Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-02-2024 11:38

General

  • Target

    LaunchBFH.exe

  • Size

    927KB

  • MD5

    d3c1c1a07fc43292e7e29e57c752d4c5

  • SHA1

    378c2bf9ece8f5db60f56fda569d24c413d64b55

  • SHA256

    80441fcf20760b653d36c4bc78c58c9e05b190e811767c7ed523a904e53b0684

  • SHA512

    d16e8e1da988314de0a130d67fe9f8eacd4c49084ed8e122ad11b2a8e0401fc1e1d1bd48f1cacd9742a447719390d93b5c1d32ef366502553a162740f3978adb

  • SSDEEP

    12288:SdPEXbCuPYDfFyTxAgY1jggLXKHeH82f3Mp6ot7amxgtxBR3Z2txznbQb0YNDSry:SlEXbCjFjgYlyFW3Mam6txBe91fPQ+Te

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe
    "C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2576
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        3⤵
        PID:2596
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2404
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa.exe opssvc.exe"
        3⤵
        PID:2704
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 31021
        3⤵
        PID:1980
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 31021\Apply.pif
        3⤵
        PID:2420
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b Ink 31021\o
        3⤵
        PID:2568
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31021\Apply.pif
        31021\Apply.pif 31021\o
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2452
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 524
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2296
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 5 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2408
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1876
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www..com/
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1540
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1864

              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                344B

                MD5

                55ce7011a7b4e88b3b40463e3bfc2c3d

                SHA1

                0792e2833afbc558add007c4fdbf26795e361ef8

                SHA256

                4b08bbf2e979272e6a9a3454c5cafdcc628d37cd8879cdfed1ba20a4c87f8d61

                SHA512

                ff53adb357c6d25b6b011b9ffb60da9a1a9defd19e0eebfb62ab99c69968f9b44e897b9f87d65e210f957cde136a81feff4dfbc84b12c3edc1085ff964c86afb

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                344B

                MD5

                76cec4e8e1814a6f79c90f743060ed12

                SHA1

                858406d4183a907a6055240836d4c07c3cb1b194

                SHA256

                bd43244f445327e5aa67eeb3190f4dd77ac8dd332a16b473182e1865ed8959d8

                SHA512

                2ca1bbb665e8f1e403b65a474d95f99a6f146b6ca3778f56b250d1d57c3681ec688b9afd322d33a4f47666bf8c37d617787f5702098ecb1f8e54c93871074d61

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                344B

                MD5

                b91070cec78074383d5c92d0e691b16f

                SHA1

                de6076e4e25e5c1e2b2000968e5f195dcf9cb462

                SHA256

                02115bea5cd733cf232df0733225625f1fda7b5056ea94697f8c16b740216be5

                SHA512

                4756ab28da35d925bc2f6b84c4aadcfd979bbc9f6d18778f661a3449ac191bc67cd48999c3c9fd5ad70d8306a50ccba862a6a61c79225c45851781e18fc1d893

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                344B

                MD5

                de953c7c3441aed99f52f7c61780aff7

                SHA1

                0649c4f5bb85b56ddc19c988e67c27e46f93feaa

                SHA256

                e2e6ef42b5d629942591f38504abab1c5f69f7c16c9bfb87a2561f7a8eeef810

                SHA512

                84aba2fc8ebed8987a62913e363446e931f5aac8e95aaeb10a74ee9d20f13479a194c1fb3f4019d9f7b8bf47be2cac2fe23e6988589015955248e5fdbbc65b90

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                344B

                MD5

                42fe904015f0c6d61db6f8430d7e6a2b

                SHA1

                88799cb02055fd8d2d54e09f4505c32019d183f0

                SHA256

                69ff9b338accc1de8d5842c49fe44b2000be07322609afeb61babe443b1d08db

                SHA512

                2d10888c0ea5f9ac27e07928b9c98cd8540d8067cae6b2f6a67052bcb79bea91c4c3e7d4c5c8822475d1ef31ae5f46cd2abe8c39207df64ba10b81c6d852256b

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                344B

                MD5

                89956660de1ac50cc2a0c35daa66d056

                SHA1

                f75237791fcfb252fe9aff360621fe63032bf4fd

                SHA256

                1c51130aa51cfbb96c938842a0a1b0233be55df84dbce75ef6a6b48e4155c6b3

                SHA512

                dbc1d13b120cb6b9c1e7cbd4720becd1562f0e5ffd510d83200af8fc46f261ad7f474143014f9a6594c1bab9baf2a84e2236ef3cfbe89c1c0bf042c763f5a6e1

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                344B

                MD5

                8ca285cb9c522625afb609856f58308d

                SHA1

                426b9edf0f16be55c1530a470b9fa5ddf787690b

                SHA256

                1b0c732e83d0745a75e68b3c7ce3dcff6d2d1bc0838c866fc998beae691b3510

                SHA512

                85902ec4ba077f3c5e341d7b6bf3fd84d5418cb0497a2edc2af850ad55b13a14d145182e81e0f85fbf700f8743c8194bbfaabf2ab14165c8762d75484e1243e3

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                344B

                MD5

                c9576bae33a92ad019c74aff2e910bcb

                SHA1

                cfe5f1990adc2de105a13a26f1cfc08b996c6867

                SHA256

                afa9e9f14951ad446088165e95b8d2e7aa9ac7b86bbfd07f9496aaea2e54ac19

                SHA512

                0a81d1d5c0af4aeefc05fdf5f3dddfc47e3b8157addbe04858de3f89ad893673982e627629379c780902ed8b8c59bed31680f11ef677547d9b2382de0fa1f50d

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                344B

                MD5

                811fa369e0039322cdd65baee052a03c

                SHA1

                aca09a3b7b57d95d080b6e293cabef019af88030

                SHA256

                bbf0ca5f85bbcc33d73d4973543820c727f63c62d48a2016c3a5d75b20225d29

                SHA512

                c544a30068f84af29b2d48e7b8de417a155fe56f0a863b9a7c19b4bf910d71069499fc93e097220dba516668e423b47f96c0c25a7ff3ff109d8fd72d37c9e3e2

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Affordable

                Filesize

                142KB

                MD5

                e66c8890c2eb6adba5948d082bd215a6

                SHA1

                93a813794b38b728c8a6248c64221a419b026ce4

                SHA256

                99e62c44a3dbf370201324564c94be16ffb81b29c543ec5fd6f14e1a3be75e1a

                SHA512

                9b7546cee1ba82ff4db0a3598098be91bbd114e4a80116b15ac9ea106fa881b201eee6dda4ee91b2d917ecaab5bc2327dcd34047c60f122f6e0fdacb79e49d17

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cookbook

                Filesize

                213KB

                MD5

                e9db611974409fb7c1770fe95bfd5402

                SHA1

                ad077d6f8ad48bd4a8edbca88711cc4b7c71c1b5

                SHA256

                fc141ffe6bf256b8794c769feed25fa8bfeff01a60cdd2699e2d84e94585553c

                SHA512

                623694fdcc7acd66ed8170a158d2209706311566e04629c5a03b133902f729a554c3aaa6c85ef1163edaa3dfafd72d85b49f6edfa73e5419e57fac1d2f489799

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Increasingly

                Filesize

                289KB

                MD5

                863ce19b37f186c47a26882e399b9a81

                SHA1

                3843eded5fdd895e41694174d79789854bccada5

                SHA256

                0dbcc3e2ccfd18644f4ec3a24058cf6109e520b0c2213d8a083b5200696d20c6

                SHA512

                ca5323396012958b0269f4f0c1af62c0b26f593d061d81755060873dc270aa8680d4f61b00a445fc123d406d6f0e06fc1f7d45bc54c1efdc757b7e3531199f33

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ink

                Filesize

                701KB

                MD5

                baa1587c7effd1d982a3cfe987d0f4a2

                SHA1

                edf879652a193ac9f685a44fc8ff39da7571f803

                SHA256

                e4160779100599c8404fd1153f0af398df82c8a78ce0ae98e53fdcefdfcad60f

                SHA512

                68d8fdd4877ac7d97a238ad9fe2f91160bf71ea54cbb62bebe56dbfb00dcfe88d6291b9188ff6500caff28bd3b4518f4697e30227279f6059324e6756a995ea4

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Inventory

                Filesize

                12KB

                MD5

                b649c8b485f6b192061ad04a185f03dc

                SHA1

                6fb0cc214d6d55d400793c3d085d9ea98c7fbb87

                SHA256

                fee25a6fcbd1d1bfbeca85e9a97e882d1b4a0bc5a521838f8b6ee1fe6c7370e9

                SHA512

                e12fdc7e64f6b2ad9ef45b01ec7ab87bb1dba4c29e727517b9690018b2ec699bdd2173cf9eac8a0f3441c32ba8a952ab8de2b0bf63c6c47c94f56ba92bf2cbe3

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Rounds

                Filesize

                280KB

                MD5

                12073c3269a07bf6bc9cd8b66462fc0f

                SHA1

                f3a762ef9933b82aeae112b09a231f140ed2363f

                SHA256

                12221e02174a5148dd215e1b1dcc81e47704be82e8dbc4e93eb9a664e582cbda

                SHA512

                e0c586ebb4b18a45345e293189ff52e83d974f52a76c0cd614ac28c6d50288e84f78fc28adeeb0d10adf3bae0a21789e59698e86a96012c2901a32406aceb206

              • C:\Users\Admin\AppData\Local\Temp\Cab45AB.tmp

                Filesize

                65KB

                MD5

                ac05d27423a85adc1622c714f2cb6184

                SHA1

                b0fe2b1abddb97837ea0195be70ab2ff14d43198

                SHA256

                c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                SHA512

                6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

              • C:\Users\Admin\AppData\Local\Temp\Tar4678.tmp

                Filesize

                171KB

                MD5

                9c0c641c06238516f27941aa1166d427

                SHA1

                64cd549fb8cf014fcd9312aa7a5b023847b6c977

                SHA256

                4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

                SHA512

                936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

              • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\31021\Apply.pif

                Filesize

                924KB

                MD5

                848164d084384c49937f99d5b894253e

                SHA1

                3055ef803eeec4f175ebf120f94125717ee12444

                SHA256

                f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

                SHA512

                aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

              • memory/2452-41-0x00000000039C0000-0x0000000003A09000-memory.dmp

                Filesize

                292KB

              • memory/2452-39-0x00000000039C0000-0x0000000003A09000-memory.dmp

                Filesize

                292KB

              • memory/2452-40-0x00000000039C0000-0x0000000003A09000-memory.dmp

                Filesize

                292KB

              • memory/2452-38-0x00000000039C0000-0x0000000003A09000-memory.dmp

                Filesize

                292KB

              • memory/2452-37-0x00000000039C0000-0x0000000003A09000-memory.dmp

                Filesize

                292KB

              • memory/2452-36-0x00000000039C0000-0x0000000003A09000-memory.dmp

                Filesize

                292KB

              • memory/2452-25-0x00000000777A0000-0x0000000077876000-memory.dmp

                Filesize

                856KB