Overview

overview

7

Static

static

3

TibiaLogin.exe

windows7-x64

3

TibiaLogin.exe

windows10-2004-x64

3

bpk.exe

windows7-x64

bpk.exe

windows10-2004-x64

bpkhk.dll

windows7-x64

1

bpkhk.dll

windows10-2004-x64

1

rinst.exe

windows7-x64

7

rinst.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2024 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rinst.exe

  • Size

    22KB

  • MD5

    9a00d512f9e1464ad793702cf2b1eda0

  • SHA1

    39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

  • SHA256

    98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

  • SHA512

    18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

  • SSDEEP

    384:c3PqIGR1uEtfWlXdbvoht0zsQHmr246v1hLqsHWuTqvhwp:aqZv3tfEbgIzsQHs6v1hLqQ9q

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rinst.exe
    "C:\Users\Admin\AppData\Local\Temp\rinst.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Users\Admin\AppData\Local\Temp\TibiaLogin.exe
      "C:\Users\Admin\AppData\Local\Temp\TibiaLogin.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:748
    • C:\windows\SysWOW64\bpk.exe
      C:\windows\system32\bpk.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\bpk.exe
    Filesize

    408KB

    MD5

    a635bc1492e4c39ef47ed617d3dfe491

    SHA1

    353ae5d543aee4bd2084798308a82361336b34fb

    SHA256

    cd06f57e2e2956c634f851eb92666e9e24557fffbfcd098686e3d7fe03d8ffed

    SHA512

    e152eaaebc4a6a48d32ed2382e048f171d35200d1654cfb241f57612b655e921b8645e700f011d3638fda4bbc7f50e90ebdc24398664a9e553540b15a006b226

    Download Submit

  • C:\windows\SysWOW64\bpkhk.dll
    Filesize

    21KB

    MD5

    a11068817ba83d7b8c61a5c53c5a72ab

    SHA1

    cf4685ae095d5b1e92062c9d299cf9d250b6bab2

    SHA256

    0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

    SHA512

    a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

    Download Submit

  • C:\windows\SysWOW64\inst.dat
    Filesize

    1KB

    MD5

    e14485184a19cabb30538b7e16460844

    SHA1

    84c119193c04d622215c4cb72a5f6c7b31fe18c7

    SHA256

    7d1af779e34f0996305a67ee263bad73971d7d4f4c298642f1f041456aec422a

    SHA512

    6fc5f809c5ef765b066accb2caedae8b56e8536600838feffd3b0fe1ca406c718801ed37e789748cd080b69ec7518b09529285cbf035d294e42b4fa17f405818

    Download Submit

  • C:\windows\SysWOW64\pk.bin
    Filesize

    7KB

    MD5

    df86cf4366866f625faec3fdca4866da

    SHA1

    72764f5ce86d2d64ecff5f92809b1a8f1a8b5146

    SHA256

    e8633de442d49b4d2ce0409d3d17c73a897d2fa6412b261c1c86578f3d6e4f01

    SHA512

    63f05b96198ef6c6c2b6fe1d966a739d7ffc503b1a08aed89d68ddd884e998b580c68d8ffcbe4ce0f1cfd31ea8a347043b91ef88726c97eea8d521018fdaf92d

    Download Submit

  • C:\windows\SysWOW64\rinst.exe
    Filesize

    22KB

    MD5

    9a00d512f9e1464ad793702cf2b1eda0

    SHA1

    39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

    SHA256

    98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

    SHA512

    18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

    Download Submit