1338ec3c61a55f530cb2318bcf4bab95b5057212e65269a5768dd1de72cedf11

General

Target

b3c971bce842a6f20ec56123c7d47740.exe
Size

1.2MB
MD5

b3c971bce842a6f20ec56123c7d47740
SHA1

c8d22296c07888840c6723a665040f5586226c99
SHA256

1338ec3c61a55f530cb2318bcf4bab95b5057212e65269a5768dd1de72cedf11
SHA512

a0e30dc718905e9db4dd137b8fb1758aa9ed6657b615f4b3ddfbe0394ea27bbdda03c1757f64d60c0a77245ce97de01e61742c9059c2202aa5b2a9a6c3ae12db

Score

8^/10

persistence

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3924	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 648	512	b3c971bce842a6f20ec56123c7d47740.exe	67
PID 512 wrote to memory of 648	512	b3c971bce842a6f20ec56123c7d47740.exe	67
PID 512 wrote to memory of 648	512	b3c971bce842a6f20ec56123c7d47740.exe	67
PID 648 wrote to memory of 1044	648	bdif.exe	68
PID 648 wrote to memory of 1044	648	bdif.exe	68
PID 648 wrote to memory of 1044	648	bdif.exe	68
PID 648 wrote to memory of 1128	648	bdif.exe	70
PID 648 wrote to memory of 1128	648	bdif.exe	70
PID 648 wrote to memory of 1128	648	bdif.exe	70
PID 648 wrote to memory of 1388	648	bdif.exe	71
PID 648 wrote to memory of 1388	648	bdif.exe	71
PID 648 wrote to memory of 1388	648	bdif.exe	71
PID 648 wrote to memory of 1432	648	bdif.exe	72
PID 648 wrote to memory of 1432	648	bdif.exe	72
PID 648 wrote to memory of 1432	648	bdif.exe	72
PID 648 wrote to memory of 3628	648	bdif.exe	80
PID 648 wrote to memory of 3628	648	bdif.exe	80
PID 648 wrote to memory of 3628	648	bdif.exe	80
PID 648 wrote to memory of 4020	648	bdif.exe	81
PID 648 wrote to memory of 4020	648	bdif.exe	81
PID 648 wrote to memory of 4020	648	bdif.exe	81
PID 3628 wrote to memory of 3924	3628	cmd.exe	84
PID 3628 wrote to memory of 3924	3628	cmd.exe	84
PID 3628 wrote to memory of 3924	3628	cmd.exe	84

Executes dropped EXE 1 IoCs

pid	Process
648	bdif.exe

Loads dropped DLL 2 IoCs

pid	Process
1128	rundll32.exe
1432	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1128	rundll32.exe
1128	rundll32.exe
1128	rundll32.exe
1128	rundll32.exe

Blacklisted process makes network request 2 IoCs

flow	pid	Process
3	1128	rundll32.exe
7	1432	rundll32.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	\??\c:\programdata\1321ba6d1f\bdif.exe:Zone.Identifier	b3c971bce842a6f20ec56123c7d47740.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\cred = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\cred.dll, Main"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\scr = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\scr.dll, Main"	REG.exe

C:\Users\Admin\AppData\Local\Temp\b3c971bce842a6f20ec56123c7d47740.exe
"C:\Users\Admin\AppData\Local\Temp\b3c971bce842a6f20ec56123c7d47740.exe"
1⤵
- Suspicious use of WriteProcessMemory
- NTFS ADS
PID:512
- \??\c:\programdata\1321ba6d1f\bdif.exe
  c:\programdata\1321ba6d1f\bdif.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  PID:648
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v cred /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\cred.dll, Main"
    3⤵
    - Adds Run key to start application
    PID:1044
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cred.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    PID:1128
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v scr /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\scr.dll, Main"
    3⤵
    - Adds Run key to start application
    PID:1388
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\scr.dll, Main
    3⤵
    - Loads dropped DLL
    - Blacklisted process makes network request
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
      4⤵
      Creates scheduled task(s)
      PID:3924
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d c:\programdata\1321ba6d1f
    3⤵
    PID:4020