Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 13:15

General

  • Target

    bc77d4e07ccb007aab4860cee151a1e34d8dc77a31c09ffb639983927d22d0bb.exe

  • Size

    855KB

  • MD5

    4425b45b99f2bfd386e81e3283f6bae7

  • SHA1

    79d666ce93787e344ed1599c012f5484d4c71b31

  • SHA256

    bc77d4e07ccb007aab4860cee151a1e34d8dc77a31c09ffb639983927d22d0bb

  • SHA512

    df2fc221f4946bd517c3f3c6b00d74bbba871909b82eb374ce27350857bcf752c333cdb85f615df231ea2f68028dca4be520db3e88a5102a937f3662e160d1b0

  • SSDEEP

    1536:ybcbXVDMo9fgw5Y0ZlUmp/xLVQ8GW9AWPdApTbJ7mLcaQ9yrKYcU:yWMot5Y0Z2enQ8G0AVpTTaOyrv

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 27 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc77d4e07ccb007aab4860cee151a1e34d8dc77a31c09ffb639983927d22d0bb.exe
    "C:\Users\Admin\AppData\Local\Temp\bc77d4e07ccb007aab4860cee151a1e34d8dc77a31c09ffb639983927d22d0bb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\bc77d4e07ccb007aab4860cee151a1e34d8dc77a31c09ffb639983927d22d0bb.exe
      C:\Users\Admin\AppData\Local\Temp\bc77d4e07ccb007aab4860cee151a1e34d8dc77a31c09ffb639983927d22d0bb.exe
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1972
        • C:\Users\Admin\E696D64614\winlogon.exe
          C:\Users\Admin\E696D64614\winlogon.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1184
          • C:\Users\Admin\E696D64614\winlogon.exe
            "C:\Users\Admin\E696D64614\winlogon.exe"
            5⤵
            • Modifies firewall policy service
            • Modifies security service
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Sets file execution options in registry
            • Drops startup file
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:4656
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2812
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:3760
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3816
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3816 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:2912

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

        Filesize

        2KB

        MD5

        38a9ee40b61155284982e2fa94ecabb8

        SHA1

        48847436aebb7737c0ffb7a1c7890b97277372ec

        SHA256

        39dfe13c61cf08b31abb081fb69a84fd106d9dce588d98bcda717b361403f3a5

        SHA512

        1ba66cc021295bd0d08b5882b41e48b68c5091de41d6e451f48c291ef4e837e8783ac36af6cc08fc4efe382cb8563358a48939a5902d5ad6ff69bbd9bc71a553

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

        Filesize

        1KB

        MD5

        75d74db32c0f9bc6de90f871bb1a8317

        SHA1

        b4d9c00fa54d1c94445d2825df0722b8fe67aada

        SHA256

        e34681d36a61e2300692ddd9ecc97e99e68e51f8b250ea45d00cb0a273de76ed

        SHA512

        a62f41f43a9ec02d81988dd216cd0926a30c304b584373a2b5c47d394ab02d8806c3c5ea6247bde9537c0c82026216c4910b7ec591a8a8cbf5c3cde694874324

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        e32d02ce684c01ef3af05fae9066160e

        SHA1

        29c7a6e8ed553ac2765634265d1db041d6d422ec

        SHA256

        b00322d178a6cfc206458c26b26d6c80596073bb3283dcc3fc4e33a4b5f29d71

        SHA512

        e4e3175fb131095e4681ecb76d14dc74d059c0beafb6340965516c6d3d0538deb314b36a3f09df03b491edac84d5c0580e764fed1d8bca9abd4e65cb56167148

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

        Filesize

        1KB

        MD5

        23c896e3fc14b0352780bf8710ebd27a

        SHA1

        f80cbc14c2447f02c067cc2c126e105b552d472b

        SHA256

        df2d1a8ad65c48cb714d0157f4e14c374e45493c7e2ed1a03911f558055108c0

        SHA512

        230372de75058a3b6456b1f44efc95695a85d7317fc6e2575a8772af900a08e059aa8a5397a37e1231ffa6bb2e8a2684bc2e6a35cba500818a417387c915908e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F

        Filesize

        472B

        MD5

        a23d14e29a03340350eedf7deeb335be

        SHA1

        34645a7b8af30e7e80820ccf7d3e12ae2c562c81

        SHA256

        10aac9bb1946b24c335f10fbe1c0a83c10ed95a6503d97a5eb510107214741e5

        SHA512

        2f394afca265d53db58c360dae75e2993e0cd1a5598a5b8a34a95e09d1c2e7d138c15f18fa7e7ef957e90d50f4dd4024e2dc22afd8e39aca9cffefd9bb14f98c

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

        Filesize

        488B

        MD5

        daa2115ecaf4947fe602c35065d8cc54

        SHA1

        4ec7822748ffad0157f16af165c94663e5c8df7b

        SHA256

        0970f663a7ef2895c3d6730275e046d27975a27d4418e92be13628998dc5dedd

        SHA512

        c6ab90a382f1777d0674f9e0136b9c2a3675dfcc2cd01e769db8b3f408b63cd930e10db8ca55be42a11791d5292548126dc30e13f415da78551044987333bc05

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

        Filesize

        446B

        MD5

        dd4a324a3aa5c6ad878659f3e3cfecda

        SHA1

        f522f5ba6c3f9174a87e279b5e178701d5975d3c

        SHA256

        736cc9d4c93f6aecc23fdf887b37c6945eb3d01a8e70470ed3448bfedb42ef99

        SHA512

        e288b0575427a3ec9f6bcc9290b65d221cd04a52a1d79ce3647ace256a76472ec4f3729bf628e5edf2d93fea5d24679e28b1d11531ad7de09f3814a0d28ba3a6

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        b2e1ae0ff85d67868f30eef9200d2c87

        SHA1

        24a9d205faf3d9586752c6f60eee9247258ca7e9

        SHA256

        ca02ea5cd521f8d7e09e362da6bd5786c3e76ea0a22f8e326b074bfeaac2c7c8

        SHA512

        3b4150eef373df4a2c8961f841c54de3459612daf2804a58db5da03a99d4764d93222085e62c18fdba481a6558a9d9a783cb3dbb0d43678df59160e784d9cf5a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

        Filesize

        482B

        MD5

        f327d66edf7d02ba9388c84a40aa9d02

        SHA1

        42b1a06cf0001265cbfd0ab901957542edb0411a

        SHA256

        e313554617ded93cd217e81b12b14bf65b7eee3e356688dc7af36492d4a56f78

        SHA512

        ebeb224ffb8c7fb153fefa91e44d66edaadfbbff0f05a7d83c057f5572f46d9b4b2d69400623c6f4481ed8b039c095f38ab7c985c07d4f9fed0f6d559b5680ae

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

        Filesize

        480B

        MD5

        daf8979ae16cca789fbd8ac6d0e4857e

        SHA1

        9dbe411be73fc38b8c2f19f691ce129a6f9854a0

        SHA256

        cb561943ab36395de36e0e7cad9714ff7a2af7d7c24a975204086a3e9715731b

        SHA512

        ccdcc2651c537e0caa17b7b090579f0d73d6af80e40df1bbbf4e404f983619cfe7fdaa776eb0265781162f47899fa879537b745152f5f09954ed188e0b29e701

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      • C:\Users\Admin\E696D64614\winlogon.exe

        Filesize

        855KB

        MD5

        4425b45b99f2bfd386e81e3283f6bae7

        SHA1

        79d666ce93787e344ed1599c012f5484d4c71b31

        SHA256

        bc77d4e07ccb007aab4860cee151a1e34d8dc77a31c09ffb639983927d22d0bb

        SHA512

        df2fc221f4946bd517c3f3c6b00d74bbba871909b82eb374ce27350857bcf752c333cdb85f615df231ea2f68028dca4be520db3e88a5102a937f3662e160d1b0

      • C:\Users\Admin\E696D64614\winlogon.exe

        Filesize

        855KB

        MD5

        4425b45b99f2bfd386e81e3283f6bae7

        SHA1

        79d666ce93787e344ed1599c012f5484d4c71b31

        SHA256

        bc77d4e07ccb007aab4860cee151a1e34d8dc77a31c09ffb639983927d22d0bb

        SHA512

        df2fc221f4946bd517c3f3c6b00d74bbba871909b82eb374ce27350857bcf752c333cdb85f615df231ea2f68028dca4be520db3e88a5102a937f3662e160d1b0

      • C:\Users\Admin\E696D64614\winlogon.exe

        Filesize

        855KB

        MD5

        4425b45b99f2bfd386e81e3283f6bae7

        SHA1

        79d666ce93787e344ed1599c012f5484d4c71b31

        SHA256

        bc77d4e07ccb007aab4860cee151a1e34d8dc77a31c09ffb639983927d22d0bb

        SHA512

        df2fc221f4946bd517c3f3c6b00d74bbba871909b82eb374ce27350857bcf752c333cdb85f615df231ea2f68028dca4be520db3e88a5102a937f3662e160d1b0

      • C:\Users\Admin\E696D64614\winlogon.exe

        Filesize

        855KB

        MD5

        4425b45b99f2bfd386e81e3283f6bae7

        SHA1

        79d666ce93787e344ed1599c012f5484d4c71b31

        SHA256

        bc77d4e07ccb007aab4860cee151a1e34d8dc77a31c09ffb639983927d22d0bb

        SHA512

        df2fc221f4946bd517c3f3c6b00d74bbba871909b82eb374ce27350857bcf752c333cdb85f615df231ea2f68028dca4be520db3e88a5102a937f3662e160d1b0

      • memory/1184-151-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

      • memory/1184-167-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

      • memory/1184-142-0x0000000000000000-mapping.dmp

      • memory/1972-139-0x0000000000000000-mapping.dmp

      • memory/4016-147-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

      • memory/4016-135-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

      • memory/4016-136-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

      • memory/4016-133-0x0000000000400000-0x000000000041A000-memory.dmp

        Filesize

        104KB

      • memory/4016-132-0x0000000000000000-mapping.dmp

      • memory/4656-166-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

      • memory/4656-152-0x0000000000000000-mapping.dmp

      • memory/4656-153-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

      • memory/4656-156-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

      • memory/4656-168-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

      • memory/4656-157-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB