Analysis
- max time kernel: 175s
- max time network: 194s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 09-02-2022 00:56
Static task: static1
Behavioral task: behavioral1
Sample: 2022-02-06 build_dl.exe
Resource: win7-en-20211208
General
- Target: 2022-02-06 build_dl.exe
- Size: 3.9MB
- MD5: 095715a96975ef7b9e17d0a39739e0cc
- SHA1: aa090944875fb9bd5b1e8b3775592eea5ceeb186
- SHA256: 15d06d1741cc8b5495da9c79c6f630e33060e80c73da9666500f6f0bdf5ff259
- SHA512: ab76c374c995501ef57c4f46602e0df16188ccb6f69bb4c9c84073e48c664000912353a47ed5758c48735c64ca1167f73b02c41d4cfefea9978e3a219c12ce11
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Downloads MZ/PE file
- Drops file in Drivers directory [1 IoC]
  Processes:
    description  | ioc                                   | process
    File created | C:\Windows\System32\drivers\etc\hosts | 2022-02-06 build_dl.exe
- Executes dropped EXE [2 IoCs]
  Processes:
    pid  | process
    3832 | 1644371941.exe
    540  | 1644371963.exe
- Modifies Windows Firewall [1 TTP]
- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                             | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2022-02-06 build_dl.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | 2022-02-06 build_dl.exe
- Reads user/profile data of web browsers [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.
- Yara rule match: themida
  Processes:
    resource                                                                      | yara_rule
    behavioral2/memory/2280-130-0x00000000004F0000-0x0000000001092000-memory.dmp | themida
    behavioral2/memory/2280-132-0x00000000004F0000-0x0000000001092000-memory.dmp | themida
    behavioral2/memory/2280-133-0x00000000004F0000-0x0000000001092000-memory.dmp | themida
    behavioral2/memory/2280-134-0x00000000004F0000-0x0000000001092000-memory.dmp | themida
    behavioral2/memory/2280-135-0x00000000004F0000-0x0000000001092000-memory.dmp | themida
    behavioral2/memory/2280-136-0x00000000004F0000-0x0000000001092000-memory.dmp | themida
    behavioral2/memory/2280-137-0x00000000004F0000-0x0000000001092000-memory.dmp | themida
- Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
- Adds Run key to start application [2 TTPs, 1 IoC]
  Processes:
    description     | ioc                                                                                                                                   | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BCU = "C:\\Windows\\BCU.exe" | 2022-02-06 build_dl.exe
- Checks whether UAC is enabled
  Processes:
    description       | ioc                                                                              | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 2022-02-06 build_dl.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  Processes:
    pid  | process
    2280 | 2022-02-06 build_dl.exe
- Drops file in Windows directory [4 IoCs]
  Processes:
    description                  | ioc                                                                                                                     | process
    File created                 | C:\Windows\1644371963.exe                                                                                               | 2022-02-06 build_dl.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
    File opened for modification | C:\Windows\BCU.exe                                                                                                      | attrib.exe
    File created                 | C:\Windows\1644371941.exe                                                                                               | 2022-02-06 build_dl.exe
- Checks processor information in registry [2 TTPs, 2 IoCs]
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                                   | process
    Key opened        | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0      | MusNotifyIcon.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
- Gathers network information [2 TTPs, 1 IoC]
  Uses commandline utility to view network configuration.
  Processes:
    pid  | process
    3464 | ipconfig.exe
- GoLang User-Agent [2 IoCs]
  Uses default user-agent string defined by GoLang HTTP packages.
  Processes:
    description            | flow | ioc
    HTTP User-Agent header | 29   | Go-http-client/1.1
    HTTP User-Agent header | 59   | Go-http-client/1.1
- Modifies data under HKEY_USERS [45 IoCs]
  Processes: svchost.exe (45 registry key creations and value writes, all under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization)
- Suspicious behavior: EnumeratesProcesses [4 IoCs]
  Processes:
    pid  | process
    1980 | powershell.exe
    1980 | powershell.exe
    3724 | powershell.exe
    3724 | powershell.exe
- Suspicious behavior: RenamesItself [1 IoC]
  Processes:
    pid  | process
    1032 | cmd.exe
- Suspicious use of AdjustPrivilegeToken [64 IoCs]
  Processes: powershell.exe, whoami.exe, whoami.exe, WMIC.exe, powershell.exe, WMIC.exe
- Suspicious use of WriteProcessMemory [56 IoCs]
  Processes: 2022-02-06 build_dl.exe, cmd.exe (multiple instances)
- Views/modifies file attributes [1 TTP, 1 IoC]
Processes (bracketed number is the nesting depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\2022-02-06 build_dl.exe
    command: "C:\Users\Admin\AppData\Local\Temp\2022-02-06 build_dl.exe"
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\cmd.exe
        command: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command: powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\cmd.exe
        command: cmd /Q /C move /Y "C:\Users\Admin\AppData\Local\Temp\2022-02-06 build_dl.exe" C:\Windows\BCU.exe
        - Suspicious behavior: RenamesItself
    [2] C:\Windows\system32\cmd.exe
        command: cmd /C "netsh advfirewall firewall add rule name=\"BCU\" dir=in action=allow program=\"C:\Users\Admin\AppData\Local\Temp\2022-02-06 build_dl.exe\" enable=yes"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\netsh.exe
            command: netsh advfirewall firewall add rule name=\"BCU\" dir=in action=allow program=\"C:\Users\Admin\AppData\Local\Temp\2022-02-06 build_dl.exe\" enable=yes
    [2] C:\Windows\system32\cmd.exe
        command: cmd /C whoami
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\whoami.exe
            command: whoami
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\cmd.exe
        command: cmd /C whoami
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\whoami.exe
            command: whoami
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\cmd.exe
        command: cmd /C "wmic cpu get name"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\Wbem\WMIC.exe
            command: wmic cpu get name
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\cmd.exe
        command: cmd /Q /C reg add "HKCU\Software\Networking Service" /f
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe
            command: reg add "HKCU\Software\Networking Service" /f
    [2] C:\Windows\system32\cmd.exe
        command: cmd /C "ipconfig //flushdns"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\ipconfig.exe
            command: ipconfig //flushdns
            - Gathers network information
    [2] C:\Windows\system32\cmd.exe
        command: cmd /C "attrib +S +H C:\Windows\BCU.exe"
        [3] C:\Windows\system32\attrib.exe
            command: attrib +S +H C:\Windows\BCU.exe
            - Drops file in Windows directory
            - Views/modifies file attributes
    [2] C:\Windows\system32\cmd.exe
        command: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command: powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\cmd.exe
        command: cmd /C "wmic path win32_VideoController get name"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\Wbem\WMIC.exe
            command: wmic path win32_VideoController get name
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\cmd.exe
        command: cmd /C ver
    [2] C:\Windows\system32\cmd.exe
        command: cmd /C "wmic path win32_VideoController get name"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\Wbem\WMIC.exe
            command: wmic path win32_VideoController get name
    [2] C:\Windows\system32\cmd.exe
        command: cmd /C start C:\Windows\1644371941.exe
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\1644371941.exe
            command: C:\Windows\1644371941.exe
            - Executes dropped EXE
    [2] C:\Windows\system32\cmd.exe
        command: cmd /C start C:\Windows\1644371963.exe
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\1644371963.exe
            command: C:\Windows\1644371963.exe
            - Executes dropped EXE
[1] C:\Windows\system32\MusNotifyIcon.exe
    command: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    - Checks processor information in registry
[1] C:\Windows\System32\svchost.exe
    command: C:\Windows\System32\svchost.exe -k NetworkService -p
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence:
- Modify Existing Service (1)
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
Defense Evasion:
- Virtualization/Sandbox Evasion (1)
- Hidden Files and Directories (2)
- Modify Registry (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- C:\Windows\1644371941.exe
  MD5: a543da3f43f931ca56bea6ac81eb0815
  SHA1: 44d3794cad034ea8666d8f60e1c3d6e3e8771ae1
  SHA256: b7ca36e5ef33a32da7e256d4694738df05a52c72098868e9ab0eecf53b1818dc
  SHA512: c8fa431bd747dad01637cfa3ae1ce562010f027be2b8fe304ba83571f5ad9b0feedabef99b2c98d01a91ad22aa091c85ca98db29b9d2abb95f2314478c8e3ede
- C:\Windows\1644371963.exe
  MD5: 502e1937c846f43e90a7864c1e7071be
  SHA1: dc869347d9d98857b63f8c5984f4287ec3a8f161
  SHA256: 125d09a3fb2bca601e2539cb465205fa66b9e6e20a8caa635c1e2f02628a277a
  SHA512: 4bc9695ae618a69196c2111c6ceea95f1a1563afc7fc66c9116aae813d011ed5fd1a3e582c8413720ccd0ef21c9592429471908d32c2e5a2d452537fda960adc
Memory dumps:
  dump                                                             | filesize
  memory/540-178-0x0000000000400000-0x000000000043C000-memory.dmp  | 240KB
  memory/540-169-0x00000000025C0000-0x00000000025F9000-memory.dmp  | 228KB
  memory/540-168-0x0000000000970000-0x000000000099B000-memory.dmp  | 172KB
  memory/1980-142-0x00007FFB810D3000-0x00007FFB810D5000-memory.dmp | 8KB
  memory/1980-143-0x0000012444650000-0x0000012444652000-memory.dmp | 8KB
  memory/1980-144-0x0000012444653000-0x0000012444655000-memory.dmp | 8KB
  memory/1980-145-0x000001242C530000-0x000001242C552000-memory.dmp | 136KB
  memory/1980-148-0x0000012444656000-0x0000012444658000-memory.dmp | 8KB
  memory/1980-159-0x0000012444658000-0x0000012444659000-memory.dmp | 4KB
  memory/2280-132-0x00000000004F0000-0x0000000001092000-memory.dmp | 11.6MB
  memory/2280-135-0x00000000004F0000-0x0000000001092000-memory.dmp | 11.6MB
  memory/2280-133-0x00000000004F0000-0x0000000001092000-memory.dmp | 11.6MB
  memory/2280-130-0x00000000004F0000-0x0000000001092000-memory.dmp | 11.6MB
  memory/2280-134-0x00000000004F0000-0x0000000001092000-memory.dmp | 11.6MB
  memory/2280-131-0x00007FFBA0630000-0x00007FFBA0632000-memory.dmp | 8KB
  memory/2280-137-0x00000000004F0000-0x0000000001092000-memory.dmp | 11.6MB
  memory/2280-136-0x00000000004F0000-0x0000000001092000-memory.dmp | 11.6MB
  memory/3724-156-0x00000215D01D0000-0x00000215D01D2000-memory.dmp | 8KB
  memory/3724-160-0x00000215D01D8000-0x00000215D01D9000-memory.dmp | 4KB
  memory/3724-158-0x00000215D01D6000-0x00000215D01D8000-memory.dmp | 8KB
  memory/3724-157-0x00000215D01D3000-0x00000215D01D5000-memory.dmp | 8KB
  memory/3724-151-0x00007FFB810D3000-0x00007FFB810D5000-memory.dmp | 8KB
  memory/3832-170-0x0000000000010000-0x00000000005C7000-memory.dmp | 5.7MB
  memory/3832-171-0x0000000002700000-0x0000000002741000-memory.dmp | 260KB
  memory/3832-173-0x0000000000045000-0x0000000000060000-memory.dmp | 108KB
  memory/3832-172-0x0000000000033000-0x0000000000034000-memory.dmp | 4KB
  memory/3832-174-0x0000000000010000-0x00000000005C7000-memory.dmp | 5.7MB
  memory/3832-175-0x000000000023A000-0x000000000058F000-memory.dmp | 3.3MB
  memory/3832-176-0x0000000002750000-0x0000000002751000-memory.dmp | 4KB
  memory/3832-177-0x0000000000010000-0x00000000005C7000-memory.dmp | 5.7MB