eaa3dd23cc0aaa9920d42ab19fd77bc8a196ca769522e14410f7314dfcb8948e

Analysis

max time kernel
364s
max time network
1588s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23/07/2024, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BasiliskV3_0099_FirmwareUpdater_v1.02.00_r1.exe
Size

21.6MB
MD5

a7cd1c302ac2307e938cfdd72a5fa46e
SHA1

20ed0d49e19f881ca96ef313e4e86aa97ec3eac4
SHA256

eaa3dd23cc0aaa9920d42ab19fd77bc8a196ca769522e14410f7314dfcb8948e
SHA512

bce1aeaa0839ff2de7d5bece3181359d5089d1dc34fbe00221458f9a7dcabea2124c7000497d8fdda2b5d26ca99644e1c4ce1de310ddeca0721349cd6cff13cb
SSDEEP

393216:XZYRO8cf3CntDJWVb6K/S/wfUPKqbUkx3eEQG+13q0WYxEjZrJixUoXuSZ:XZYR2KtDVmS4fUXleH13LKjGx4e

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1132	CustomerFWU2Point5.exe

Loads dropped DLL 12 IoCs

pid	Process
1132	CustomerFWU2Point5.exe
1132	CustomerFWU2Point5.exe
1132	CustomerFWU2Point5.exe
1132	CustomerFWU2Point5.exe
1132	CustomerFWU2Point5.exe
1132	CustomerFWU2Point5.exe
1132	CustomerFWU2Point5.exe
1132	CustomerFWU2Point5.exe
1132	CustomerFWU2Point5.exe
1132	CustomerFWU2Point5.exe
1132	CustomerFWU2Point5.exe
1132	CustomerFWU2Point5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BasiliskV3_0099_FirmwareUpdater_v1.02.00_r1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CustomerFWU2Point5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 1132	4780	BasiliskV3_0099_FirmwareUpdater_v1.02.00_r1.exe	72
PID 4780 wrote to memory of 1132	4780	BasiliskV3_0099_FirmwareUpdater_v1.02.00_r1.exe	72
PID 4780 wrote to memory of 1132	4780	BasiliskV3_0099_FirmwareUpdater_v1.02.00_r1.exe	72

C:\Users\Admin\AppData\Local\Temp\BasiliskV3_0099_FirmwareUpdater_v1.02.00_r1.exe
"C:\Users\Admin\AppData\Local\Temp\BasiliskV3_0099_FirmwareUpdater_v1.02.00_r1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\CustomerFWU2Point5.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CustomerFWU2Point5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AccountManagerClient.dll

Filesize
85KB

MD5
89d56e1b1f4b4624e1ec4028c3d43e2d

SHA1
db3fe0c6b9c9bb34991d0131741c477a5fc063b0

SHA256
2cd0f79eb0336567430694378719f14e0592c0a220d33255f231a8eeb1e3b2f1

SHA512
14e4428dcc3aedb9ffca34be53dc8619d6d3f8ac0a9f5fdee7bb600acf94dff41de4a6e44378c28fce21668d01323146ab0955461ed4c313c49c0429937856f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AccountManagerCommon.dll

Filesize
145KB

MD5
99ab204d7c7c8a06348d4440ed3509b2

SHA1
4774b05f1696ab8812c0e21a23bed931efc83b99

SHA256
a3abce1cf68f068df4987d9afcfa66135df19ab5579abf1959df4ec2e5408b74

SHA512
6bc65cceed2409abd77b449c6beda63d50b994132b4f02200aa17e4b3aa2befc72ab08905f76371f577be5cc4a341bd98224017ec905fb3354a709c1b10c4d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ActionServiceCommon.dll

Filesize
102KB

MD5
7b384e81afee307038ff2f58464c0435

SHA1
5f21c129ba4512663fe3d21f6c4ae553fc633da7

SHA256
3a6771f7184886605d49e9f2919ccdc9e1262d9bb4cf47710eea9497942fd7d9

SHA512
e7430c4d888204291de50e6b1436d6bc7441f2674db3a1f59ebda560cb3de54c68bdb6f7a39ccf46505f64434f1bf5b12e6a905431d4bc3137062b1a7f745d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CustomProgressBar.dll

Filesize
10KB

MD5
f330db8b214a490c806427b60a0683f9

SHA1
1efc4410a250a412ec0c56d54baaac33df918878

SHA256
5b5f6e2f139e4d484e0ade33630af6c123246646ee526c5d58549ce72f77fe19

SHA512
206bfc19a9c7409b87226051e6ce5c9733cbb4e3c966b051cad84a410d6d1f455192198aceb899f2e56c765c8ba9115efc8c88d7a60500c1e3d926046cb760cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CustomerFWU2Point5.exe

Filesize
12.7MB

MD5
afb4ff23613e4bd191fd1a12089df26d

SHA1
94637e22f12b58f84ef59b8b0beaa34f4580c8cd

SHA256
5675cc57d5b6cd0c60bb18c467a5bc5ef4b4750b7b79b8eac6f9a92151de56c7

SHA512
9bba6a5c8c17618050a1b45e2b60c8f23751c4b2d4802f5fafce60b58df4a518b12ee8e0c87856da3997b67771f72771bbdf314027abcc08c0368f7f1782c18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DeviceUpdater.resources

Filesize
322KB

MD5
de621fddf0cacd284279e20ab02a1fac

SHA1
2beb3cb14356d9700aaf13fcb7c5c358e9fed227

SHA256
375d1457b1f78f62524efc9c46e8288065eb57ce1e830c6fb76d1c1c6cddda54

SHA512
f9be1b0b854da6466cb181a2cf7ede4ec12b4a7c9ff2ea644304f4d157706fe5aea8c3e9fce4af5943f22e2e2cc564335ee17b1a4280c36040af59fdb8eb0bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FWUpdaterDLL.dll

Filesize
1.9MB

MD5
d5cef51f625a67978890abc2e50247c9

SHA1
4e6419b9b71f9075a8562b685a6031e3146deb98

SHA256
7dccfd96b16bc5ff172087487a8c724ef597b812a22b94651179f988c40bdb50

SHA512
2af1297665deba7024f1b52cee81dc35126ec2639157915d27202a5918448cba2b0989985dae312902da7ebdb5746ea87688752ef2e742a6cf0617f58ad37efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RcClientBase.dll

Filesize
21KB

MD5
dec081ca650617a3ca9f54b8ec8ac61f

SHA1
5313c1a46c6835c59b12f151047c1157084abcbb

SHA256
a194735a2ae6a76df56236ace5d316734a632f7caaf47932ce37ca760603d177

SHA512
d6c57f27532f4c9356d45dca0928bf12768af66103dd06e7c6b2fd8293c0e3eda2a86f755056eca2a3d24a4eff59810b7a594ec31bda8bf52e43adacd8a830ed

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\winusb.dll

Filesize
23KB

MD5
d73fcf8da5ec0a15a0c00fe87ea8d32b

SHA1
205e61419312a7fae29fad112e7395c425c9ad46

SHA256
e31ce32dd66ef9e2ecc4ec4e5e94a5bb50ebbd4fa7fb698d754d057a245f8a6a

SHA512
f8c79e324c5e090d60bc56b54b768a755e32d71460df6eaae9d0ccd9aac786707eaf3da2ddb61fa35cdb112a1da90757dbac52436d73a246ace2c2190e59ab8f

Download Submit
memory/1132-86-0x0000000005E10000-0x000000000630E000-memory.dmp

Filesize
5.0MB

Download
memory/1132-109-0x0000000006A10000-0x0000000006A1A000-memory.dmp

Filesize
40KB

Download
memory/1132-100-0x0000000005A90000-0x0000000005AAE000-memory.dmp

Filesize
120KB

Download
memory/1132-85-0x00000000004A0000-0x0000000001158000-memory.dmp

Filesize
12.7MB

Download
memory/1132-104-0x0000000005D50000-0x0000000005D78000-memory.dmp

Filesize
160KB

Download
memory/1132-96-0x0000000005950000-0x000000000595A000-memory.dmp

Filesize
40KB

Download
memory/1132-92-0x0000000005960000-0x000000000597A000-memory.dmp

Filesize
104KB

Download
memory/1132-87-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/1132-110-0x0000000072A00000-0x00000000730EE000-memory.dmp

Filesize
6.9MB

Download
memory/1132-84-0x0000000072A0E000-0x0000000072A0F000-memory.dmp

Filesize
4KB

Download
memory/1132-114-0x0000000008EE0000-0x0000000008EE8000-memory.dmp

Filesize
32KB

Download
memory/1132-115-0x0000000072A00000-0x00000000730EE000-memory.dmp

Filesize
6.9MB

Download
memory/1132-116-0x0000000072A0E000-0x0000000072A0F000-memory.dmp

Filesize
4KB

Download
memory/1132-117-0x0000000072A00000-0x00000000730EE000-memory.dmp

Filesize
6.9MB

Download