482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe
Size

111KB
MD5

5c3efbf72f43f9ac8d1251acbd05ad50
SHA1

6e81d4cc2c160ccea357cf6302e95c2592224a8b
SHA256

482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98
SHA512

daac2cceeb370ade0768900bd9a5bb0e20768d520e3f6abebf1564738d4203579772f66a005857aec676afc6c01309b3971e5841e81a827123917c6a8dc898d8
SSDEEP

768:sduwfCcAl2IRlNFQK33bP34DGltCJWx+7AppL4zG4dslM8lP+wgG0SXdkUr9AeXd:sdFwjl8K33DlN+aLHM8WSXjyo

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bpxuaz.exe

Executes dropped EXE 1 IoCs

pid	Process
2908	bpxuaz.exe

Loads dropped DLL 2 IoCs

pid	Process
2736	482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe
2736	482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\bpxuaz = "C:\\Users\\Admin\\bpxuaz.exe"	bpxuaz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2708	2736	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpxuaz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe
2908	bpxuaz.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2736	482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe
2908	bpxuaz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2908	2736	482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe	30
PID 2736 wrote to memory of 2908	2736	482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe	30
PID 2736 wrote to memory of 2908	2736	482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe	30
PID 2736 wrote to memory of 2908	2736	482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe	30
PID 2736 wrote to memory of 2708	2736	482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe	31
PID 2736 wrote to memory of 2708	2736	482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe	31
PID 2736 wrote to memory of 2708	2736	482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe	31
PID 2736 wrote to memory of 2708	2736	482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe	31
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2736	2908	bpxuaz.exe	29
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31
PID 2908 wrote to memory of 2708	2908	bpxuaz.exe	31

C:\Users\Admin\AppData\Local\Temp\482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe
"C:\Users\Admin\AppData\Local\Temp\482477317cdeef87ca3613a61c2008721e58312dc0bf8be4a4b6fb2650ec9f98N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\bpxuaz.exe
  "C:\Users\Admin\bpxuaz.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 808
  2⤵
  - Program crash
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\bpxuaz.exe

Filesize
111KB

MD5
de0cb21b42217b76ecfda0eba7c978cc

SHA1
3d9f0a191f2b36b259df7a6917fd433d5063fbd1

SHA256
a36e4179fffc9bfc7ced486b19d9c7da591f526e6bb213c983b3f572fa1cc7b6

SHA512
a854bee7a4f7305602c7d9c6cbb2109610472e2e6c6ad178193c6245a1c1281dff10df4988f3e0f752b44dc27537a3b10499fb9e746ecaf5edcaeb6faa44e3ef

Download Submit