a5d3fd5ce0ddfb1d038a1b923d82e76dd24c3ccbf4cba9a710fbeb59037d6695

Analysis

max time kernel
110s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be98ac6412a72807cd8720c197c12b3b.exe
Size

130KB
MD5

be98ac6412a72807cd8720c197c12b3b
SHA1

2dfb4254593f93f0b1212eb445d1394929ff3e8f
SHA256

a5d3fd5ce0ddfb1d038a1b923d82e76dd24c3ccbf4cba9a710fbeb59037d6695
SHA512

689b2ce963f43cdeb7d11952cafefa610edd66c275800abc5b1aa8845ee94042ca257f797bf244085e4bd821521271d86094f852bda53f9606cb710ff8fee833
SSDEEP

3072:sr+Fu2II+HiXMcI/AKJZ7vV9d300JKML5pbHRHKr+FuqII+H3:/MHD3/AKz7vV9zJKML5pbHPMH3

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	be98ac6412a72807cd8720c197c12b3b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	AE 0124 BE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	be98ac6412a72807cd8720c197c12b3b.exe

Executes dropped EXE 5 IoCs

pid	Process
2668	AE 0124 BE.exe
1112	winlogon.exe
500	AE 0124 BE.exe
2556	winlogon.exe
4216	winlogon.exe

Loads dropped DLL 3 IoCs

pid	Process
500	AE 0124 BE.exe
2556	winlogon.exe
4216	winlogon.exe

Drops autorun.inf file 1 TTPs 24 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	F:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Workflow.Runtime	AE 0124 BE.exe
File opened for modification	C:\Windows\explorer.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Mobile	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Contract.v9.0	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MMCFxCommon	AE 0124 BE.exe
File opened for modification	C:\Windows\appcompat\Programs\Amcache.hve.tmp.LOG1	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Management.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.OracleClient.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\DigitalLocker	AE 0124 BE.exe
File opened for modification	C:\Windows\apppatch\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\PresentationCore	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\InputMethod	AE 0124 BE.exe
File opened for modification	C:\Windows\LiveKernelReports	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfkc.nlp	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\CustomMarshalers	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\sysglobl	AE 0124 BE.exe
File opened for modification	C:\Windows\DiagTrack	AE 0124 BE.exe
File opened for modification	C:\Windows\Web	AE 0124 BE.exe
File opened for modification	C:\Windows\appcompat\Programs\Amcache.hve.LOG1	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\IEExecRemote	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.JScript	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Deployment.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationClient	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Vbe.Interop.Forms	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationCore.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.SmartTag	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Routing.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.exe.config	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\ksc.nlp	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Ink	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\apppatch\AppPatch64	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\pubpol24.dat	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Install	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationFramework.Aero	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Entity.Design	AE 0124 BE.exe
File opened for modification	C:\Windows\addins	AE 0124 BE.exe
File opened for modification	C:\Windows\write.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\apppatch\fr-FR\AcRes.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Common.v9.0	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.OneNote	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Sentinel.v3.5Client	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.IO.Log.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.WorkflowServices.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Web	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\srmlib.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Printing	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ReachFramework	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	AE 0124 BE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	be98ac6412a72807cd8720c197c12b3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winlogon.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4136	be98ac6412a72807cd8720c197c12b3b.exe
1112	winlogon.exe
500	AE 0124 BE.exe
4216	winlogon.exe
2556	winlogon.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 2668	4136	be98ac6412a72807cd8720c197c12b3b.exe	98
PID 4136 wrote to memory of 2668	4136	be98ac6412a72807cd8720c197c12b3b.exe	98
PID 4136 wrote to memory of 2668	4136	be98ac6412a72807cd8720c197c12b3b.exe	98
PID 4136 wrote to memory of 1112	4136	be98ac6412a72807cd8720c197c12b3b.exe	100
PID 4136 wrote to memory of 1112	4136	be98ac6412a72807cd8720c197c12b3b.exe	100
PID 4136 wrote to memory of 1112	4136	be98ac6412a72807cd8720c197c12b3b.exe	100
PID 1112 wrote to memory of 500	1112	winlogon.exe	103
PID 1112 wrote to memory of 500	1112	winlogon.exe	103
PID 1112 wrote to memory of 500	1112	winlogon.exe	103
PID 1112 wrote to memory of 2556	1112	winlogon.exe	105
PID 1112 wrote to memory of 2556	1112	winlogon.exe	105
PID 1112 wrote to memory of 2556	1112	winlogon.exe	105
PID 500 wrote to memory of 4216	500	AE 0124 BE.exe	106
PID 500 wrote to memory of 4216	500	AE 0124 BE.exe	106
PID 500 wrote to memory of 4216	500	AE 0124 BE.exe	106

C:\Users\Admin\AppData\Local\Temp\be98ac6412a72807cd8720c197c12b3b.exe
"C:\Users\Admin\AppData\Local\Temp\be98ac6412a72807cd8720c197c12b3b.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\AE 0124 BE.exe
  "C:\Windows\AE 0124 BE.exe"
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Drops autorun.inf file
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:500
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4216
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AE 0124 BE.exe

Filesize
130KB

MD5
be98ac6412a72807cd8720c197c12b3b

SHA1
2dfb4254593f93f0b1212eb445d1394929ff3e8f

SHA256
a5d3fd5ce0ddfb1d038a1b923d82e76dd24c3ccbf4cba9a710fbeb59037d6695

SHA512
689b2ce963f43cdeb7d11952cafefa610edd66c275800abc5b1aa8845ee94042ca257f797bf244085e4bd821521271d86094f852bda53f9606cb710ff8fee833

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
130KB

MD5
9694b9967f06f05125e6b254498be684

SHA1
020db87d38703703026ed978e147d1f6718c31ac

SHA256
273dbb6fbf2012f34b75040527b2a205dd063acddc5e302feaf809f6b0760b59

SHA512
59d80a55e55bda476292cdf55048b65b07df0595a52720e266636bced4c4a5d7b9b5dbc18d8a938cc96a1e5dd3c74fd1adea769d78298e3f0cbe7c9edcc5455a

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads