6343971168f0284d80215dd798cc972019f87980382c1a579e18ba6d96beda5a

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/03/2023, 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BB05.exe
Size

2.7MB
MD5

a9f9e49761e839de242b24de7486efaf
SHA1

a1911f8b0cda710df3989d7e2a49332d7eef70c7
SHA256

6343971168f0284d80215dd798cc972019f87980382c1a579e18ba6d96beda5a
SHA512

36dd2359a7e6792a9dd3ac5fd0027277521b116be45866867b70ed1b46a297b2e56681f01302fb9097bf9f7d3399559a2f73bb082118e320743a5b0f1002203d
SSDEEP

49152:FfJ3MKcI6NXC3neozsSW870/PdqeiUz3rF8tHHeFGrNkegiMjM:FR3MKKNy3Vzw3dtprOHH3pMiX

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1736	BB05.exe
1736	BB05.exe
1736	BB05.exe

Registers COM server for autorun 1 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32	BB05.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\CLSID\{2E0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32	BB05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32	BB05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\CabPack.dll"	BB05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32\ThreadingModel = "Apartment"	BB05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32\ThreadingModel = "Apartment"	BB05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32	BB05.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\CLSID\{1F0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32	BB05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\CabPack.dll"	BB05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32\ThreadingModel = "Apartment"	BB05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\CabPack.dll"	BB05.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BBSee\skinScreen\pop_bg.png	BB05.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\CabPack.dll	BB05.exe
File created	C:\Program Files (x86)\BBSee\BbCatchbases1.dll	BB05.exe
File created	C:\Program Files (x86)\BBSee\BbSeePic.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\next.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\slt_bg.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\close.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\icon_bg.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\shadow_l.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\shadow_r.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Top\reduction.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\arrow.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\color.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\return.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\finish.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\shadow.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Sidebar\cw.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Sidebar\line2.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\big.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\BbCatchbase.dll	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Top\top.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\size_bg.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\shadow_d.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\view_next.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Top\ckqlogo-20.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Top\cut.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Sidebar\print.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Top\close.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Top\sky.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\round.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\see_config	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Viewer\close_bg48.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\Expand.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\view_back.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\font.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\uninst.exe	BB05.exe
File created	C:\Program Files (x86)\BBSee\BbSeePic.exe	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Xspicsee.ini	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\b-g.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\bg.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Sidebar\bin.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Viewer\X.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Sidebar\ccw.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Top\Print.png	BB05.exe
File created	C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\back.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\select.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Top\min.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\back.JPG	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\bg-icon.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Top\Expand.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Top\set.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\save222.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\BbScreen.exe	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Sidebar\monitor.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Top\max.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\mid.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\rectangle.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\zoomin.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\zoomout.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\pen.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinScreen\save.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\FullScreen\rateBg.png	BB05.exe
File created	C:\Program Files (x86)\BBSee\skinConfig\Default\Top\open.png	BB05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	BB05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\CabPack.dll"	BB05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\SharingEx\ = "{2E0A5268-19D0-6B68-44AE-0C2D715FB6EB}"	BB05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F0A5268-19D0-6B68-44AE-0C2D715FB6EB}	BB05.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\CLSID\{1F0A5268-19D0-6B68-44AE-0C2D715FB6EB}	BB05.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\CLSID\{2E0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32	BB05.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\CLSID\{2E0A5268-19D0-6B68-44AE-0C2D715FB6EB}	BB05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	BB05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A0A5268-19D0-6B68-44AE-0C2D715FB6EB}	BB05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\CabPack.dll"	BB05.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\CLSID\{1F0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32	BB05.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\CLSID	BB05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32	BB05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\SharingEx	BB05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1A0A5268-19D0-6B68-44AE-0C2D715FB6EB}"	BB05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32\ThreadingModel = "Apartment"	BB05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\CabPack.dll"	BB05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32\ThreadingModel = "Apartment"	BB05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32	BB05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E0A5268-19D0-6B68-44AE-0C2D715FB6EB}	BB05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32	BB05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A0A5268-19D0-6B68-44AE-0C2D715FB6EB}\InProcServer32\ThreadingModel = "Apartment"	BB05.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1736	BB05.exe
1736	BB05.exe
1736	BB05.exe
1736	BB05.exe
1736	BB05.exe
1736	BB05.exe
1736	BB05.exe
1736	BB05.exe
1736	BB05.exe
1736	BB05.exe

