4b4a61da0d7985cdea867f2e6d9a79b3c6b6cbfc38949a84fbdf7814326764c4

General

Target

40afae529227a63296ddf9d4bbcd43c7.exe
Size

4.3MB
MD5

40afae529227a63296ddf9d4bbcd43c7
SHA1

23d6c1a8daca032c15f33a2359e46ebd68ed5ff7
SHA256

4b4a61da0d7985cdea867f2e6d9a79b3c6b6cbfc38949a84fbdf7814326764c4
SHA512

b6346023b4f4bc94da8f607c52e8009009c6ad4a683b5b5cea6cae19e7cf2be086dc748a886b175832749a7eb5dd9d529fc452323a7230004c4fad0010e07b4f
SSDEEP

98304:MytIEQaoqS5APK7r9Jwv45iv96v1eyZ4FpO+R0N:MytIE6q2Ay7r9JwoA6v3GpOTN

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3384	40afae529227a63296ddf9d4bbcd43c7.exe
3384	40afae529227a63296ddf9d4bbcd43c7.exe
3384	40afae529227a63296ddf9d4bbcd43c7.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	40afae529227a63296ddf9d4bbcd43c7.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	40afae529227a63296ddf9d4bbcd43c7.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	40afae529227a63296ddf9d4bbcd43c7.exe
File created	C:\Windows\assembly\Desktop.ini	40afae529227a63296ddf9d4bbcd43c7.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	40afae529227a63296ddf9d4bbcd43c7.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BouReyhan\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\BouReyhan\\Icon\\Document.ico"	40afae529227a63296ddf9d4bbcd43c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.brn\ = "BouReyhan"	40afae529227a63296ddf9d4bbcd43c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.brn\Content Type = "application/brn"	40afae529227a63296ddf9d4bbcd43c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BouReyhan\shell	40afae529227a63296ddf9d4bbcd43c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BouReyhan\shell\open	40afae529227a63296ddf9d4bbcd43c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BouReyhan\shell\open\command	40afae529227a63296ddf9d4bbcd43c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BouReyhan\DefaultIcon	40afae529227a63296ddf9d4bbcd43c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.brn	40afae529227a63296ddf9d4bbcd43c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BouReyhan	40afae529227a63296ddf9d4bbcd43c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BouReyhan\ = "BouReyhan Document"	40afae529227a63296ddf9d4bbcd43c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BouReyhan\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\40afae529227a63296ddf9d4bbcd43c7.exe \"%1\""	40afae529227a63296ddf9d4bbcd43c7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3384	40afae529227a63296ddf9d4bbcd43c7.exe
3384	40afae529227a63296ddf9d4bbcd43c7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3384	40afae529227a63296ddf9d4bbcd43c7.exe

C:\Users\Admin\AppData\Local\Temp\40afae529227a63296ddf9d4bbcd43c7.exe
"C:\Users\Admin\AppData\Local\Temp\40afae529227a63296ddf9d4bbcd43c7.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:3332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BouReyhan\Dll\System.Data.SQLite.dll

Filesize
883KB

MD5
80725a732aba27911402f9ca09fede23

SHA1
1051744f654a6d20590970f9335e1ef246f0fa67

SHA256
49261be7f20c9d9dfd1ff35d71e9f3b1b7de17f65581c67beed43d933f1eb85c

SHA512
b24c5e5e55751b46af7fefec92552e04ddb6051e81174c1cae2d80ed1eb8b2c355c7a1eea93074abaeadfddf30e17a7425f14716cd4f2dfc50048b7fbfba6b49

Download Submit
C:\Users\Admin\AppData\Roaming\BouReyhan\Dll\System.Data.SQLite.dll

Filesize
563KB

MD5
6e9024c2c0181144433811cb734a163a

SHA1
e472c3cb6d51d97b677c97ee379f549b477542ef

SHA256
73b45859af4c322e2bce7da2a8a596263ad494506711435b1ad87f979f0635b7

SHA512
8bbcc57e9607474553c7f9ed6336c8fe6f1089fb8bc434b1355706978bc31f50b062bafbc972df419565a319de5b30de495dbe53cbc4b79a3c8c995a61222b5f

Download Submit
C:\Users\Admin\AppData\Roaming\BouReyhan\Dll\System.Data.SQLite.dll

Filesize
597KB

MD5
e236ca73ffbaef26472b7f15da6f9741

SHA1
4616bf4aa6e5726f7d59200a8f3a06d48f2d1650

SHA256
3f53f6349e11f83fc993bc764df5cfa54a08f6bdc4ae2ae8557fa6eaf442a90d

SHA512
0bbb10b4669bf190928236095b516557f96e3af2aabcc9b5f3910fd41e52839c124ffd147da98f3585e82ea45fbc56bcf8de237fc2ad4c50c3ef42a5a79e7eb8

Download Submit
C:\Users\Admin\AppData\Roaming\BouReyhan\Dll\System.Data.SQLite.dll

Filesize
736KB

MD5
c2be7ec02cbdf3d954ca843735ea11ab

SHA1
a5f5195655c8e002ebd2754bf75b32572010d6d4

SHA256
c84c9b0f3f83c515baab238bcfb7ead0302a42e3c18213f5c64f2cc5fbc025dc

SHA512
b0053bd65ce1a9ac504d009524fb9f771fb7a256b5689dbea03e38af9e72f3eaf40ca78e11a34171ecc9678cbfb4ba553d1a000067912bd0631edb5a80c745ce

Download Submit
memory/3332-6-0x00007FF989AB0000-0x00007FF98A451000-memory.dmp

Filesize
9.6MB

Download
memory/3332-5-0x000000001A020000-0x000000001A040000-memory.dmp

Filesize
128KB

Download
memory/3332-14-0x00007FF989AB0000-0x00007FF98A451000-memory.dmp

Filesize
9.6MB

Download
memory/3332-20-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/3332-7-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/3332-9-0x000000001A450000-0x000000001A824000-memory.dmp

Filesize
3.8MB

Download
memory/3332-10-0x00007FF989AB0000-0x00007FF98A451000-memory.dmp

Filesize
9.6MB

Download
memory/3332-11-0x000000001AB60000-0x000000001AC96000-memory.dmp

Filesize
1.2MB

Download
memory/3332-12-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/3384-21-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/3384-49-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/3384-8-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/3384-0-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3384-4-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3384-3-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3384-2-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/3384-1-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3384-46-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/3384-13-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/3384-54-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/3384-99-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/3384-100-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/3384-101-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/3384-102-0x000000000F440000-0x000000000F540000-memory.dmp

Filesize
1024KB

Download
memory/3384-104-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/3384-105-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/3384-106-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/3384-107-0x000000000F440000-0x000000000F540000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing