1338ec3c61a55f530cb2318bcf4bab95b5057212e65269a5768dd1de72cedf11

Analysis

max time kernel
138s
max time network
147s
platform
windows7_x64
resource
win7
submitted
29-07-2020 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3c971bce842a6f20ec56123c7d47740.exe
Size

1.2MB
MD5

b3c971bce842a6f20ec56123c7d47740
SHA1

c8d22296c07888840c6723a665040f5586226c99
SHA256

1338ec3c61a55f530cb2318bcf4bab95b5057212e65269a5768dd1de72cedf11
SHA512

a0e30dc718905e9db4dd137b8fb1758aa9ed6657b615f4b3ddfbe0394ea27bbdda03c1757f64d60c0a77245ce97de01e61742c9059c2202aa5b2a9a6c3ae12db

Score

8^/10

persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1904	rundll32.exe
1904	rundll32.exe

Blacklisted process makes network request 2 IoCs

flow	pid	Process
6	1904	rundll32.exe
10	1956	rundll32.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	\??\c:\programdata\1321ba6d1f\bdif.exe:Zone.Identifier	b3c971bce842a6f20ec56123c7d47740.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\cred = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\cred.dll, Main"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\scr = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\scr.dll, Main"	REG.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
276	schtasks.exe

Loads dropped DLL 10 IoCs

pid	Process
1612	b3c971bce842a6f20ec56123c7d47740.exe
1612	b3c971bce842a6f20ec56123c7d47740.exe
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe
1956	rundll32.exe
1956	rundll32.exe
1956	rundll32.exe
1956	rundll32.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 364	1612	b3c971bce842a6f20ec56123c7d47740.exe	24
PID 1612 wrote to memory of 364	1612	b3c971bce842a6f20ec56123c7d47740.exe	24
PID 1612 wrote to memory of 364	1612	b3c971bce842a6f20ec56123c7d47740.exe	24
PID 1612 wrote to memory of 364	1612	b3c971bce842a6f20ec56123c7d47740.exe	24
PID 364 wrote to memory of 1892	364	bdif.exe	27
PID 364 wrote to memory of 1892	364	bdif.exe	27
PID 364 wrote to memory of 1892	364	bdif.exe	27
PID 364 wrote to memory of 1892	364	bdif.exe	27
PID 364 wrote to memory of 1904	364	bdif.exe	28
PID 364 wrote to memory of 1904	364	bdif.exe	28
PID 364 wrote to memory of 1904	364	bdif.exe	28
PID 364 wrote to memory of 1904	364	bdif.exe	28
PID 364 wrote to memory of 1904	364	bdif.exe	28
PID 364 wrote to memory of 1904	364	bdif.exe	28
PID 364 wrote to memory of 1904	364	bdif.exe	28
PID 364 wrote to memory of 1960	364	bdif.exe	30
PID 364 wrote to memory of 1960	364	bdif.exe	30
PID 364 wrote to memory of 1960	364	bdif.exe	30
PID 364 wrote to memory of 1960	364	bdif.exe	30
PID 364 wrote to memory of 1956	364	bdif.exe	31
PID 364 wrote to memory of 1956	364	bdif.exe	31
PID 364 wrote to memory of 1956	364	bdif.exe	31
PID 364 wrote to memory of 1956	364	bdif.exe	31
PID 364 wrote to memory of 1956	364	bdif.exe	31
PID 364 wrote to memory of 1956	364	bdif.exe	31
PID 364 wrote to memory of 1956	364	bdif.exe	31
PID 364 wrote to memory of 1488	364	bdif.exe	35
PID 364 wrote to memory of 1488	364	bdif.exe	35
PID 364 wrote to memory of 1488	364	bdif.exe	35
PID 364 wrote to memory of 1488	364	bdif.exe	35
PID 364 wrote to memory of 528	364	bdif.exe	36
PID 364 wrote to memory of 528	364	bdif.exe	36
PID 364 wrote to memory of 528	364	bdif.exe	36
PID 364 wrote to memory of 528	364	bdif.exe	36
PID 1488 wrote to memory of 276	1488	cmd.exe	39
PID 1488 wrote to memory of 276	1488	cmd.exe	39
PID 1488 wrote to memory of 276	1488	cmd.exe	39
PID 1488 wrote to memory of 276	1488	cmd.exe	39

Executes dropped EXE 1 IoCs

pid	Process
364	bdif.exe

C:\Users\Admin\AppData\Local\Temp\b3c971bce842a6f20ec56123c7d47740.exe
"C:\Users\Admin\AppData\Local\Temp\b3c971bce842a6f20ec56123c7d47740.exe"
1⤵
- NTFS ADS
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- \??\c:\programdata\1321ba6d1f\bdif.exe
  c:\programdata\1321ba6d1f\bdif.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  PID:364
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v cred /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\cred.dll, Main"
    3⤵
    - Adds Run key to start application
    PID:1892
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cred.dll, Main
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Loads dropped DLL
    PID:1904
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v scr /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\scr.dll, Main"
    3⤵
    - Adds Run key to start application
    PID:1960
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\scr.dll, Main
    3⤵
    - Blacklisted process makes network request
    - Loads dropped DLL
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
      4⤵
      Creates scheduled task(s)
      PID:276
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d c:\programdata\1321ba6d1f
    3⤵
    PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads