

708KB
MD5

35016c4bc187c4a4a06866399fe35650
SHA1

53c87f60f44492453c3d6e94eee5f63464b029dd
SHA256

a6d21d179c1f801bc655a19cbdb6a11f7050d4b81bc98696d9d2a2d9b63bf437
SHA512

f596ee5b836a14bb0f046143892e772388789567541f15fbaba44b6e452d942e10bfadbc95b51474b452f894997c9c32f4e75730aa81dd2d3e5ad83c1c2489d9
SSDEEP

12288:ihdUZQ75UTWAnhZMYmPabdQNED+YnsdFtxDk5TLhuCDH1EoqWU:ivUZQNGWAnhZMzaSxYnsdWJluUc

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	35016c4bc187c4a4a06866399fe35650.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rnkfvrf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rnkfvrf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wszlzxj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wszlzxj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	35016c4bc187c4a4a06866399fe35650.exe

Executes dropped EXE 4 IoCs

pid	Process
2800	rnkfvrf.exe
2820	rnkfvrf.exe
2472	wszlzxj.exe
968	wszlzxj.exe

Loads dropped DLL 5 IoCs

pid	Process
2456	35016c4bc187c4a4a06866399fe35650.exe
2456	35016c4bc187c4a4a06866399fe35650.exe
2800	rnkfvrf.exe
2820	rnkfvrf.exe
2820	rnkfvrf.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rnkfvrf.exe	35016c4bc187c4a4a06866399fe35650.exe
File opened for modification	C:\Windows\SysWOW64\rnkfvrf.exe	35016c4bc187c4a4a06866399fe35650.exe
File created	C:\Windows\SysWOW64\wszlzxj.exe	rnkfvrf.exe
File opened for modification	C:\Windows\SysWOW64\wszlzxj.exe	rnkfvrf.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476}	35016c4bc187c4a4a06866399fe35650.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476}\ = "UPnP Service Provider Class"	35016c4bc187c4a4a06866399fe35650.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476}\InprocServer32	35016c4bc187c4a4a06866399fe35650.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476}\InprocServer32\ = "C:\\Windows\\SysWOW64\\fdssdp.dll"	35016c4bc187c4a4a06866399fe35650.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476}\InprocServer32\ThreadingModel = "Both"	35016c4bc187c4a4a06866399fe35650.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:474A6CD6	rnkfvrf.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	wszlzxj.exe
File created	C:\ProgramData\TEMP:474A6CD6	35016c4bc187c4a4a06866399fe35650.exe
File opened for modification	C:\ProgramData\TEMP:474A6CD6	35016c4bc187c4a4a06866399fe35650.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	2456	35016c4bc187c4a4a06866399fe35650.exe
Token: SeIncBasePriorityPrivilege	2456	35016c4bc187c4a4a06866399fe35650.exe
Token: 33	2456	35016c4bc187c4a4a06866399fe35650.exe
Token: SeIncBasePriorityPrivilege	2456	35016c4bc187c4a4a06866399fe35650.exe
Token: 33	2820	rnkfvrf.exe
Token: SeIncBasePriorityPrivilege	2820	rnkfvrf.exe
Token: 33	2820	rnkfvrf.exe
Token: SeIncBasePriorityPrivilege	2820	rnkfvrf.exe
Token: 33	968	wszlzxj.exe
Token: SeIncBasePriorityPrivilege	968	wszlzxj.exe
Token: 33	968	wszlzxj.exe
Token: SeIncBasePriorityPrivilege	968	wszlzxj.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2456	2548	35016c4bc187c4a4a06866399fe35650.exe	28
PID 2548 wrote to memory of 2456	2548	35016c4bc187c4a4a06866399fe35650.exe	28
PID 2548 wrote to memory of 2456	2548	35016c4bc187c4a4a06866399fe35650.exe	28
PID 2548 wrote to memory of 2456	2548	35016c4bc187c4a4a06866399fe35650.exe	28
PID 2548 wrote to memory of 2456	2548	35016c4bc187c4a4a06866399fe35650.exe	28
PID 2548 wrote to memory of 2456	2548	35016c4bc187c4a4a06866399fe35650.exe	28
PID 2456 wrote to memory of 2800	2456	35016c4bc187c4a4a06866399fe35650.exe	29
PID 2456 wrote to memory of 2800	2456	35016c4bc187c4a4a06866399fe35650.exe	29
PID 2456 wrote to memory of 2800	2456	35016c4bc187c4a4a06866399fe35650.exe	29
PID 2456 wrote to memory of 2800	2456	35016c4bc187c4a4a06866399fe35650.exe	29
PID 2800 wrote to memory of 2820	2800	rnkfvrf.exe	30
PID 2800 wrote to memory of 2820	2800	rnkfvrf.exe	30
PID 2800 wrote to memory of 2820	2800	rnkfvrf.exe	30
PID 2800 wrote to memory of 2820	2800	rnkfvrf.exe	30
PID 2800 wrote to memory of 2820	2800	rnkfvrf.exe	30
PID 2800 wrote to memory of 2820	2800	rnkfvrf.exe	30
PID 2820 wrote to memory of 2472	2820	rnkfvrf.exe	32
PID 2820 wrote to memory of 2472	2820	rnkfvrf.exe	32
PID 2820 wrote to memory of 2472	2820	rnkfvrf.exe	32
PID 2820 wrote to memory of 2472	2820	rnkfvrf.exe	32
PID 2472 wrote to memory of 968	2472	wszlzxj.exe	31
PID 2472 wrote to memory of 968	2472	wszlzxj.exe	31
PID 2472 wrote to memory of 968	2472	wszlzxj.exe	31
PID 2472 wrote to memory of 968	2472	wszlzxj.exe	31
PID 2472 wrote to memory of 968	2472	wszlzxj.exe	31
PID 2472 wrote to memory of 968	2472	wszlzxj.exe	31