C:\Users\Admin\AppData\Local\Temp\BB05.exe
"C:\Users\Admin\AppData\Local\Temp\BB05.exe"
1⤵
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd282.tmp\Checker.dll

Filesize
41KB

MD5
0dd6cd859d43c1f2e5f6f581792ad290

SHA1
c9f0400201d7460ea2695fe1771d3bd96245e1b6

SHA256
4775716c1cb2f2712996e320688a01fec0620b921fc767361e72a3781e0cd4c7

SHA512
0881afd9849c5900988e9e8915604aad1419c8c03d40364b588059b3b527b5249047fe02cdf6ae9db445ae03415682260321bde79734e6d0c1baf6ee40fb9131

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd282.tmp\Zip.dll

Filesize
79KB

MD5
1d18144fc0ef624a1d8697fbfa7ee234

SHA1
766666e8db7d1f84f59d9ab5c37106403d99e5ad

SHA256
5e1e9bbc108d6877ac2f9782a6bef84fa47706ec367565f26dcf7efe3d9bc350

SHA512
1af9140ae67f5e58108f62825f3fe03399ad030ac140b7aafafa5aadce734e27120bb5f16ddf83d644f85b8959fc4e2569bf3c73286141fda0d0f4a98b4199fa

Download Submit
\Program Files (x86)\BBSee\BbSeePic.exe

Filesize
2.0MB

MD5
48db556edb8161dd644e0600dad377ab

SHA1
91bb98052200799fb68b8b81554fafd3132edcfc

SHA256
3d26db66818da9db470245c1de68d1af1139f956d1b92bac7821b47a2a9dda21

SHA512
f83a91ac048d7fdad924a2618294079d36351672a320e73a3d960bab07646c2ce15a006745d203fe60d2434d671e72e5b0bd0be83c11b442783b60c8f4373846

Download Submit
\Users\Admin\AppData\Local\Temp\nsd282.tmp\Checker.dll

Filesize
41KB

MD5
0dd6cd859d43c1f2e5f6f581792ad290

SHA1
c9f0400201d7460ea2695fe1771d3bd96245e1b6

SHA256
4775716c1cb2f2712996e320688a01fec0620b921fc767361e72a3781e0cd4c7

SHA512
0881afd9849c5900988e9e8915604aad1419c8c03d40364b588059b3b527b5249047fe02cdf6ae9db445ae03415682260321bde79734e6d0c1baf6ee40fb9131

Download Submit
\Users\Admin\AppData\Local\Temp\nsd282.tmp\Zip.dll

Filesize
79KB

MD5
1d18144fc0ef624a1d8697fbfa7ee234

SHA1
766666e8db7d1f84f59d9ab5c37106403d99e5ad

SHA256
5e1e9bbc108d6877ac2f9782a6bef84fa47706ec367565f26dcf7efe3d9bc350

SHA512
1af9140ae67f5e58108f62825f3fe03399ad030ac140b7aafafa5aadce734e27120bb5f16ddf83d644f85b8959fc4e2569bf3c73286141fda0d0f4a98b4199fa

Download Submit
memory/1736-67-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1736-71-0x0000000000780000-0x000000000079B000-memory.dmp

Filesize
108KB

Download
memory/1736-75-0x0000000003E70000-0x0000000004A83000-memory.dmp

Filesize
12.1MB

Download
memory/1736-79-0x00000000007A0000-0x00000000007D8000-memory.dmp

Filesize
224KB

Download
memory/1736-83-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download