Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 07-03-2024 10:02

Behavioral task: behavioral1
Sample: b87612276dc2138689b9a206136a6467.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: b87612276dc2138689b9a206136a6467.exe
Resource: win10v2004-20240226-en
General
Target: b87612276dc2138689b9a206136a6467.exe
Size: 238KB
MD5: b87612276dc2138689b9a206136a6467
SHA1: b34ad762a48a782b8247568b587c994ad52fc8cf
SHA256: 10817d8b50847998398ccc6fec54bf0ae5d19bd44223ca8fcce9d3eb51ab115c
SHA512: 4390925f8e2c0dd4def428cabdc7d2ce7b889c92ad40960104dd2e1006078874ee74dd15e0c327597424edc5b664d08ee12f1a683860c00ca918d82a40e8a1ec
SSDEEP: 6144:itUuNVrbzeXDvPTcQsn+AGMViH5urJglfWAem:buNV7mv4nGMViwrJg4A3
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SSCVIHOST.exe" | b87612276dc2138689b9a206136a6467.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | b87612276dc2138689b9a206136a6467.exe
Disables Task Manager via registry modification
-
resource | yara_rule
behavioral2/memory/5080-0-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/files/0x000800000002321f-5.dat | upx
behavioral2/memory/5080-34-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/memory/5080-35-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/memory/5080-36-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/memory/5080-37-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/memory/5080-38-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/memory/5080-39-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/memory/5080-40-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/memory/5080-41-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/memory/5080-42-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/memory/5080-43-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/memory/5080-44-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/memory/5080-45-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/memory/5080-46-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/memory/5080-47-0x0000000000400000-0x0000000000496000-memory.dmp | upx
behavioral2/memory/5080-48-0x0000000000400000-0x0000000000496000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\SSCVIHOST.exe" | b87612276dc2138689b9a206136a6467.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\m: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\t: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\a: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\e: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\h: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\x: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\y: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\z: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\j: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\n: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\o: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\u: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\v: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\w: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\i: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\k: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\q: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\p: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\r: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\s: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\b: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\g: | b87612276dc2138689b9a206136a6467.exe
File opened (read-only) | \??\l: | b87612276dc2138689b9a206136a6467.exe
Drops file in System32 directory (7 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\SSCVIHOST.exe | b87612276dc2138689b9a206136a6467.exe
File opened for modification | C:\Windows\SysWOW64\SSCVIHOST.exe | b87612276dc2138689b9a206136a6467.exe
File created | C:\Windows\SysWOW64\blastclnnn.exe | b87612276dc2138689b9a206136a6467.exe
File opened for modification | C:\Windows\SysWOW64\blastclnnn.exe | b87612276dc2138689b9a206136a6467.exe
File opened for modification | C:\Windows\SysWOW64\autorun.ini | b87612276dc2138689b9a206136a6467.exe
File created | C:\Windows\SysWOW64\setting.ini | b87612276dc2138689b9a206136a6467.exe
File opened for modification | C:\Windows\SysWOW64\setting.ini | b87612276dc2138689b9a206136a6467.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SSCVIHOST.exe | b87612276dc2138689b9a206136a6467.exe
File created | C:\Windows\SSCVIHOST.exe | b87612276dc2138689b9a206136a6467.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
5080 | b87612276dc2138689b9a206136a6467.exe (all 64 entries are identical to this row)
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 5080 wrote to memory of 4800 | 5080 | b87612276dc2138689b9a206136a6467.exe | 88
PID 5080 wrote to memory of 4800 | 5080 | b87612276dc2138689b9a206136a6467.exe | 88
PID 5080 wrote to memory of 4800 | 5080 | b87612276dc2138689b9a206136a6467.exe | 88
PID 4800 wrote to memory of 644 | 4800 | cmd.exe | 90
PID 4800 wrote to memory of 644 | 4800 | cmd.exe | 90
PID 4800 wrote to memory of 644 | 4800 | cmd.exe | 90
PID 5080 wrote to memory of 1708 | 5080 | b87612276dc2138689b9a206136a6467.exe | 91
PID 5080 wrote to memory of 1708 | 5080 | b87612276dc2138689b9a206136a6467.exe | 91
PID 5080 wrote to memory of 1708 | 5080 | b87612276dc2138689b9a206136a6467.exe | 91
PID 1708 wrote to memory of 5072 | 1708 | cmd.exe | 93
PID 1708 wrote to memory of 5072 | 1708 | cmd.exe | 93
PID 1708 wrote to memory of 5072 | 1708 | cmd.exe | 93
Processes
C:\Users\Admin\AppData\Local\Temp\b87612276dc2138689b9a206136a6467.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b87612276dc2138689b9a206136a6467.exe"
  PID: 5080
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
    PID: 4800
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\at.exe
      command line: AT /delete /yes
      PID: 644
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\blastclnnn.exe
    PID: 1708
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\at.exe
      command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\blastclnnn.exe
      PID: 5072
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 106B
MD5: f25d2a4eedac8441f694574da0a2bc87
SHA1: 1ecab6f201cba5e47c6dd8eae2efed501f0f88b2
SHA256: fad83f9e14e7ee2fa56115e355524eda46031885385d511c4779885d56c13bf6
SHA512: 93ea6404e521d766b850d1fe9a61b488e45096235290ab8e501d5d326ecfcd90ad52c051b60bc29a6849b4e62f2059f4e21f682ab468d5c22f6a73de7674bfa9

Filesize: 238KB
MD5: b87612276dc2138689b9a206136a6467
SHA1: b34ad762a48a782b8247568b587c994ad52fc8cf
SHA256: 10817d8b50847998398ccc6fec54bf0ae5d19bd44223ca8fcce9d3eb51ab115c
SHA512: 4390925f8e2c0dd4def428cabdc7d2ce7b889c92ad40960104dd2e1006078874ee74dd15e0c327597424edc5b664d08ee12f1a683860c00ca918d82a40e8a1ec

Filesize: 12KB
MD5: 2de88eba96002e16f0cfa890700f8c3e
SHA1: bf7e61d1346a82c0e4b9ec086247c540d86c0770
SHA256: b62e0c42cd5b7fe83c803d2d30548a14045d5bc7ed7dfc19e8a721e36ae5d580
SHA512: 8af4b351a05adaeb24f101673b01e1fa9da7f2ff54ce6d8c00ef14b14d1a9233fc0d6d8c60d0ca1da95ac5bb5e06e041ba9b84ae07b04208d7350af0348c55ae