Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2022, 17:54

General

  • Target

    bcf58dbad0164dfe3d68c3245ad32fbd0ae8b6fb25ded022043058704ebba226.exe

  • Size

    246KB

  • MD5

    0eaefb76467326dcfff1af882dacbcd3

  • SHA1

    e633d05498e96382abfe71d60fb4653125b9f68f

  • SHA256

    bcf58dbad0164dfe3d68c3245ad32fbd0ae8b6fb25ded022043058704ebba226

  • SHA512

    98afc7a95c966c4ebb34f070b7e274730aa32140be1abd1b9c8a73ebb21ccd939d6b172f46f655f0dcd112e973c57d9348071aff83f057c3e2327d9f5f38b20e

  • SSDEEP

    6144:jzCmXWWm1Ws3iNkBlONWtHk1y+1y/0wLbihbwz8sec:j2mXbm1D3fHONw8fy/0QOr3c

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcf58dbad0164dfe3d68c3245ad32fbd0ae8b6fb25ded022043058704ebba226.exe
    "C:\Users\Admin\AppData\Local\Temp\bcf58dbad0164dfe3d68c3245ad32fbd0ae8b6fb25ded022043058704ebba226.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Users\Admin\AppData\Local\Temp\~ZBHXCXSF.tmp
      "C:\Users\Admin\AppData\Local\Temp\~ZBHXCXSF.tmp"
      2⤵
      • Executes dropped EXE
      PID:612
    • C:\Users\Admin\AppData\Local\Temp\~ZBHXCXSF.tmp.dll
      "C:\Users\Admin\AppData\Local\Temp\~ZBHXCXSF.tmp.dll"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" stop "Symantec AntiVirus Client"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Symantec AntiVirus Client"
          4⤵
          PID:3732
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" stop "Symantec AntiVirus Server"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Symantec AntiVirus Server"
          4⤵
          PID:2380
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" stop "Rising Realtime Monitor Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Rising Realtime Monitor Service"
          4⤵
          PID:4908
      • C:\Windows\Exploier.exe
        "C:\Windows\Exploier.exe"
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        PID:4080
      • C:\Windows\SysWOW64\iexplorer.exe
        "C:\Windows\System32\iexplorer.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:4840
  • C:\Windows\system32\WerFault.exe
    "C:\Windows\system32\WerFault.exe" -k -lc NDIS NDIS-20221210-0227.dmp
    1⤵
    PID:724

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~ZBHXCXSF.tmp

    Filesize

    41KB

    MD5

    587a5bb112b1915a679e030ef409863d

    SHA1

    2f9a0c98349a3d92a2847d5e6b971703338f50ef

    SHA256

    50deca5f8a6b128fca150757253493d53778a17cbf32774bbedebab3a93f7d61

    SHA512

    2d71c39b2da0dc12ce212f519eb5b685e2e9cd73d8891d2eb50e2bdb37320f068a1f0c676eb4eda9f16837456a60f97551ffd75463531c0df85edc6badb1eb2d

  • C:\Users\Admin\AppData\Local\Temp\~ZBHXCXSF.tmp.dll

    Filesize

    149KB

    MD5

    14c8ede40aee9c6e0540d6f5433185a3

    SHA1

    4f1539454953fda3640a8733827118b563c7b541

    SHA256

    7679e7d848391db4e01c69ddaf39879f4fb2c0c6369d88c79609fdecd2343544

    SHA512

    57e08298c031a13987bbcb8b3bfc29e79525b1b3386be5a8e71dd7b75193134271d82c9b385fb5a9210caa3d00303729a500093bd0993ec2f277de716736ca88

  • C:\Windows\Exploier.exe

    Filesize

    56KB

    MD5

    60d283ef18a82fe999f24844b86944ab

    SHA1

    7aac231e88a2d85a3e49537fed639714e43eaea6

    SHA256

    72de2ef48c4b1231f6426b2a54ade0caaf849c111bddc57cc4e604afa2d7d354

    SHA512

    e189cd2ef75b1a0416024a63a8027c77a7a61c0a52d7a91b0b7e01c0c96b98501e28063e555243cf5dc20a5e11d7e7c4ac7ec6d48748552857845aff15160994

  • C:\Windows\SysWOW64\iexplorer.exe

    Filesize

    60KB

    MD5

    068ab7aff165eaf4a6b5d1f5efc5779d

    SHA1

    73a804514776dfd459eeff5fe00a0d6fab0af268

    SHA256

    c0c8e4b525a79261a08fe87507f0c0e3bbe4b8f5e78c9a8d4b26bba4077d2708

    SHA512

    6053cd554427ebef13a7d405309b9ce3d675d81e389632e80b28bac7b0e1e7dc1913fee8dcfbc624ed091d62eeab51ad41d9124463548be9d32b8d33911b50ee

  • C:\Windows\SysWOW64\kernel66.dll

    Filesize

    149KB

    MD5

    14c8ede40aee9c6e0540d6f5433185a3

    SHA1

    4f1539454953fda3640a8733827118b563c7b541

    SHA256

    7679e7d848391db4e01c69ddaf39879f4fb2c0c6369d88c79609fdecd2343544

    SHA512

    57e08298c031a13987bbcb8b3bfc29e79525b1b3386be5a8e71dd7b75193134271d82c9b385fb5a9210caa3d00303729a500093bd0993ec2f277de716736ca88

  • memory/2744-138-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/2744-152-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB