Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-07-2024 21:08
Static task: static1
Behavioral task behavioral1: Sample MARD_25_2/Point32.exe, Resource win7-20240705-en
Behavioral task behavioral2: Sample MARD_25_2/Point32.exe, Resource win10v2004-20240709-en
Behavioral task behavioral3: Sample MARD_25_2/Update.exe, Resource win7-20240708-en
Behavioral task behavioral4: Sample MARD_25_2/Update.exe, Resource win10v2004-20240709-en
Behavioral task behavioral5: Sample MARD_25_2/atwtusb.exe, Resource win7-20240705-en
Behavioral task behavioral6: Sample MARD_25_2/atwtusb.exe, Resource win10v2004-20240704-en
General
- Target: MARD_25_2/Update.exe
- Size: 284KB
- MD5: ae6f29676e667282d7a35007b4a546a3
- SHA1: 16cd9fb072b6b5209833db54a4f2e382fdba06d6
- SHA256: 5635cd7c6aad1bf6e1915d207a99c92d2bc48cbaeb673416cc5f913dd233309f
- SHA512: ccfab3f8f1fbdf414d4164ee4d1080c08e44a312934befe338637e287427c3c49a35d28dcb36ffd3650fbdc5d5ec0565ed07f9a6c8ac8290c74ae6b686542296
- SSDEEP: 6144:FY94N434H7Kl8QiPaShZhcI9gzICFBYiA0ppw35RJx:29OVehCYSgZuB35RJx
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Update.exe, rinst.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | Update.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | rinst.exe
Executes dropped EXE (3 IoCs)
Processes: rinst.exe, bpkvw.exe, bpk.exe
  pid | process
  3180 | rinst.exe
  1444 | bpkvw.exe
  3980 | bpk.exe
Loads dropped DLL (4 IoCs)
Processes: bpk.exe, Update.exe
  pid | process
  3980 | bpk.exe
  3980 | bpk.exe
  3980 | bpk.exe
  3008 | Update.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: bpk.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\Windows\\SysWOW64\\bpk.exe" | bpk.exe
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: bpk.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" | bpk.exe
Drops file in System32 directory (7 IoCs)
Processes: rinst.exe, bpk.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\inst.dat | rinst.exe
  File created | C:\Windows\SysWOW64\rinst.exe | rinst.exe
  File opened for modification | C:\Windows\SysWOW64\pk.bin | bpk.exe
  File created | C:\Windows\SysWOW64\pk.bin | rinst.exe
  File created | C:\Windows\SysWOW64\bpk.exe | rinst.exe
  File created | C:\Windows\SysWOW64\bpkhk.dll | rinst.exe
  File created | C:\Windows\SysWOW64\bpkwb.dll | rinst.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (46 IoCs)
Processes: bpk.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\bpkwb.dll" | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32 | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE" | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library" | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1 | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class" | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment" | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1" | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class" | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWow64\\bpkwb.dll" | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0" | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0 | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class" | bpk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" | bpk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer | bpk.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: bpk.exe
  pid | process
  3980 | bpk.exe
  3980 | bpk.exe
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: bpk.exe
  pid | process
  3980 | bpk.exe (this row is repeated 64 times in the report)
Suspicious use of SetWindowsHookEx (11 IoCs)
Processes: bpkvw.exe, bpk.exe
  pid | process
  1444 | bpkvw.exe
  3980 | bpk.exe
  1444 | bpkvw.exe
  3980 | bpk.exe (this row is repeated 8 times in the report)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: Update.exe, rinst.exe
  description | pid | process | target process
  PID 3008 wrote to memory of 3180 | 3008 | Update.exe | rinst.exe
  PID 3008 wrote to memory of 3180 | 3008 | Update.exe | rinst.exe
  PID 3008 wrote to memory of 3180 | 3008 | Update.exe | rinst.exe
  PID 3180 wrote to memory of 1444 | 3180 | rinst.exe | bpkvw.exe
  PID 3180 wrote to memory of 1444 | 3180 | rinst.exe | bpkvw.exe
  PID 3180 wrote to memory of 1444 | 3180 | rinst.exe | bpkvw.exe
  PID 3180 wrote to memory of 3980 | 3180 | rinst.exe | bpk.exe
  PID 3180 wrote to memory of 3980 | 3180 | rinst.exe | bpk.exe
  PID 3180 wrote to memory of 3980 | 3180 | rinst.exe | bpk.exe
Processes
Update.exe (PID 3008), depth 1
  Path: C:\Users\Admin\AppData\Local\Temp\MARD_25_2\Update.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MARD_25_2\Update.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  rinst.exe (PID 3180), depth 2, child of Update.exe
    Path: C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    bpkvw.exe (PID 1444), depth 3, child of rinst.exe
      Path: C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkvw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkvw.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    bpk.exe (PID 3980), depth 3, child of rinst.exe
      Path: C:\Windows\SysWOW64\bpk.exe
      Command line: C:\Windows\system32\bpk.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Installs/modifies Browser Helper Object
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 424KB
  MD5: a563ec6e0a5cc4aded55f7feca8b4982
  SHA1: 76dc01f41aabb520ebbc759e85064edda5098ebf
  SHA256: 2d95f78733d63eebcd9c2cbb07e890aee5476753077cf755ec6c66a0038b7933
  SHA512: c6f1548f3550bd746adbca9ca43cfdab0d2cf1c5a4031cc1a434647463bd398dfa4d4ae3dc33c7160a23ed8d9a393973aa19522d2ff4c6e900faa619a072a7bb
- Filesize: 24KB
  MD5: a7369f9e8a583f9cef28d7e8e3e0257e
  SHA1: 468406b0eee1ae8fc14facc902411d201ec916d0
  SHA256: 5fd8ebdba02d4ba0618941fe58fe76fc1ca8a2ff2c6eca8c01fc1b71694f6d52
  SHA512: 5f4b3029e9156e1004bb34a85d08f5b63ade629713effa43798d67a3ebaf1efb90f7042027550eddb555b1f91b633379335fc854f0783aa91bb4dae911cce42f
- Filesize: 100KB
  MD5: 029b2a6a1e4447a6cae43a31dde5c090
  SHA1: 95996ddca21aeac14b3ae9cd2d7eaa2028c0075e
  SHA256: 194a84f543160bace83f251b980b287898cfbee882928eec246adbe4d9986a1b
  SHA512: 90bb4d11d97b42dbdcbdd3362be2569663c65e3b418a0da1fff7df2a0d2361db1a15727a71484a8d37268d2ea780f9698053bece4e9ef376dccb40ec787e778f
- Filesize: 40KB
  MD5: 88d40103da5f45b1bfca411a1e86d02d
  SHA1: cb07ede059c8a6710ad2d6f6db4c5628c8f7b662
  SHA256: b9b1e3352965162fb55ced51ec53a688735d1d2fc4e383f0c9a44e743af8c2a0
  SHA512: aa1b6e5b5c50f874017e11f77b2f2fdf06b66b24aab3974f0a6e7e31887b1785967b916a7f2ec4041bab135e6e3e40ffe3d192ce973ba920c381e6c5ffb2b4e3
- Filesize: 996B
  MD5: bc0b0c55ae4fc8d050c218921d9edceb
  SHA1: 21ad23acb63d1d6a47f0dbb137cbd689dc1def93
  SHA256: 0544d90f8bb933e74bf0fc4cdaf627d89531a1c2e49b7660d2beb416fa2fb43a
  SHA512: 49d54906f22df0aa35fa9efe0636467b83b35278582d030fa466576fbfcde700ab16dd0ca62c0336135f99ab75389406e6b9fe6f0d99a25b174c24ced56a8973
- Filesize: 4KB
  MD5: 6d6c8fc2d09e9bb6c85473ab3ec19307
  SHA1: adeaf3258278762084fe5a61340f0853b73e527f
  SHA256: 7944b3d613def163ddd058e79592bb621d01e2316bc8fb8ae5fe0d775a4c4c89
  SHA512: f7f6571b691f814d0d616afd7fed1c8bc2d160f3449016ef03dca354e34ff5305b893e1c3b89219832a23d799c0059fcb83bc0b630ca4d51b1b2458688838c6f
- Filesize: 7KB
  MD5: fbe4bab53f74d3049ef4b306d4cd8742
  SHA1: 6504b63908997a71a65997fa31eda4ae4de013e7
  SHA256: 446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092
  SHA512: d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f
- Filesize: 424KB
  MD5: 994ffae187f4e567c6efee378af66ad0
  SHA1: 0cc35d07e909b7f6595b9c698fe1a8b9b39c7def
  SHA256: f0b707b1ab25024ba5a65f68cd4380a66ef0ce9bb880a92e1feee818854fe423
  SHA512: bd5320327a24fbab8934395d272869bfa97d77a2ee44ac6eec8fa79b3ffbd4a049bf9dfeeb6b8cc946c295a07bd07ddba41d81c76d452d2c5587b4bf92559e0a
- Filesize: 24KB
  MD5: 9ac9028338d1b353a7cacb563bb91df7
  SHA1: a20c5dee8f05c91686324cec2d5b092bafe58339
  SHA256: 93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c
  SHA512: ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe
- Filesize: 40KB
  MD5: 21d4e01f38b5efd64ad6816fa0b44677
  SHA1: 5242d2c5b450c773b9fa3ad014a8aba9b7bb206a
  SHA256: 3285df0c25d4b9b6d5ccbe166a3ce3d04f5cb3a0d61c8bf29bf5f953e51b0977
  SHA512: 77dae941676a56664da89c7670d29ed5402032c8040df1cc231986733c78f0dc56c41f7a276ec9ea8336e3fa2bfc68d3121048e9585bf0d8a98917d799f669b8
- Filesize: 4KB
  MD5: fa9c2f2fd282a04b05c8ef655aa4e65f
  SHA1: 8ec4d422a89d73f14270307dae722ef2b7b0a0a1
  SHA256: 3e1d35d62c785e152190047b6c41a74b091a3a077ed0d6390e646aba953a5a2d
  SHA512: 496d6f0649c0295af8edd74830d1f3d07a2431449d1f946f9339cedbad9d3adb1d8332b0027b582d3e32758e480c0dee474dc91ad05b98afb995f868b77fa0a2