18b6f2fa21221a9de5a62dfa194ed7a8f15fcb7eb42beb618ccd8c1e69d090af

General

Target

2532c567fc22c68524d1fa9ba2345164.exe
Size

70KB
MD5

2532c567fc22c68524d1fa9ba2345164
SHA1

7f5b2106c5c1e2a99a05acb6b58f216b37396c7f
SHA256

18b6f2fa21221a9de5a62dfa194ed7a8f15fcb7eb42beb618ccd8c1e69d090af
SHA512

263113fe93c0f77e4ac4795a642c336e36e3b49b7fa10567f78ce3c947d0705f1ca04aa3f4a27f109ad88e09cb7360c97741af135b9e59ed235f04ed9a3b7cac
SSDEEP

1536:R41IOJC/HwmjeFAuHL6B1xVJO6i4HQoe0FB58:i1dqSf0/OYHe

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	2532c567fc22c68524d1fa9ba2345164.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "kdlbv.exe"	2532c567fc22c68524d1fa9ba2345164.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kdlbv.exe	2532c567fc22c68524d1fa9ba2345164.exe
File opened for modification	C:\Windows\SysWOW64\kdlbv.exe	2532c567fc22c68524d1fa9ba2345164.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 564 set thread context of 1688	564	2532c567fc22c68524d1fa9ba2345164.exe	49

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo	2532c567fc22c68524d1fa9ba2345164.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International	2532c567fc22c68524d1fa9ba2345164.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
564	2532c567fc22c68524d1fa9ba2345164.exe
564	2532c567fc22c68524d1fa9ba2345164.exe
564	2532c567fc22c68524d1fa9ba2345164.exe
564	2532c567fc22c68524d1fa9ba2345164.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeSecurityPrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeTakeOwnershipPrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeLoadDriverPrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeSystemProfilePrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeSystemtimePrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeProfSingleProcessPrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeIncBasePriorityPrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeCreatePagefilePrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeBackupPrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeRestorePrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeShutdownPrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeDebugPrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeSystemEnvironmentPrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeChangeNotifyPrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeRemoteShutdownPrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeUndockPrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeManageVolumePrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeImpersonatePrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: SeCreateGlobalPrivilege	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: 33	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: 34	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: 35	564	2532c567fc22c68524d1fa9ba2345164.exe
Token: 36	564	2532c567fc22c68524d1fa9ba2345164.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 4176	564	2532c567fc22c68524d1fa9ba2345164.exe	50
PID 564 wrote to memory of 4176	564	2532c567fc22c68524d1fa9ba2345164.exe	50
PID 564 wrote to memory of 1688	564	2532c567fc22c68524d1fa9ba2345164.exe	49
PID 564 wrote to memory of 1688	564	2532c567fc22c68524d1fa9ba2345164.exe	49

C:\Users\Admin\AppData\Local\Temp\2532c567fc22c68524d1fa9ba2345164.exe
"C:\Users\Admin\AppData\Local\Temp\2532c567fc22c68524d1fa9ba2345164.exe"
1⤵
- Checks computer location settings
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564
- C:\Windows\bfsvc.exe
  C:\Windows\bfsvc.exe
  2⤵
  PID:1688
- C:\Windows\bfsvc.exe
  C:\Windows\bfsvc.exe
  2⤵
  PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/564-1-0x000000006B800000-0x000000006B8F0000-memory.dmp

Filesize
960KB

Download
memory/564-17-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads