Analysis
-
max time kernel
110s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
09/04/2024, 23:21
Static task
static1
Behavioral task
behavioral1
Sample
be98ac6412a72807cd8720c197c12b3b.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
be98ac6412a72807cd8720c197c12b3b.exe
Resource
win10v2004-20240226-en
General
-
Target
be98ac6412a72807cd8720c197c12b3b.exe
-
Size
130KB
-
MD5
be98ac6412a72807cd8720c197c12b3b
-
SHA1
2dfb4254593f93f0b1212eb445d1394929ff3e8f
-
SHA256
a5d3fd5ce0ddfb1d038a1b923d82e76dd24c3ccbf4cba9a710fbeb59037d6695
-
SHA512
689b2ce963f43cdeb7d11952cafefa610edd66c275800abc5b1aa8845ee94042ca257f797bf244085e4bd821521271d86094f852bda53f9606cb710ff8fee833
-
SSDEEP
3072:sr+Fu2II+HiXMcI/AKJZ7vV9d300JKML5pbHRHKr+FuqII+H3:/MHD3/AKz7vV9zJKML5pbHPMH3
Malware Config
Signatures
-
Drops file in Drivers directory 6 IoCs
Columns: description, ioc, Process
File opened for modification C:\Windows\SysWOW64\drivers\Msvbvm60.dll winlogon.exe
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe winlogon.exe
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe winlogon.exe
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe be98ac6412a72807cd8720c197c12b3b.exe
File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe winlogon.exe
File created C:\Windows\SysWOW64\drivers\Msvbvm60.dll winlogon.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Columns: description, ioc, Process
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation winlogon.exe
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation AE 0124 BE.exe
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation be98ac6412a72807cd8720c197c12b3b.exe
-
Executes dropped EXE 5 IoCs
Columns: pid, Process
2668 AE 0124 BE.exe
1112 winlogon.exe
500 AE 0124 BE.exe
2556 winlogon.exe
4216 winlogon.exe
-
Loads dropped DLL 3 IoCs
Columns: pid, Process
500 AE 0124 BE.exe
2556 winlogon.exe
4216 winlogon.exe
-
Drops autorun.inf file 1 TTPs 24 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Columns: description, ioc, Process
File opened for modification \??\T:\Autorun.inf winlogon.exe
File opened for modification \??\Y:\Autorun.inf winlogon.exe
File opened for modification \??\H:\Autorun.inf winlogon.exe
File opened for modification \??\I:\Autorun.inf winlogon.exe
File opened for modification \??\M:\Autorun.inf winlogon.exe
File opened for modification \??\N:\Autorun.inf winlogon.exe
File opened for modification \??\S:\Autorun.inf winlogon.exe
File opened for modification \??\U:\Autorun.inf winlogon.exe
File opened for modification \??\X:\Autorun.inf winlogon.exe
File opened for modification \??\R:\Autorun.inf winlogon.exe
File opened for modification \??\V:\Autorun.inf winlogon.exe
File opened for modification \??\W:\Autorun.inf winlogon.exe
File opened for modification D:\Autorun.inf winlogon.exe
File opened for modification F:\Autorun.inf winlogon.exe
File opened for modification \??\J:\Autorun.inf winlogon.exe
File opened for modification \??\Q:\Autorun.inf winlogon.exe
File opened for modification \??\L:\Autorun.inf winlogon.exe
File opened for modification \??\O:\Autorun.inf winlogon.exe
File opened for modification \??\P:\Autorun.inf winlogon.exe
File opened for modification \??\Z:\Autorun.inf winlogon.exe
File opened for modification C:\Autorun.inf winlogon.exe
File opened for modification \??\E:\Autorun.inf winlogon.exe
File opened for modification \??\G:\Autorun.inf winlogon.exe
File opened for modification \??\K:\Autorun.inf winlogon.exe
-
Drops file in System32 directory 1 IoCs
Columns: description, ioc, Process
File opened for modification C:\Windows\SysWOW64\regedit.exe AE 0124 BE.exe
-
Drops file in Windows directory 64 IoCs
Columns: description, ioc, Process
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Workflow.Runtime AE 0124 BE.exe
File opened for modification C:\Windows\explorer.exe AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089 AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0 AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Web.Mobile AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Contract.v9.0 AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\MMCFxCommon AE 0124 BE.exe
File opened for modification C:\Windows\appcompat\Programs\Amcache.hve.tmp.LOG1 AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0 AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Management.Resources AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Data.OracleClient.Resources AE 0124 BE.exe
File opened for modification C:\Windows\DigitalLocker AE 0124 BE.exe
File opened for modification C:\Windows\apppatch\fr-FR AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_32\PresentationCore AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0 AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Resources AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Web.Resources AE 0124 BE.exe
File opened for modification C:\Windows\InputMethod AE 0124 BE.exe
File opened for modification C:\Windows\LiveKernelReports AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfkc.nlp AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_64\CustomMarshalers AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\sysglobl AE 0124 BE.exe
File opened for modification C:\Windows\DiagTrack AE 0124 BE.exe
File opened for modification C:\Windows\Web AE 0124 BE.exe
File opened for modification C:\Windows\appcompat\Programs\Amcache.hve.LOG1 AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\IEExecRemote AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.JScript AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Deployment.Resources AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\UIAutomationClient AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Vbe.Interop.Forms AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\PresentationCore.Resources AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.SmartTag AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Web.Routing.Resources AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.exe.config AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\ksc.nlp AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_64\Microsoft.Ink AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.Resources AE 0124 BE.exe
File opened for modification C:\Windows\apppatch\AppPatch64 AE 0124 BE.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64 AE 0124 BE.exe
File opened for modification C:\Windows\assembly\pubpol24.dat AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_32\mscorlib AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Install AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\PresentationFramework.Aero AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Web.Entity.Design AE 0124 BE.exe
File opened for modification C:\Windows\addins AE 0124 BE.exe
File opened for modification C:\Windows\write.exe AE 0124 BE.exe
File opened for modification C:\Windows\apppatch\fr-FR\AcRes.dll.mui AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Common.v9.0 AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.OneNote AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Sentinel.v3.5Client AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.IO.Log.Resources AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.WorkflowServices.Resources AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_64\System.Web AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\srmlib.dll AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_32\System.Printing AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\ReachFramework AE 0124 BE.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0 AE 0124 BE.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
Columns: description, ioc, Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ AE 0124 BE.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ be98ac6412a72807cd8720c197c12b3b.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Columns: pid, Process
4136 be98ac6412a72807cd8720c197c12b3b.exe
1112 winlogon.exe
500 AE 0124 BE.exe
4216 winlogon.exe
2556 winlogon.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Columns: description, pid, Process, procid_target
PID 4136 wrote to memory of 2668 4136 be98ac6412a72807cd8720c197c12b3b.exe 98
PID 4136 wrote to memory of 2668 4136 be98ac6412a72807cd8720c197c12b3b.exe 98
PID 4136 wrote to memory of 2668 4136 be98ac6412a72807cd8720c197c12b3b.exe 98
PID 4136 wrote to memory of 1112 4136 be98ac6412a72807cd8720c197c12b3b.exe 100
PID 4136 wrote to memory of 1112 4136 be98ac6412a72807cd8720c197c12b3b.exe 100
PID 4136 wrote to memory of 1112 4136 be98ac6412a72807cd8720c197c12b3b.exe 100
PID 1112 wrote to memory of 500 1112 winlogon.exe 103
PID 1112 wrote to memory of 500 1112 winlogon.exe 103
PID 1112 wrote to memory of 500 1112 winlogon.exe 103
PID 1112 wrote to memory of 2556 1112 winlogon.exe 105
PID 1112 wrote to memory of 2556 1112 winlogon.exe 105
PID 1112 wrote to memory of 2556 1112 winlogon.exe 105
PID 500 wrote to memory of 4216 500 AE 0124 BE.exe 106
PID 500 wrote to memory of 4216 500 AE 0124 BE.exe 106
PID 500 wrote to memory of 4216 500 AE 0124 BE.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\be98ac6412a72807cd8720c197c12b3b.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\be98ac6412a72807cd8720c197c12b3b.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4136
  C:\Windows\AE 0124 BE.exe (depth 2)
  Command line: "C:\Windows\AE 0124 BE.exe"
  - Executes dropped EXE
  PID:2668
  C:\Windows\SysWOW64\drivers\winlogon.exe (depth 2)
  Command line: "C:\Windows\System32\drivers\winlogon.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Drops autorun.inf file
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1112
    C:\Windows\AE 0124 BE.exe (depth 3)
    Command line: "C:\Windows\AE 0124 BE.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:500
      C:\Windows\SysWOW64\drivers\winlogon.exe (depth 4)
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID:4216
    C:\Windows\SysWOW64\drivers\winlogon.exe (depth 3)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2556
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
PID:2320
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
130KB
MD5
be98ac6412a72807cd8720c197c12b3b
SHA1
2dfb4254593f93f0b1212eb445d1394929ff3e8f
SHA256
a5d3fd5ce0ddfb1d038a1b923d82e76dd24c3ccbf4cba9a710fbeb59037d6695
SHA512
689b2ce963f43cdeb7d11952cafefa610edd66c275800abc5b1aa8845ee94042ca257f797bf244085e4bd821521271d86094f852bda53f9606cb710ff8fee833
-
Filesize
1.4MB
MD5
25f62c02619174b35851b0e0455b3d94
SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
130KB
MD5
9694b9967f06f05125e6b254498be684
SHA1
020db87d38703703026ed978e147d1f6718c31ac
SHA256
273dbb6fbf2012f34b75040527b2a205dd063acddc5e302feaf809f6b0760b59
SHA512
59d80a55e55bda476292cdf55048b65b07df0595a52720e266636bced4c4a5d7b9b5dbc18d8a938cc96a1e5dd3c74fd1adea769d78298e3f0cbe7c9edcc5455a
-
Filesize
21B
MD5
9cceaa243c5d161e1ce41c7dad1903dd
SHA1
e3da72675df53fffa781d4377d1d62116eafb35b
SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b