Analysis

Max time kernel: 138s
Max time network: 139s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25/02/2023, 01:00

Static task: static1

Behavioral task: behavioral1
Sample: bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe
Resource: win10v2004-20230220-en
General

Target: bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe
Size: 287KB
MD5: 117d45a1a70dba08bd9f49c581717d62
SHA1: 5d9f304c36677dbc50e225c53ed2daef0718f4bf
SHA256: bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350
SHA512: fc99cd865b933c5bba311cef2b1a71cbc4e6867c45cc4d6daaec751117b0335fde103253d354d49d99e336badfc97ae6dea6028a9e6d751bfef1261e7bc2aae1
SSDEEP: 6144:2icFyL6SgUo3Mv97fqEJHvbR02vN79QD8CchMehu:pP6I9TPPbRFV9UeY
Malware Config

Signatures

Guloader, Cloudeye
A shellcode based downloader first seen in 2020.

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
description | ioc | Process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe

Executes dropped EXE (1 IoC)
pid | Process
4484 | Windows8.exe

Loads dropped DLL (4 IoCs)
pid | Process
2260 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe
2260 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe
4484 | Windows8.exe
4484 | Windows8.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows 8 updated = "C:\\Users\\Admin\\Documents\\Windows8.exe" | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
pid | Process
4644 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2260 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe
4644 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2260 set thread context of 4644 | 2260 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe | 87

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NTFS ADS (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\Documents\Documents:ApplicationData | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2444 | powershell.exe
2444 | powershell.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
2260 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2444 | powershell.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 2260 wrote to memory of 4644 | 2260 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe | 87
PID 2260 wrote to memory of 4644 | 2260 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe | 87
PID 2260 wrote to memory of 4644 | 2260 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe | 87
PID 2260 wrote to memory of 4644 | 2260 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe | 87
PID 4644 wrote to memory of 2444 | 4644 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe | 88
PID 4644 wrote to memory of 2444 | 4644 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe | 88
PID 4644 wrote to memory of 2444 | 4644 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe | 88
PID 4644 wrote to memory of 4484 | 4644 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe | 90
PID 4644 wrote to memory of 4484 | 4644 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe | 90
PID 4644 wrote to memory of 4484 | 4644 | bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe | 90
Processes

1. C:\Users\Admin\AppData\Local\Temp\bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe"
   PID: 2260
   - Checks QEMU agent file
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350.exe"
      PID: 4644
      - Checks QEMU agent file
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - NTFS ADS
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell Add-MpPreference -ExclusionPath C:\
         PID: 2444
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\Documents\Windows8.exe
         Command line: "C:\Users\Admin\Documents\Windows8.exe"
         PID: 4484
         - Executes dropped EXE
         - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 12KB (six identical entries in the report)
MD5: 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1: 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256: 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512: ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Filesize: 231KB
MD5: b7707f515faeda4bda4ccba71479e293
SHA1: ec6d7c807f5ba644e0a9112d3973832fc21ec115
SHA256: ecb66f9e1a26fe15a8cee7d6f7685296b5682bc3ecc669424220eddce3307f4f
SHA512: 923c9ad735a18b02edd8652d18d15026248223179dba392c1cb120b5ba5b55341cca1c924c4dc9930db2a3b1ece48676dfb93937e6363fe542b36e910111efdd

C:\Users\Admin\AppData\Roaming\Photolabeller\Byzantinize\Vandlbsforureninger\Straffesagens\Felttegns\Adsbud\Investeringsskemaers\Snvrende.Qua
Filesize: 95KB
MD5: e9b13226a5189842b0cf59c26096c490
SHA1: aaff3150ed875bc9344c7bed273796a6aca28add
SHA256: ae00e6e9278fdef85c9c4f0872ecf031e9c25763725b44f444f28625f61893ae
SHA512: 20b73a588c45ce000b9625dfeed7e2cdc08fdfbd4cac2c8d6a18514a633e30ddc7ef88bb693a0d5bfa3089a135d517b22a4642ea2bbd5bc84905a490f1974766

Filesize: 287KB (two identical entries in the report; same hashes as the submitted sample)
MD5: 117d45a1a70dba08bd9f49c581717d62
SHA1: 5d9f304c36677dbc50e225c53ed2daef0718f4bf
SHA256: bc7dad4c86fbdbe3bc632b5aa8c75b3719ec38aa70ec63bb55845752efd01350
SHA512: fc99cd865b933c5bba311cef2b1a71cbc4e6867c45cc4d6daaec751117b0335fde103253d354d49d99e336badfc97ae6dea6028a9e6d751bfef1261e7bc2aae1