Analysis
- max time kernel: 1562s
- max time network: 1566s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 25-02-2024 11:41
Static task: static1
Behavioral task: behavioral1
Sample: LaunchBFH.exe
Resource: win7-20240221-en
General
- Target: LaunchBFH.exe
- Size: 927KB
- MD5: d3c1c1a07fc43292e7e29e57c752d4c5
- SHA1: 378c2bf9ece8f5db60f56fda569d24c413d64b55
- SHA256: 80441fcf20760b653d36c4bc78c58c9e05b190e811767c7ed523a904e53b0684
- SHA512: d16e8e1da988314de0a130d67fe9f8eacd4c49084ed8e122ad11b2a8e0401fc1e1d1bd48f1cacd9742a447719390d93b5c1d32ef366502553a162740f3978adb
- SSDEEP: 12288:SdPEXbCuPYDfFyTxAgY1jggLXKHeH82f3Mp6ot7amxgtxBR3Z2txznbQb0YNDSry:SlEXbCjFjgYlyFW3Mam6txBe91fPQ+Te
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2512  Apply.pif

- Loads dropped DLL (5 IoCs)
  Processes:
    PID 2596  cmd.exe
    PID 1944  WerFault.exe
    PID 1944  WerFault.exe
    PID 1944  WerFault.exe
    PID 1944  WerFault.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
  Processes:
    PID 1944  WerFault.exe  (target: PID 2512  Apply.pif)

- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes:
    PID 2016  tasklist.exe
    PID 2568  tasklist.exe

- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    PID 2512  Apply.pif
    PID 2512  Apply.pif
    PID 2512  Apply.pif

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    PID 2016  tasklist.exe  Token: SeDebugPrivilege
    PID 2568  tasklist.exe  Token: SeDebugPrivilege

- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    PID 2512  Apply.pif
    PID 2512  Apply.pif
    PID 2512  Apply.pif

- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
    PID 2512  Apply.pif
    PID 2512  Apply.pif
    PID 2512  Apply.pif
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID -> target PID, source process -> target process, number of events):
    PID 2492 wrote to memory of 2596  LaunchBFH.exe -> cmd.exe       (7 events)
    PID 2596 wrote to memory of 2016  cmd.exe -> tasklist.exe        (7 events)
    PID 2596 wrote to memory of 3008  cmd.exe -> findstr.exe         (7 events)
    PID 2596 wrote to memory of 2568  cmd.exe -> tasklist.exe        (7 events)
    PID 2596 wrote to memory of 2560  cmd.exe -> findstr.exe         (7 events)
    PID 2596 wrote to memory of 2604  cmd.exe -> cmd.exe             (7 events)
    PID 2596 wrote to memory of 2572  cmd.exe -> cmd.exe             (7 events)
    PID 2596 wrote to memory of 2804  cmd.exe -> cmd.exe             (7 events)
    PID 2596 wrote to memory of 2512  cmd.exe -> Apply.pif           (7 events)
    PID 2596 wrote to memory of 2584  cmd.exe -> PING.EXE            (1 event)
Processes
- C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\LaunchBFH.exe"
  PID: 2492
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit
    PID: 2596
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 2016
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      PID: 3008
    - C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 2568
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /I "wrsa.exe opssvc.exe"
      PID: 2560
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c md 31680
      PID: 2604
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 31680\Apply.pif
      PID: 2572
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c copy /b Ink 31680\o
      PID: 2804
    - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31680\Apply.pif
      Command line: 31680\Apply.pif 31680\o
      PID: 2512
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 524
        PID: 1944
        - Loads dropped DLL
        - Program crash
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 5 127.0.0.1
      PID: 2584
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 142KB
  MD5: e66c8890c2eb6adba5948d082bd215a6
  SHA1: 93a813794b38b728c8a6248c64221a419b026ce4
  SHA256: 99e62c44a3dbf370201324564c94be16ffb81b29c543ec5fd6f14e1a3be75e1a
  SHA512: 9b7546cee1ba82ff4db0a3598098be91bbd114e4a80116b15ac9ea106fa881b201eee6dda4ee91b2d917ecaab5bc2327dcd34047c60f122f6e0fdacb79e49d17

- Filesize: 213KB
  MD5: e9db611974409fb7c1770fe95bfd5402
  SHA1: ad077d6f8ad48bd4a8edbca88711cc4b7c71c1b5
  SHA256: fc141ffe6bf256b8794c769feed25fa8bfeff01a60cdd2699e2d84e94585553c
  SHA512: 623694fdcc7acd66ed8170a158d2209706311566e04629c5a03b133902f729a554c3aaa6c85ef1163edaa3dfafd72d85b49f6edfa73e5419e57fac1d2f489799

- Filesize: 289KB
  MD5: 863ce19b37f186c47a26882e399b9a81
  SHA1: 3843eded5fdd895e41694174d79789854bccada5
  SHA256: 0dbcc3e2ccfd18644f4ec3a24058cf6109e520b0c2213d8a083b5200696d20c6
  SHA512: ca5323396012958b0269f4f0c1af62c0b26f593d061d81755060873dc270aa8680d4f61b00a445fc123d406d6f0e06fc1f7d45bc54c1efdc757b7e3531199f33

- Filesize: 701KB
  MD5: baa1587c7effd1d982a3cfe987d0f4a2
  SHA1: edf879652a193ac9f685a44fc8ff39da7571f803
  SHA256: e4160779100599c8404fd1153f0af398df82c8a78ce0ae98e53fdcefdfcad60f
  SHA512: 68d8fdd4877ac7d97a238ad9fe2f91160bf71ea54cbb62bebe56dbfb00dcfe88d6291b9188ff6500caff28bd3b4518f4697e30227279f6059324e6756a995ea4

- Filesize: 12KB
  MD5: b649c8b485f6b192061ad04a185f03dc
  SHA1: 6fb0cc214d6d55d400793c3d085d9ea98c7fbb87
  SHA256: fee25a6fcbd1d1bfbeca85e9a97e882d1b4a0bc5a521838f8b6ee1fe6c7370e9
  SHA512: e12fdc7e64f6b2ad9ef45b01ec7ab87bb1dba4c29e727517b9690018b2ec699bdd2173cf9eac8a0f3441c32ba8a952ab8de2b0bf63c6c47c94f56ba92bf2cbe3

- Filesize: 280KB
  MD5: 12073c3269a07bf6bc9cd8b66462fc0f
  SHA1: f3a762ef9933b82aeae112b09a231f140ed2363f
  SHA256: 12221e02174a5148dd215e1b1dcc81e47704be82e8dbc4e93eb9a664e582cbda
  SHA512: e0c586ebb4b18a45345e293189ff52e83d974f52a76c0cd614ac28c6d50288e84f78fc28adeeb0d10adf3bae0a21789e59698e86a96012c2901a32406aceb206

- Filesize: 924KB
  MD5: 848164d084384c49937f99d5b894253e
  SHA1: 3055ef803eeec4f175ebf120f94125717ee12444
  SHA256: f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
  SHA512: aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a