Overview

overview

7

Static

static

7

bc6f6b1e79...67.exe

windows7-x64

7

bc6f6b1e79...67.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14-03-2023 04:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc6f6b1e79077b230c5189cc30136267.exe

  • Size

    677KB

  • MD5

    bc6f6b1e79077b230c5189cc30136267

  • SHA1

    392f800a93e6c8eef39bb2558d9aa1c90551fb7a

  • SHA256

    c0205593654513ad8e334501eaee9c0b114eb6c91973d3f7929b644b0a87966d

  • SHA512

    f51abda84870f41ffdd8e87030bdc79a1c5fae1e5399f004a4c5cc4c51b76d2a9a92c5143a886f0fa36753c27a6e3d048a320f9e537f1852b705cb193e17b53d

  • SSDEEP

    12288:Yb1NwuGkcEah4/auHFkrfQ0VhP9ozLkSRr:YbRpO4/aulKQOo/kSt

Score
7/10
adwarediscoverypersistencestealer

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 13 IoCs
  • Registers COM server for autorun 1 TTPs 64 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 7 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc6f6b1e79077b230c5189cc30136267.exe
    "C:\Users\Admin\AppData\Local\Temp\bc6f6b1e79077b230c5189cc30136267.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c msiexec.exe /x {26A24AE4-039D-4CA4-87B4-2F06417080FF} /quiet /norestart
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:460
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe /x {26A24AE4-039D-4CA4-87B4-2F06417080FF} /quiet /norestart
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1688
    • C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
      "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe" /uninstall /quiet /norestart
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
        "C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe" /uninstall /quiet /norestart -burn.unelevated BurnPipe.{990ED895-A80F-4D44-BE61-EAACF445AF4D} {07821BC4-5B85-4CEB-B81B-302D83BFF26B} 1104
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 348
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1044
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 24C791C9A49FD43376A35317188C32B7
      2⤵
      • Loads dropped DLL
      PID:868
    • C:\Windows\Installer\MSI78CC.tmp
      "C:\Windows\Installer\MSI78CC.tmp" C:\Program Files\Java\jre7\;C;2
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1736
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Program Files\Java\jre7\bin\\installer.dll",UninstallJREEntryPoint
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Installs/modifies Browser Helper Object
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1352
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1548
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002B8" "00000000000002B4"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2008

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Browser Extensions

    1
    T1176

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\6c5959.rbs
      Filesize

      112KB

      MD5

      78dcd0b22cda12d585a84a675320d2e4

      SHA1

      9f8477e8d7eff5ac8feefbe4a55470cb0864623c

      SHA256

      f2622b61afd656f3d958a6a04fd3059c38194aab0d74eaab5e76c07290df92e0

      SHA512

      fec947820cf133fd41b2a211aeeecfb4782251abdaab3c585fceea0aab0b7029412c34659c4375e79e26f732afec488960b6cb72da4bb566cc63827ce4651566

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\java_install_reg.log
      Filesize

      4KB

      MD5

      0be6c0df8bb2be40cc116e44f48318bd

      SHA1

      fa9b1631a4511cbc7b1cebc601d7f17a761972ef

      SHA256

      3caf54a821f97bd1c50ab6eccc6bd4404cf22917e30e214134f27b44d89708b3

      SHA512

      934a529f6c4d7b27fae6edf5da9f44855af3e477e867cc4a8c2172140c699a01c3952441879d068edd05b7a510f67174e5c31755be644d859b945401b2d43c63

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\logo.png
      Filesize

      1KB

      MD5

      d6bd210f227442b3362493d046cea233

      SHA1

      ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

      SHA256

      335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

      SHA512

      464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

      Download Submit
    • C:\Windows\Installer\MSI5E67.tmp
      Filesize

      235KB

      MD5

      16cae7c3dce97c9ab1c1519383109141

      SHA1

      10e29384e2df609caea7a3ce9f63724b1c248479

      SHA256

      8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

      SHA512

      5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

      Download Submit
    • C:\Windows\Installer\MSI788D.tmp
      Filesize

      235KB

      MD5

      16cae7c3dce97c9ab1c1519383109141

      SHA1

      10e29384e2df609caea7a3ce9f63724b1c248479

      SHA256

      8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

      SHA512

      5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

      Download Submit
    • C:\Windows\Installer\MSI78CC.tmp
      Filesize

      309KB

      MD5

      8b285b5164ac3dbd6f6c97c81c77fb59

      SHA1

      2d846f00f4a1533d93d9f7fcf797cf406b7a79e5

      SHA256

      7c932b844dd505281a0eb1e3cb3c1b27be9ca47866655cc3bfd6ae660d4f6b2c

      SHA512

      2669938f68238a5e68accdd2c3f7dcdbafacd58e00418f32769bd452580e4a4fa0169b001652801ec3ec0ec67f093997a87f1bb80bd83c20cbf1145d3249e2b8

      Download Submit
    • C:\Windows\Installer\MSI79F5.tmp
      Filesize

      235KB

      MD5

      16cae7c3dce97c9ab1c1519383109141

      SHA1

      10e29384e2df609caea7a3ce9f63724b1c248479

      SHA256

      8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

      SHA512

      5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

      Download Submit
    • C:\Windows\Installer\MSI79F5.tmp
      Filesize

      235KB

      MD5

      16cae7c3dce97c9ab1c1519383109141

      SHA1

      10e29384e2df609caea7a3ce9f63724b1c248479

      SHA256

      8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

      SHA512

      5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

      Download Submit
    • \Program Files\Java\jre7\bin\deploy.dll
      Filesize

      481KB

      MD5

      2b652299b9967a6d7f9c321b04cd9c5b

      SHA1

      f26f9e22a1ba45fc5fd68b975889a1a637781056

      SHA256

      26b9a76128153429f3f5d668b134fe3c14b8b8430ae0e671191033bdda296097

      SHA512

      4e0bd2a70b6f82eb2ab80d5992d65455defb3b38021231e3d7cafa63e82634661bf9aa9eaee3b3e26d03c60fdc6666a59bdeee8c0bab0ef12740de6727366c2b

      Download Submit
    • \Program Files\Java\jre7\bin\installer.dll
      Filesize

      235KB

      MD5

      16cae7c3dce97c9ab1c1519383109141

      SHA1

      10e29384e2df609caea7a3ce9f63724b1c248479

      SHA256

      8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

      SHA512

      5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

      Download Submit
    • \Program Files\Java\jre7\bin\installer.dll
      Filesize

      235KB

      MD5

      16cae7c3dce97c9ab1c1519383109141

      SHA1

      10e29384e2df609caea7a3ce9f63724b1c248479

      SHA256

      8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

      SHA512

      5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

      Download Submit
    • \Program Files\Java\jre7\bin\installer.dll
      Filesize

      235KB

      MD5

      16cae7c3dce97c9ab1c1519383109141

      SHA1

      10e29384e2df609caea7a3ce9f63724b1c248479

      SHA256

      8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

      SHA512

      5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

      Download Submit
    • \Program Files\Java\jre7\bin\installer.dll
      Filesize

      235KB

      MD5

      16cae7c3dce97c9ab1c1519383109141

      SHA1

      10e29384e2df609caea7a3ce9f63724b1c248479

      SHA256

      8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

      SHA512

      5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

      Download Submit
    • \Program Files\Java\jre7\bin\wsdetect.dll
      Filesize

      187KB

      MD5

      a06336b79db4da78f4af955e26f7c0c6

      SHA1

      3c24fb0f8bf38999ccffc75a0f5710878bc40fc1

      SHA256

      2d96fc7ddb77288f05b78340cf6ac85dd604a2e5d53d6fcb825eead1a9b008d8

      SHA512

      c664e9259db49075cedd933f64ab4247384a117c5be609958e440a44cf2bfba13a10ade36f7c8bcacdec063c3ca63b3c70c5392e5b7d2ea02fd5be06a62c180a

      Download Submit
    • \Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll
      Filesize

      126KB

      MD5

      d7bf29763354eda154aad637017b5483

      SHA1

      dfa7d296bfeecde738ef4708aaabfebec6bc1e48

      SHA256

      7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93

      SHA512

      1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

      Download Submit
    • \Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll
      Filesize

      126KB

      MD5

      d7bf29763354eda154aad637017b5483

      SHA1

      dfa7d296bfeecde738ef4708aaabfebec6bc1e48

      SHA256

      7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93

      SHA512

      1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

      Download Submit
    • \Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll
      Filesize

      126KB

      MD5

      d7bf29763354eda154aad637017b5483

      SHA1

      dfa7d296bfeecde738ef4708aaabfebec6bc1e48

      SHA256

      7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93

      SHA512

      1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

      Download Submit
    • \Windows\Installer\MSI5E67.tmp
      Filesize

      235KB

      MD5

      16cae7c3dce97c9ab1c1519383109141

      SHA1

      10e29384e2df609caea7a3ce9f63724b1c248479

      SHA256

      8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

      SHA512

      5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

      Download Submit
    • \Windows\Installer\MSI788D.tmp
      Filesize

      235KB

      MD5

      16cae7c3dce97c9ab1c1519383109141

      SHA1

      10e29384e2df609caea7a3ce9f63724b1c248479

      SHA256

      8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

      SHA512

      5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

      Download Submit
    • \Windows\Installer\MSI78CC.tmp
      Filesize

      309KB

      MD5

      8b285b5164ac3dbd6f6c97c81c77fb59

      SHA1

      2d846f00f4a1533d93d9f7fcf797cf406b7a79e5

      SHA256

      7c932b844dd505281a0eb1e3cb3c1b27be9ca47866655cc3bfd6ae660d4f6b2c

      SHA512

      2669938f68238a5e68accdd2c3f7dcdbafacd58e00418f32769bd452580e4a4fa0169b001652801ec3ec0ec67f093997a87f1bb80bd83c20cbf1145d3249e2b8

      Download Submit
    • \Windows\Installer\MSI79F5.tmp
      Filesize

      235KB

      MD5

      16cae7c3dce97c9ab1c1519383109141

      SHA1

      10e29384e2df609caea7a3ce9f63724b1c248479

      SHA256

      8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

      SHA512

      5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

      Download Submit
    • memory/1468-58-0x0000000004690000-0x0000000004691000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1468-57-0x00000000002F0000-0x000000000045E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1468-54-0x00000000002F0000-0x000000000045E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1468-130-0x00000000002F0000-0x000000000045E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1468-56-0x00000000002F0000-0x000000000045E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1468-55-0x00000000002F0000-0x000000000045E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1468-148-0x00000000002F0000-0x000000000045E000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1468-64-0x0000000004690000-0x0000000004691000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1468-59-0x00000000002F0000-0x000000000045E000-memory.dmp
      Filesize

      1.4MB

      Download