Analysis

max time kernel: 150s
max time network: 141s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 07/12/2022, 02:34

Static task: static1

Behavioral task: behavioral1
  Sample: d489e331692e5d6813d0ffe12a8bc919324ffa57e83283569c9e22271cd75dc7.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: d489e331692e5d6813d0ffe12a8bc919324ffa57e83283569c9e22271cd75dc7.exe
  Resource: win10v2004-20221111-en
General

Target: d489e331692e5d6813d0ffe12a8bc919324ffa57e83283569c9e22271cd75dc7.exe
Size: 12KB
MD5: a29a16d6b04433a6656d2bfba53bc35e
SHA1: b2f78f56ba44db59a826e4365344f941fd593866
SHA256: d489e331692e5d6813d0ffe12a8bc919324ffa57e83283569c9e22271cd75dc7
SHA512: 53de804d64b46b882e7d9a9a4bc27207a37474bdcd1ee3105b199d5ec769336867b6342836146641f47e83df638d54020919c35fca23517c8d5b8581a86eae3c
SSDEEP: 384:2mJAPb4u1Di00w+Q0Q40Xbs1q69Fi3JlxBk:2mqbDUw+T6wR9Fi
Malware Config
Signatures
Drops file in Drivers directory (2 IoCs)
  description                    ioc                                     process
  File opened for modification   C:\Windows\SysWOW64\Drivers\beep.sys    d489e331692e5d6813d0ffe12a8bc919324ffa57e83283569c9e22271cd75dc7.exe
  File opened for modification   C:\Windows\SysWOW64\Drivers\beep.sys    Mbcwder.exe
  Note: both writers run under WOW64 (the sample's cmd.exe child resolves to C:\Windows\SysWOW64\cmd.exe), so a write aimed at System32\drivers is redirected to SysWOW64\Drivers. That directory is not the one the kernel loads drivers from, so the beep.sys modification recorded here does not by itself show a driver being replaced.
Executes dropped EXE (1 IoC)
  pid    process
  1704   Mbcwder.exe

Deletes itself (1 IoC)
  pid    process
  1680   cmd.exe

Drops file in System32 directory (2 IoCs)
  description                    ioc                              process
  File created                   C:\Windows\SysWOW64\Mbcwder.exe  d489e331692e5d6813d0ffe12a8bc919324ffa57e83283569c9e22271cd75dc7.exe
  File opened for modification   C:\Windows\SysWOW64\Mbcwder.exe  d489e331692e5d6813d0ffe12a8bc919324ffa57e83283569c9e22271cd75dc7.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                                    process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       Mbcwder.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   Mbcwder.exe
Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid    process                                                                   count
  1464   d489e331692e5d6813d0ffe12a8bc919324ffa57e83283569c9e22271cd75dc7.exe   2
  1704   Mbcwder.exe                                                               19
Suspicious behavior: LoadsDriver (64 IoCs)
  pid    process             count
  464    Process not Found   64
  (the sandbox did not resolve the image name for pid 464; all 64 driver-load events come from that one process)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                              pid    process
  Token: SeIncBasePriorityPrivilege        1464   d489e331692e5d6813d0ffe12a8bc919324ffa57e83283569c9e22271cd75dc7.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid    process                                                                   procid_target   count
  PID 1464 wrote to memory of 1680  1464   d489e331692e5d6813d0ffe12a8bc919324ffa57e83283569c9e22271cd75dc7.exe   27              4
Processes

C:\Users\Admin\AppData\Local\Temp\d489e331692e5d6813d0ffe12a8bc919324ffa57e83283569c9e22271cd75dc7.exe  (PID 1464)
  command line: "C:\Users\Admin\AppData\Local\Temp\d489e331692e5d6813d0ffe12a8bc919324ffa57e83283569c9e22271cd75dc7.exe"
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\cmd.exe  (PID 1680)
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D489E3~1.EXE > nul
      - Deletes itself

C:\Windows\SysWOW64\Mbcwder.exe  (PID 1704, no parent recorded in the tree)
  command line: C:\Windows\SysWOW64\Mbcwder.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
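The signatures above map directly onto host telemetry. As an added example (not code from the sandbox or from the sample), the Python below re-derives four of them from a constructed, Sysmon-style event list: the self-deletion through cmd.exe, the two writes under a Drivers directory, and the ProcessorNameString read. The Event schema, the EVENTS list (modelled on the IoCs in this report plus one benign control) and the simplified 8.3 short-name matcher are all assumptions made for the example; real 8.3 generation also strips spaces and dots and increments the ~N suffix on collisions.

```python
"""Re-derive the behavioural signatures in this report from a constructed,
Sysmon-style event list (added example; the event schema and the events
below are assumptions modelled on the report, not the sandbox's data)."""
import ntpath
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d489e331692e5d6813d0ffe12a8bc919324ffa57e83283569c9e22271cd75dc7.exe")
DROPPED = r"C:\Windows\SysWOW64\Mbcwder.exe"


@dataclass
class Event:
    kind: str               # "process" (cmdline in target), "file", "registry"
    pid: int
    image: str              # image path of the acting process
    target: str             # child cmdline / written file / registry value
    parent_image: str = ""  # only meaningful for kind == "process"
    parent_pid: int = 0


# cmd.exe /c del <path> [> nul]: capture the path being deleted
DEL_RE = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+del\s+"?([^"\s>]+)', re.I)
DRIVER_DIRS = ("\\system32\\drivers\\", "\\syswow64\\drivers\\")
CPU_NAME_VALUE = r"\hardware\description\system\centralprocessor\0\processornamestring"


def short_name_matches(short: str, full: str) -> bool:
    """Approximate 8.3 check: D489E3~1.EXE should match the long d489e3...exe.
    Only the six-char stem prefix and three-char extension are compared
    (assumption: good enough to tie a 'del' target to a parent image)."""
    s_stem, s_ext = ntpath.splitext(ntpath.basename(short))
    f_stem, f_ext = ntpath.splitext(ntpath.basename(full))
    m = re.fullmatch(r"(.{1,6})~\d+", s_stem)
    if m is None:  # no tilde: the short form is just the plain name
        return (s_stem.lower(), s_ext.lower()) == (f_stem.lower(), f_ext.lower())
    return (f_stem.lower().startswith(m.group(1).lower())
            and f_ext.lower()[:4] == s_ext.lower()[:4])


def same_dir(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def triage(events):
    """Return a list of {rule, pid, detail} hits, one per matching event."""
    hits = []
    for ev in events:
        if ev.kind == "process" and ntpath.basename(ev.image).lower() == "cmd.exe":
            m = DEL_RE.search(ev.target)
            # self-deletion: the parent asks cmd.exe to delete the parent's own image
            if m and same_dir(m.group(1), ev.parent_image) \
                    and short_name_matches(m.group(1), ev.parent_image):
                hits.append({"rule": "self_delete", "pid": ev.parent_pid,
                             "detail": f"{ev.parent_image} via cmd pid {ev.pid}"})
        elif ev.kind == "file":
            low = ev.target.lower()
            if any(d in low for d in DRIVER_DIRS):
                # SysWOW64\Drivers is the WOW64-redirected view of System32\drivers;
                # the kernel does not load drivers from there, so flag that in the detail
                redirected = "\\syswow64\\drivers\\" in low
                hits.append({"rule": "driver_dir_write", "pid": ev.pid,
                             "detail": ev.target + (" (WOW64-redirected)" if redirected else "")})
        elif ev.kind == "registry" and ev.target.lower().endswith(CPU_NAME_VALUE):
            # weak on its own (plenty of benign software reads it); useful in combination
            hits.append({"rule": "sandbox_probe", "pid": ev.pid, "detail": ev.target})
    return hits


# Constructed events mirroring the report's IoCs, plus one benign control
EVENTS = [
    Event("file", 1464, SAMPLE, DROPPED),
    Event("file", 1464, SAMPLE, r"C:\Windows\SysWOW64\Drivers\beep.sys"),
    Event("process", 1680, r"C:\Windows\SysWOW64\cmd.exe",
          r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D489E3~1.EXE > nul",
          parent_image=SAMPLE, parent_pid=1464),
    Event("registry", 1704, DROPPED,
          r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    Event("file", 1704, DROPPED, r"C:\Windows\SysWOW64\Drivers\beep.sys"),
    Event("process", 2000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\Temp\old.log",
          parent_image=r"C:\Windows\explorer.exe", parent_pid=1000),  # benign: not a self-delete
]

if __name__ == "__main__":
    for h in triage(EVENTS):
        print(f"{h['rule']:17} pid {h['pid']:<5} {h['detail']}")
```

Running it yields four hits (self_delete for 1464, driver_dir_write for 1464 and 1704, sandbox_probe for 1704) and nothing for the explorer-spawned cleanup, because the self-delete rule requires the deleted path to live in the parent's own directory and to match the parent's name in 8.3 form, not merely any `cmd /c del`.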
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 12KB
MD5: a29a16d6b04433a6656d2bfba53bc35e
SHA1: b2f78f56ba44db59a826e4365344f941fd593866
SHA256: d489e331692e5d6813d0ffe12a8bc919324ffa57e83283569c9e22271cd75dc7
SHA512: 53de804d64b46b882e7d9a9a4bc27207a37474bdcd1ee3105b199d5ec769336867b6342836146641f47e83df638d54020919c35fca23517c8d5b8581a86eae3c