Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-03-2024 23:47

General

  • Target

    bf46c0f10ddd3a16518cdd366c48830b.exe

  • Size

    344KB

  • MD5

    bf46c0f10ddd3a16518cdd366c48830b

  • SHA1

    1e5a63266a0fcfdcad8517e439f109977fbba0bc

  • SHA256

    30d17c665801b2bc713301552d45bad970be0e0ca90f09769a6ad385128ff12d

  • SHA512

    f35487040480142cbdb6be99b099471655d5f629c908607aaa988aecb99803b4a4119f5c4ab1c9754379cd372e355a91e202022590e9b677ceec3b9f7341e6a7

  • SSDEEP

    6144:9Hxi2fmOCRXHK4Ms/sjZfHyVZbGMGRC6xs/uZJkBYkRdTZCYGkoS:bJskj5SVoLRCBuEWkRdTEYGkoS

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 12 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf46c0f10ddd3a16518cdd366c48830b.exe
    "C:\Users\Admin\AppData\Local\Temp\bf46c0f10ddd3a16518cdd366c48830b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKhJZ.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "mrecss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\\small.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3100
    • C:\Users\Admin\AppData\Roaming\%NON%\small.exe
      "C:\Users\Admin\AppData\Roaming\%NON%\small.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Users\Admin\AppData\Roaming\%NON%\small.exe
        False
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3964
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4336
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:5104
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\%NON%\small.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\%NON%\small.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3232
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\%NON%\small.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\%NON%\small.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2712
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3684
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1832
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SmallerDARK.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SmallerDARK.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3632
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SmallerDARK.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SmallerDARK.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:4040
      • C:\Users\Admin\AppData\Roaming\%NON%\small.exe
        False
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4596
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:5080

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\xKhJZ.bat

      Filesize

      137B

      MD5

      b60a6d7bd543c2827d9ed1979606fcd6

      SHA1

      de48b503245a05dff5f67e3035e2f512dea8aaf1

      SHA256

      82ab509a50b5e03deee267ec940ea65c3588d54baf2986d08a90cd1a5f98dd71

      SHA512

      c8d654632362862f1a8484c4e7fbc779c73f2f9cd554ee890326865c81eea89142df743a573c00ed08e8a37190871d1c1f33d31e8721f10a036246e2e0113cd0

    • C:\Users\Admin\AppData\Roaming\%NON%\small.exe

      Filesize

      304KB

      MD5

      6edf0dad38ee583547a21f9829fb755d

      SHA1

      76e940f3b4019f9ae64311eb62b6a4c73ecb6d74

      SHA256

      e70c517fcc569b831ba1e904ef7f80392ab22db42185425fc0d8913d6e604b2c

      SHA512

      03d338a260d0752bf8d275715036e14b2caf43d06f710a7ad75081b1a858faf531ec427811997339e4b551c523dab870da04ea7277d195bba4135d2ffc81012e

    • C:\Users\Admin\AppData\Roaming\%NON%\small.exe

      Filesize

      344KB

      MD5

      bf46c0f10ddd3a16518cdd366c48830b

      SHA1

      1e5a63266a0fcfdcad8517e439f109977fbba0bc

      SHA256

      30d17c665801b2bc713301552d45bad970be0e0ca90f09769a6ad385128ff12d

      SHA512

      f35487040480142cbdb6be99b099471655d5f629c908607aaa988aecb99803b4a4119f5c4ab1c9754379cd372e355a91e202022590e9b677ceec3b9f7341e6a7

    • C:\Users\Admin\AppData\Roaming\%NON%\small.exe

      Filesize

      263KB

      MD5

      3b06b5f5cdfe306e70184c6dde901c1a

      SHA1

      c09a1d0a99c30560a8c58b7edad1b3913bb28dbb

      SHA256

      f997c4f8af89372dc15f7eaeddead1d66805f82d263b099f0aea08bb66c90454

      SHA512

      d2051d44a42a969794a39481f8dbbfac4b4ae8625ef9c0245edb58f5104d0890ac14fbdb48a633ca62e5c83388b76219a023ec43aaebdd86c14e774b54d601f3

    • memory/3316-0-0x0000000000400000-0x0000000000777000-memory.dmp (Filesize 3.5MB)
    • memory/3316-4-0x0000000000400000-0x0000000000777000-memory.dmp (Filesize 3.5MB)
    • memory/3316-25-0x0000000000400000-0x0000000000777000-memory.dmp (Filesize 3.5MB)
    • memory/3964-33-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
    • memory/3964-49-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
    • memory/3964-30-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
    • memory/3964-60-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
    • memory/3964-58-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
    • memory/3964-55-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
    • memory/3964-51-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
    • memory/3964-44-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
    • memory/3964-21-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
    • memory/3964-46-0x0000000000400000-0x0000000000473000-memory.dmp (Filesize 460KB)
    • memory/4020-36-0x0000000000400000-0x0000000000777000-memory.dmp (Filesize 3.5MB)
    • memory/4596-45-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
    • memory/4596-32-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
    • memory/4596-35-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
    • memory/4596-23-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)