C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe
"C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe
  "C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe"
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\rnkfvrf.exe
    C:\Windows\system32\rnkfvrf.exe 728 "C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\rnkfvrf.exe
      C:\Windows\system32\rnkfvrf.exe 728 "C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\wszlzxj.exe
        
        C:\Windows\system32\wszlzxj.exe 744 "C:\Windows\SysWOW64\rnkfvrf.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472

C:\Windows\SysWOW64\wszlzxj.exe
C:\Windows\system32\wszlzxj.exe 744 "C:\Windows\SysWOW64\rnkfvrf.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\rnkfvrf.exe

Filesize
92KB

MD5
b300a70019785e4eb4ea104fb9a0716c

SHA1
1461598ad8d1de0bac72691cff4143fc62f62216

SHA256
9925e96afb7cfebfdaee72fdc0c3168a30c6f21983a651f50cd438110ca83dfa

SHA512
baebe64e21b838598607f6f0162d8b7abac46555b60c58395d008ef74befbdf8e8f51a568a511710016ebb02466900a000e9f7886fff0f15d7c48d5769c9eea6

Download Submit
memory/968-90-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/968-91-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/968-93-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/968-95-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/968-96-0x0000000000290000-0x00000000002E6000-memory.dmp

Filesize
344KB

Download
memory/968-94-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/968-92-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/968-77-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/968-83-0x0000000000290000-0x00000000002E6000-memory.dmp

Filesize
344KB

Download
memory/968-74-0x0000000000290000-0x00000000002E6000-memory.dmp

Filesize
344KB

Download
memory/2456-13-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2456-9-0x0000000000300000-0x0000000000356000-memory.dmp

Filesize
344KB

Download
memory/2456-36-0x0000000002E50000-0x0000000002FE1000-memory.dmp

Filesize
1.6MB

Download
memory/2456-2-0x0000000000300000-0x0000000000356000-memory.dmp

Filesize
344KB

Download
memory/2456-16-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2456-17-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2456-47-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2456-1-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2456-41-0x0000000000300000-0x0000000000356000-memory.dmp

Filesize
344KB

Download
memory/2456-6-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2456-30-0x0000000002E50000-0x0000000002FE1000-memory.dmp

Filesize
1.6MB

Download
memory/2456-15-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2456-14-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2456-18-0x0000000000300000-0x0000000000356000-memory.dmp

Filesize
344KB

Download
memory/2456-12-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2472-86-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2472-72-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2548-0-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2548-46-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2548-4-0x0000000001DD0000-0x0000000001F61000-memory.dmp

Filesize
1.6MB

Download
memory/2800-85-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2800-35-0x00000000023F0000-0x0000000002581000-memory.dmp

Filesize
1.6MB

Download
memory/2800-34-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2820-73-0x0000000002EE0000-0x0000000003071000-memory.dmp

Filesize
1.6MB

Download
memory/2820-58-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download
memory/2820-57-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2820-55-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2820-54-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2820-52-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2820-84-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2820-68-0x0000000002EE0000-0x0000000003071000-memory.dmp

Filesize
1.6MB

Download
memory/2820-56-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2820-53-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2820-37-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download
memory/2820-48-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download
memory/2820-38-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2820-82-0x0000000000220000-0x0000000000276000-memory.dmp

Filesize
344KB

Download