645377175c395442380c5127c969b233e7e419b34699338b35ac12019e9a4d9e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be838d8a3798aa2c819bc732169c4fda.exe
Size

1.7MB
MD5

be838d8a3798aa2c819bc732169c4fda
SHA1

6947bbafb56885590e82c777b048e57313c1d71d
SHA256

645377175c395442380c5127c969b233e7e419b34699338b35ac12019e9a4d9e
SHA512

bc8091ca319aa4058d37864a757ca108b44ff18da04ddf3dacce6ac3bf943454201aed7047491f4546340fa74456c3a27ce0adf2b60d771606597923d327d41c
SSDEEP

49152:ZdfNsO2VaBicRmu1sJhAb547NSOzAv62Szj4:yWgFiqSOzAv62K4

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3096	attrib.exe
1296	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	be838d8a3798aa2c819bc732169c4fda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	3.exe

Executes dropped EXE 5 IoCs

pid	Process
5832	1.exe
4800	2.exe
216	3.exe
4064	microchip.exe
4448	microchip.exe

Loads dropped DLL 4 IoCs

pid	Process
4064	microchip.exe
4448	microchip.exe
4064	microchip.exe
4448	microchip.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intel = "C:\\WINDOWS\\System32\\cmd.exe"	microchip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel = "C:\\WINDOWS\\System32\\cmd.exe"	microchip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intel = "C:\\WINDOWS\\System32\\cmd.exe"	microchip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel = "C:\\WINDOWS\\System32\\cmd.exe"	microchip.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "MICROCHIP SAY NO TE FREGUE POR COMPLETO LA PC POR BUENA GENTE"	microchip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "MICROCHIP SAY USA UN MEJOR ANTIVIRUS LA SGTE QUE ENTRE AQUI TE QUEMO LA PC!!!"	microchip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "MICROCHIP SAY NO TE FREGUE POR COMPLETO LA PC POR BUENA GENTE"	microchip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "MICROCHIP SAY USA UN MEJOR ANTIVIRUS LA SGTE QUE ENTRE AQUI TE QUEMO LA PC!!!"	microchip.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\3.exe	be838d8a3798aa2c819bc732169c4fda.exe
File opened for modification	C:\Windows\SysWOW64\ntldr\bz2.pyd	3.exe
File created	C:\Windows\SysWOW64\ntldr\microchip.exe	3.exe
File opened for modification	C:\Windows\SysWOW64\ntldr\python25.dll	3.exe
File created	C:\Windows\SysWOW64\ntldr\library.zip	3.exe
File created	C:\Windows\SysWOW64\ntldr\python25.dll	3.exe
File opened for modification	C:\Windows\SysWOW64\ntldr\w9xpopen.exe	3.exe
File opened for modification	C:\Windows\SysWOW64\ntldr\unicodedata.pyd	3.exe
File opened for modification	C:\Windows\SysWOW64\1.exe	be838d8a3798aa2c819bc732169c4fda.exe
File created	C:\Windows\SysWOW64\ntldr\bz2.pyd	3.exe
File created	C:\Windows\SysWOW64\ntldr\MSVCR71.dll	3.exe
File opened for modification	C:\Windows\SysWOW64\ntldr\MSVCR71.dll	3.exe
File created	C:\Windows\SysWOW64\ntldr\ntldr\ntldr	3.exe
File opened for modification	C:\Windows\SysWOW64\ntldr\ntldr\ntldr	3.exe
File opened for modification	C:\Windows\SysWOW64\2.exe	be838d8a3798aa2c819bc732169c4fda.exe
File opened for modification	C:\Windows\SysWOW64\ntldr\library.zip	3.exe
File opened for modification	C:\Windows\SysWOW64\ntldr\microchip.exe	3.exe
File created	C:\Windows\SysWOW64\ntldr\unicodedata.pyd	3.exe
File created	C:\Windows\SysWOW64\ntldr\w9xpopen.exe	3.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microchip\Microchip\Uninstall.exe	3.exe
File opened for modification	C:\Program Files (x86)\Microchip\Microchip\Uninstall.exe	3.exe
File created	C:\Program Files (x86)\Microchip\Microchip\Uninstall.ini	3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5840	5832	WerFault.exe	89

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "INFECTADO POR MICROCHIP"	microchip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "INFECTADO POR MICROCHIP"	microchip.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4116	be838d8a3798aa2c819bc732169c4fda.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 5832	4116	be838d8a3798aa2c819bc732169c4fda.exe	89
PID 4116 wrote to memory of 5832	4116	be838d8a3798aa2c819bc732169c4fda.exe	89
PID 4116 wrote to memory of 5832	4116	be838d8a3798aa2c819bc732169c4fda.exe	89
PID 4116 wrote to memory of 4800	4116	be838d8a3798aa2c819bc732169c4fda.exe	90
PID 4116 wrote to memory of 4800	4116	be838d8a3798aa2c819bc732169c4fda.exe	90
PID 4116 wrote to memory of 4800	4116	be838d8a3798aa2c819bc732169c4fda.exe	90
PID 4116 wrote to memory of 216	4116	be838d8a3798aa2c819bc732169c4fda.exe	92
PID 4116 wrote to memory of 216	4116	be838d8a3798aa2c819bc732169c4fda.exe	92
PID 4116 wrote to memory of 216	4116	be838d8a3798aa2c819bc732169c4fda.exe	92
PID 216 wrote to memory of 4064	216	3.exe	98
PID 216 wrote to memory of 4064	216	3.exe	98
PID 216 wrote to memory of 4064	216	3.exe	98
PID 216 wrote to memory of 4448	216	3.exe	100
PID 216 wrote to memory of 4448	216	3.exe	100
PID 216 wrote to memory of 4448	216	3.exe	100
PID 4064 wrote to memory of 4588	4064	microchip.exe	102
PID 4064 wrote to memory of 4588	4064	microchip.exe	102
PID 4064 wrote to memory of 4588	4064	microchip.exe	102
PID 4448 wrote to memory of 5624	4448	microchip.exe	103
PID 4448 wrote to memory of 5624	4448	microchip.exe	103
PID 4448 wrote to memory of 5624	4448	microchip.exe	103
PID 4448 wrote to memory of 4464	4448	microchip.exe	104
PID 4448 wrote to memory of 4464	4448	microchip.exe	104
PID 4448 wrote to memory of 4464	4448	microchip.exe	104
PID 4064 wrote to memory of 2332	4064	microchip.exe	105
PID 4064 wrote to memory of 2332	4064	microchip.exe	105
PID 4064 wrote to memory of 2332	4064	microchip.exe	105
PID 4064 wrote to memory of 3320	4064	microchip.exe	106
PID 4064 wrote to memory of 3320	4064	microchip.exe	106
PID 4064 wrote to memory of 3320	4064	microchip.exe	106
PID 4448 wrote to memory of 548	4448	microchip.exe	107
PID 4448 wrote to memory of 548	4448	microchip.exe	107
PID 4448 wrote to memory of 548	4448	microchip.exe	107
PID 4064 wrote to memory of 3156	4064	microchip.exe	108
PID 4064 wrote to memory of 3156	4064	microchip.exe	108
PID 4064 wrote to memory of 3156	4064	microchip.exe	108
PID 3156 wrote to memory of 3096	3156	cmd.exe	109
PID 3156 wrote to memory of 3096	3156	cmd.exe	109
PID 3156 wrote to memory of 3096	3156	cmd.exe	109
PID 4448 wrote to memory of 4460	4448	microchip.exe	110
PID 4448 wrote to memory of 4460	4448	microchip.exe	110
PID 4448 wrote to memory of 4460	4448	microchip.exe	110
PID 4460 wrote to memory of 1296	4460	cmd.exe	111
PID 4460 wrote to memory of 1296	4460	cmd.exe	111
PID 4460 wrote to memory of 1296	4460	cmd.exe	111

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3096	attrib.exe
1296	attrib.exe

C:\Users\Admin\AppData\Local\Temp\be838d8a3798aa2c819bc732169c4fda.exe
"C:\Users\Admin\AppData\Local\Temp\be838d8a3798aa2c819bc732169c4fda.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\1.exe
  "C:\Windows\system32\1.exe"
  2⤵
  - Executes dropped EXE
  PID:5832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 440
    3⤵
    - Program crash
    PID:5840
- C:\Windows\SysWOW64\2.exe
  "C:\Windows\system32\2.exe"
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\SysWOW64\3.exe
  "C:\Windows\system32\3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\ntldr\microchip.exe
    "C:\Windows\system32\ntldr\microchip.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del /F /Q /A R S H C:\ntldr
      4⤵
      PID:4588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del /F /S /Q "%USERPROFILE%\Mis Documentos\*.*"
      4⤵
      PID:2332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del /F /S /Q "%USERPROFILE%\Escritorio\*.*"
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c copy "%Windir%\System32\ntldr\ntldr\ntldr" C:\ntldr & attrib C:\ntldr +s +h +r
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3156
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\ntldr +s +h +r
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3096
- - C:\Windows\SysWOW64\ntldr\microchip.exe
    "C:\Windows\system32\ntldr\microchip.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del /F /Q /A R S H C:\ntldr
      4⤵
      PID:5624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del /F /S /Q "%USERPROFILE%\Mis Documentos\*.*"
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del /F /S /Q "%USERPROFILE%\Escritorio\*.*"
      4⤵
      PID:548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c copy "%Windir%\System32\ntldr\ntldr\ntldr" C:\ntldr & attrib C:\ntldr +s +h +r
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib C:\ntldr +s +h +r
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5832 -ip 5832
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\1.exe

Filesize
185KB

MD5
bef840968d6ff6f2754a8509fc6ce51f

SHA1
6367786c504ef3710c2e6239db669bfead79d42f

SHA256
62e86f9fc8818e3a0efaea2b7970730e094633df4055f1cfa61c269ae30764b8

SHA512
39cfa8e18b9f1cb9d11148dc695658fd5407ecbde27f3b0aee07eb0b8b8e5a5987a85182d46c30dac57705b262b6cecd7341cf198a515405328e90e1e066ff6b

Download Submit
C:\Windows\SysWOW64\2.exe

Filesize
101KB

MD5
a2667bd36a0f42ce854f0ac2d3eb2ba3

SHA1
8090a0264ec11e0234c6410d24bf8093b8f91b0d

SHA256
af170aae7d7af56be028b53bbdaff80371182d9d78bb86f62adb6b8640d767ba

SHA512
cb85875625e6e9db2f946680ebfa280087d53f671f6f428d23f9c43d960c7f305efc0ebdffeb885e989ff04a5a6afe9adcc8f0135f0cc833bebbc317501e76d7

Download Submit
C:\Windows\SysWOW64\3.exe

Filesize
1.4MB

MD5
26bf74b7c38ade9642c468961bdd4215

SHA1
9114d22c3853eab07f4202edb886428ce5c84ba9

SHA256
46b125b11adb761bb021146df810a01d7d3a9a3f95f130ded2b9c92a66d7f916

SHA512
e0e74feefa92ec3a05176a8ca0fdff680a388d627dda6ae51a1ba703240000dc5de0ee56606f33b2ab40ba920c3f2bafd62b03dd08b0bf9242a80fc99542c9f3

Download Submit
C:\Windows\SysWOW64\ntldr\MSVCR71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Windows\SysWOW64\ntldr\PYTHON25.DLL

Filesize
2.0MB

MD5
75dce61897641e0a589a336c4e83babc

SHA1
8d2d868acdcf1c8566bfa404550252193d9ed6c3

SHA256
b7f180060b188c9b48c4301b5682a000796222919d8fff81b2000ef301c59432

SHA512
3c29d7816069232271c7a48492774e618ff3d0812103d06811ff6020121173e88ba540e878b591703dc4cc4133d5236c39be806cd85819a83374bdc77515033c

Download Submit
C:\Windows\SysWOW64\ntldr\library.zip

Filesize
697KB

MD5
e916ec0eed4151e5032932dd8c936019

SHA1
b0a88455422b9464ff52ec21b46b4e11ce883b94

SHA256
44a7f696cf694790f74c2504563f88fd0b34f032ad36092cd5386775644d5c9c

SHA512
e00bf5bf8be40547edb4cb967e3acea3f2052683b0fce62b15ce8597e3690a35594e52a6d728b1d5f9d4e42dd38d0791b72f55e7c491191dde7c53f23b6b4b5a

Download Submit
C:\Windows\SysWOW64\ntldr\microchip.exe

Filesize
20KB

MD5
b32825070b5c22eeab8465ed5e20d5cb

SHA1
3287631708e655476d1202110c45331084e4fec4

SHA256
c7a18f8a39886bcbc2d33baa0d2f1a5ed33eba02c900211f57743330a58d3361

SHA512
07f25f9b8816e5d04c313f2a3a3e63cade06455983ae028ad54a845ebfc3721ec0de49d1803a8b8d9572aa45d750b4743a1d57ba2fcf68e01ea34641fac7e885

Download Submit
C:\ntldr

Filesize
244KB

MD5
05265c7fc6e3d7fb619431126f686034

SHA1
b4261ebfd2236e5d032e0af7f0d423b375d960cc

SHA256
680feafa67645a33104ef85d68b5f3914288a9263353884135f9656f2fd44823

SHA512
5e0e815c28a217162c63081d74f8f9cb490e2ed734b21dbc05579949d74fe9d09f702ea5b8761f09ff3067a07a5f208d4e47b03df390bf9d3f1e72e69f5c7ddb

Download Submit
memory/216-74-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4800-28-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4800-37-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5832-55-0x00000000000E0000-0x000000000011B000-memory.dmp

Filesize
236KB

Download
memory/5832-15-0x00000000000E0000-0x000000000011B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads