dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724

General

Target

dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe
Size

383KB
MD5

3331783b0655235d009b962041446fb0
SHA1

ec2f210e22bf953b068e0ecaea53e94cbd3c586c
SHA256

dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724
SHA512

4895962f66bb29609bd901ce15d21d56074a46eb321c21a574075af8cae0d1bbcb38b599ab7f3a99e995572cf41c2e7f649e05538d156b157797ff3266afedc9
SSDEEP

6144:l/d5C3sO9ljjt+MaJWKt9ZmAFofYh3VFcl7zbN5B98I4Hq2HLKNBlB:LO9SMMWKmhYhzcl7zbN5B98I4HrHLeBL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
976	server.exe
840	bdlite.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}\stubpath = "C:\\Windows\\winupdate32.exe s"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Active Setup\Installed Components	server.exe

Loads dropped DLL 4 IoCs

pid	Process
1968	dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe
1968	dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe
1968	dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe
1968	dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winupdate32 = "C:\\Windows\\winupdate32.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdate32 = "C:\\Windows\\winupdate32.exe"	server.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\update32.dat	server.exe
File opened for modification	C:\Windows\winupdate32.exe	server.exe
File created	C:\Windows\winupdate32.exe	server.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
976	server.exe
976	server.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 976	1968	dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe	28
PID 1968 wrote to memory of 976	1968	dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe	28
PID 1968 wrote to memory of 976	1968	dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe	28
PID 1968 wrote to memory of 976	1968	dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe	28
PID 976 wrote to memory of 1404	976	server.exe	13
PID 976 wrote to memory of 1404	976	server.exe	13
PID 976 wrote to memory of 1472	976	server.exe	29
PID 976 wrote to memory of 1472	976	server.exe	29
PID 976 wrote to memory of 1472	976	server.exe	29
PID 976 wrote to memory of 1472	976	server.exe	29
PID 976 wrote to memory of 1472	976	server.exe	29
PID 976 wrote to memory of 1472	976	server.exe	29
PID 976 wrote to memory of 1472	976	server.exe	29
PID 976 wrote to memory of 1472	976	server.exe	29
PID 976 wrote to memory of 1404	976	server.exe	13
PID 976 wrote to memory of 1404	976	server.exe	13
PID 1968 wrote to memory of 840	1968	dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe	30
PID 1968 wrote to memory of 840	1968	dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe	30
PID 1968 wrote to memory of 840	1968	dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe	30
PID 1968 wrote to memory of 840	1968	dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1404
- C:\Users\Admin\AppData\Local\Temp\dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe
  "C:\Users\Admin\AppData\Local\Temp\dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\nb_temp01\server.exe
    "C:\Users\Admin\AppData\Local\Temp\dbb0ba5f542cb4c94c39ae831106c1d4e39de1aca1bfe9e4e8e096ca2b656724.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1472
- - C:\Users\Admin\AppData\Local\Temp\nb_temp01\bdlite.exe
    "C:\Users\Admin\AppData\Local\Temp\\nb_temp01\bdlite.exe"
    3⤵
    - Executes dropped EXE
    PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nb_temp01\bdlite.exe

Filesize
500KB

MD5
edc6f3664a0ee293379340ec50c42857

SHA1
9a135803dd2ed564dcaf9abf9323daa580ec74d3

SHA256
40270f7bd7de51f929bb7ccd04d71437edfaa43148f958cf79ecb17beb01f420

SHA512
1a0202ca3499ca313df3277bb1b59ab491497bc97982c7326124bfb4f8f66b689f9f1f1f6710facff7e728a21bb5d3c12f65be483df6686c68968d93d6423a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nb_temp01\server.exe

Filesize
87KB

MD5
2e0f4b45b7c3e1b3ecbb841a298fba5b

SHA1
fa33c0e9dbaff2bae34b0b99408cf2548b657344

SHA256
015f9527d681a320f2164d2420c7d2084453d1e3bfc10668c2467294c30deaec

SHA512
d9463a8be783b1ac3735c948e3e696f14931cf2e0d7558033415483419bd89dc704ef9314d4627121a5ee7b650217bc029675f51d325cb1a611b601fce4726f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nb_temp01\server.exe

Filesize
87KB

MD5
2e0f4b45b7c3e1b3ecbb841a298fba5b

SHA1
fa33c0e9dbaff2bae34b0b99408cf2548b657344

SHA256
015f9527d681a320f2164d2420c7d2084453d1e3bfc10668c2467294c30deaec

SHA512
d9463a8be783b1ac3735c948e3e696f14931cf2e0d7558033415483419bd89dc704ef9314d4627121a5ee7b650217bc029675f51d325cb1a611b601fce4726f3

Download Submit
\Users\Admin\AppData\Local\Temp\nb_temp01\bdlite.exe

Filesize
500KB

MD5
edc6f3664a0ee293379340ec50c42857

SHA1
9a135803dd2ed564dcaf9abf9323daa580ec74d3

SHA256
40270f7bd7de51f929bb7ccd04d71437edfaa43148f958cf79ecb17beb01f420

SHA512
1a0202ca3499ca313df3277bb1b59ab491497bc97982c7326124bfb4f8f66b689f9f1f1f6710facff7e728a21bb5d3c12f65be483df6686c68968d93d6423a6e

Download Submit
\Users\Admin\AppData\Local\Temp\nb_temp01\bdlite.exe

Filesize
500KB

MD5
edc6f3664a0ee293379340ec50c42857

SHA1
9a135803dd2ed564dcaf9abf9323daa580ec74d3

SHA256
40270f7bd7de51f929bb7ccd04d71437edfaa43148f958cf79ecb17beb01f420

SHA512
1a0202ca3499ca313df3277bb1b59ab491497bc97982c7326124bfb4f8f66b689f9f1f1f6710facff7e728a21bb5d3c12f65be483df6686c68968d93d6423a6e

Download Submit
\Users\Admin\AppData\Local\Temp\nb_temp01\server.exe

Filesize
87KB

MD5
2e0f4b45b7c3e1b3ecbb841a298fba5b

SHA1
fa33c0e9dbaff2bae34b0b99408cf2548b657344

SHA256
015f9527d681a320f2164d2420c7d2084453d1e3bfc10668c2467294c30deaec

SHA512
d9463a8be783b1ac3735c948e3e696f14931cf2e0d7558033415483419bd89dc704ef9314d4627121a5ee7b650217bc029675f51d325cb1a611b601fce4726f3

Download Submit
\Users\Admin\AppData\Local\Temp\nb_temp01\server.exe

Filesize
87KB

MD5
2e0f4b45b7c3e1b3ecbb841a298fba5b

SHA1
fa33c0e9dbaff2bae34b0b99408cf2548b657344

SHA256
015f9527d681a320f2164d2420c7d2084453d1e3bfc10668c2467294c30deaec

SHA512
d9463a8be783b1ac3735c948e3e696f14931cf2e0d7558033415483419bd89dc704ef9314d4627121a5ee7b650217bc029675f51d325cb1a611b601fce4726f3

Download Submit
memory/976-63-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/976-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1968-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1968-61-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/1968-60-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads