bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403

General

Target

bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe
Size

1.3MB
MD5

718d025d6d5acfd8d79ce1aab8867ca1
SHA1

f643592f09ba18a069251c15ee9cd58d0b06c8a9
SHA256

bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403
SHA512

7e2af3de5e8bb2c18a3d4f0029a0c77a124e4bb73d3ec3a1232627955102af9ac86adf2f0ede92b2c66c5bccf10189f0e85f13df153ba2c629599e4c2fb12b63
SSDEEP

24576:4jHTGAgItSObli5bRJzLxUKJKQFxAEE+a+PhsxjqfNT9Jn2IEtKq5l6/G13Op3pW:8TzMGlUbRhtYgx++zh2qfJH1+poOXZ

Score

8^/10

persistence

Malware Config

Signatures

Uses Session Manager for persistence 2 TTPs 1 IoCs

Creates Session Manager registry key to run executable early in system boot.

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a000000	bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows32 = "C:\\windows\\system\\Winiupdate.exe"	bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Menu Iniciar\Iniciar\WindowsUpdate.exe	bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1440	bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe

C:\Users\Admin\AppData\Local\Temp\bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe
"C:\Users\Admin\AppData\Local\Temp\bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe"
1⤵
- Uses Session Manager for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1440-55-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1440-54-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1440-56-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1440-57-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1440-58-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1440-59-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1440-60-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1440-61-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1440-62-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1440-63-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/1440-64-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1440-65-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-67-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-66-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-68-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-69-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-70-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-71-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-73-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-72-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-75-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-74-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-76-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-77-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-79-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-78-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-81-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-80-0x000000000049C000-0x000000000049E800-memory.dmp

Filesize
10KB

Download
memory/1440-82-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/1440-83-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1440-84-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads