6b4d1ddccb0760b0cbe5d392c9b0cc7d5a5eaa0be0772388e37c38a0aedb4f25

General

Target

13d8638ffa2728a85f5a4477c1698230N.exe
Size

974KB
MD5

13d8638ffa2728a85f5a4477c1698230
SHA1

0f09305284619740d8f71592bb630085f99992fa
SHA256

6b4d1ddccb0760b0cbe5d392c9b0cc7d5a5eaa0be0772388e37c38a0aedb4f25
SHA512

8aa021c7cbde119c05b32e7a3b4b8dc2a408cbdb924ca790819c19eacfffd53b3422391b73977896a02b76a424a28104f23d3b2aa3dcf6956eff19905616cfaa
SSDEEP

12288:lOOZpUtlwX+zc7V5Rn1JyfPcOOZpUtlwX+zc7V5Rn1JyfP:nZhNrRCfP6ZhNrRCfP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3052	XFGL.EXE

Loads dropped DLL 2 IoCs

pid	Process
1624	13d8638ffa2728a85f5a4477c1698230N.exe
1624	13d8638ffa2728a85f5a4477c1698230N.exe

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	13d8638ffa2728a85f5a4477c1698230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\PerfLogs\\BZUN.EXE \"%1\" %*"	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	XFGL.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BZUN.EXE = "C:\\PerfLogs\\BZUN.EXE"	13d8638ffa2728a85f5a4477c1698230N.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\J:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\K:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\G:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\M:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\R:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\V:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\L:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\O:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\P:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\Q:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\S:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\T:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\N:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\I:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\U:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\E:	13d8638ffa2728a85f5a4477c1698230N.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\XFGL.EXE	13d8638ffa2728a85f5a4477c1698230N.exe
File created	C:\Program Files (x86)\WHRVO.EXE	13d8638ffa2728a85f5a4477c1698230N.exe
File created	C:\Program Files\IKQE.EXE	13d8638ffa2728a85f5a4477c1698230N.exe
File opened for modification	C:\Program Files\IKQE.EXE	13d8638ffa2728a85f5a4477c1698230N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13d8638ffa2728a85f5a4477c1698230N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XFGL.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	13d8638ffa2728a85f5a4477c1698230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\PerfLogs\\BZUN.EXE \"%1\" %*"	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	XFGL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	13d8638ffa2728a85f5a4477c1698230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files\\IKQE.EXE \"%1\""	13d8638ffa2728a85f5a4477c1698230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Program Files\\IKQE.EXE \"%1\""	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	13d8638ffa2728a85f5a4477c1698230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files\\IKQE.EXE %1"	13d8638ffa2728a85f5a4477c1698230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files\\IKQE.EXE %1"	13d8638ffa2728a85f5a4477c1698230N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3052	XFGL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 3052	1624	13d8638ffa2728a85f5a4477c1698230N.exe	30
PID 1624 wrote to memory of 3052	1624	13d8638ffa2728a85f5a4477c1698230N.exe	30
PID 1624 wrote to memory of 3052	1624	13d8638ffa2728a85f5a4477c1698230N.exe	30
PID 1624 wrote to memory of 3052	1624	13d8638ffa2728a85f5a4477c1698230N.exe	30

C:\Users\Admin\AppData\Local\Temp\13d8638ffa2728a85f5a4477c1698230N.exe
"C:\Users\Admin\AppData\Local\Temp\13d8638ffa2728a85f5a4477c1698230N.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Program Files\XFGL.EXE
  "C:\Program Files\XFGL.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\IKQE.EXE

Filesize
974KB

MD5
5724462643dfd13fd4693d1a77ab3596

SHA1
963ae9fefe70f429744406f83c9ce2e613d4d1cd

SHA256
6c5d4f8d2841a215d3a83bbe781b2bf9761647d572240c52d5759617616271cf

SHA512
75ece3705e9211376520e3b4ae65646bf1a03fa2d0a7aa831af9eb2ff8db3a812697576b1e6d85e1ab2c4c2991990309d51401f28c786c1de3646e3ac8e18f43

Download Submit
\Program Files\XFGL.EXE

Filesize
975KB

MD5
2fa4e56d12a2166c946863415f5602e0

SHA1
878bd640e5bf00a8d2952436846986a2d97feee5

SHA256
d4af2b95dd33bf2e0d9050d7db4cc9ba13e86a95081fea429af7d79cba7d8425

SHA512
813bbaf92b1c16b7554c384418afa85423265aaf073a4976ac567097253a43a4bcde7726dac4b43c885cd54e48098aeda54be0c2b584c2a57051f49cfcb42211

Download Submit
memory/1624-27-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1624-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3052-31-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3052-28-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3052-29-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3052-30-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3052-26-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3052-32-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3052-33-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3052-35-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3052-36-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3052-37-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3052-38-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3052-39-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3052-40-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads