5debeda2835def4c4f135d47aa5fc9d0ef39d5193e50a85b690332db62a8cafe

General

Target

d9cbb1b75b2ec76764fa80ef4ff42382.exe
Size

827KB
MD5

d9cbb1b75b2ec76764fa80ef4ff42382
SHA1

fc2c102ad05eda02088f21426a03257b095aab51
SHA256

5debeda2835def4c4f135d47aa5fc9d0ef39d5193e50a85b690332db62a8cafe
SHA512

ab8c5f63c39ed404e9ad28731107ad9405295207f80f2b8b2d7bc6b641da67400c29978845fcf97c6aed3981f5714c2f355c1dc40d1294b9a53185792458c5be

Score

8^/10

persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1844 rundll32.exe
1844 rundll32.exe
Blacklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

6 1844 rundll32.exe
10 1912 rundll32.exe
NTFS ADS 1 IoCs

Processes:

d9cbb1b75b2ec76764fa80ef4ff42382.exe

description ioc process

File created \??\c:\programdata\1321ba6d1f\bdif.exe:Zone.Identifier d9cbb1b75b2ec76764fa80ef4ff42382.exe

pid	process
1844	rundll32.exe
1844	rundll32.exe

flow	pid	process
6	1844	rundll32.exe
10	1912	rundll32.exe

description	ioc	process
File created	\??\c:\programdata\1321ba6d1f\bdif.exe:Zone.Identifier	d9cbb1b75b2ec76764fa80ef4ff42382.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exeREG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\cred = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\cred.dll, Main"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\scr = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\scr.dll, Main"	REG.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

924 schtasks.exe

pid	process
924	schtasks.exe

Loads dropped DLL 10 IoCs

Processes:

d9cbb1b75b2ec76764fa80ef4ff42382.exerundll32.exerundll32.exe

pid	process
1496	d9cbb1b75b2ec76764fa80ef4ff42382.exe
1496	d9cbb1b75b2ec76764fa80ef4ff42382.exe
1844	rundll32.exe
1844	rundll32.exe
1844	rundll32.exe
1844	rundll32.exe
1912	rundll32.exe
1912	rundll32.exe
1912	rundll32.exe
1912	rundll32.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

d9cbb1b75b2ec76764fa80ef4ff42382.exebdif.execmd.exe

description	pid	process	target process
PID 1496 wrote to memory of 1600	1496	d9cbb1b75b2ec76764fa80ef4ff42382.exe	bdif.exe
PID 1496 wrote to memory of 1600	1496	d9cbb1b75b2ec76764fa80ef4ff42382.exe	bdif.exe
PID 1496 wrote to memory of 1600	1496	d9cbb1b75b2ec76764fa80ef4ff42382.exe	bdif.exe
PID 1496 wrote to memory of 1600	1496	d9cbb1b75b2ec76764fa80ef4ff42382.exe	bdif.exe
PID 1600 wrote to memory of 1764	1600	bdif.exe	REG.exe
PID 1600 wrote to memory of 1764	1600	bdif.exe	REG.exe
PID 1600 wrote to memory of 1764	1600	bdif.exe	REG.exe
PID 1600 wrote to memory of 1764	1600	bdif.exe	REG.exe
PID 1600 wrote to memory of 1844	1600	bdif.exe	rundll32.exe
PID 1600 wrote to memory of 1844	1600	bdif.exe	rundll32.exe
PID 1600 wrote to memory of 1844	1600	bdif.exe	rundll32.exe
PID 1600 wrote to memory of 1844	1600	bdif.exe	rundll32.exe
PID 1600 wrote to memory of 1844	1600	bdif.exe	rundll32.exe
PID 1600 wrote to memory of 1844	1600	bdif.exe	rundll32.exe
PID 1600 wrote to memory of 1844	1600	bdif.exe	rundll32.exe
PID 1600 wrote to memory of 1916	1600	bdif.exe	REG.exe
PID 1600 wrote to memory of 1916	1600	bdif.exe	REG.exe
PID 1600 wrote to memory of 1916	1600	bdif.exe	REG.exe
PID 1600 wrote to memory of 1916	1600	bdif.exe	REG.exe
PID 1600 wrote to memory of 1912	1600	bdif.exe	rundll32.exe
PID 1600 wrote to memory of 1912	1600	bdif.exe	rundll32.exe
PID 1600 wrote to memory of 1912	1600	bdif.exe	rundll32.exe
PID 1600 wrote to memory of 1912	1600	bdif.exe	rundll32.exe
PID 1600 wrote to memory of 1912	1600	bdif.exe	rundll32.exe
PID 1600 wrote to memory of 1912	1600	bdif.exe	rundll32.exe
PID 1600 wrote to memory of 1912	1600	bdif.exe	rundll32.exe
PID 1600 wrote to memory of 2012	1600	bdif.exe	cmd.exe
PID 1600 wrote to memory of 2012	1600	bdif.exe	cmd.exe
PID 1600 wrote to memory of 2012	1600	bdif.exe	cmd.exe
PID 1600 wrote to memory of 2012	1600	bdif.exe	cmd.exe
PID 1600 wrote to memory of 1212	1600	bdif.exe	REG.exe
PID 1600 wrote to memory of 1212	1600	bdif.exe	REG.exe
PID 1600 wrote to memory of 1212	1600	bdif.exe	REG.exe
PID 1600 wrote to memory of 1212	1600	bdif.exe	REG.exe
PID 2012 wrote to memory of 924	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 924	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 924	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 924	2012	cmd.exe	schtasks.exe

Executes dropped EXE 1 IoCs

Processes:

bdif.exe

pid process

1600 bdif.exe

pid	process
1600	bdif.exe

C:\Users\Admin\AppData\Local\Temp\d9cbb1b75b2ec76764fa80ef4ff42382.exe
"C:\Users\Admin\AppData\Local\Temp\d9cbb1b75b2ec76764fa80ef4ff42382.exe"
1⤵
- NTFS ADS
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496

\??\c:\programdata\1321ba6d1f\bdif.exe
c:\programdata\1321ba6d1f\bdif.exe
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1600

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v cred /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\cred.dll, Main"
3⤵
- Adds Run key to start application
PID:1764

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cred.dll, Main
3⤵
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Loads dropped DLL
PID:1844

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v scr /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\scr.dll, Main"
3⤵
- Adds Run key to start application
PID:1916

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\scr.dll, Main
3⤵
- Blacklisted process makes network request
- Loads dropped DLL
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
4⤵
- Creates scheduled task(s)
PID:924

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d c:\programdata\1321ba6d1f
3⤵
PID:1212