Overview

overview

8

Static

static

1

bart.exe

windows7-x64

8

bart.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14/03/2023, 10:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bart.exe

  • Size

    776KB

  • MD5

    6a39f57725bccd075545b72a5205f6ce

  • SHA1

    2e2d88fe68bca68136996441afa1065a423007b1

  • SHA256

    02aeec3b3700be483dbe07a20959c39e57b9281680aad00a7683a130bf3a01a2

  • SHA512

    7d41a384cfb789b133371fb140c9ea1602119f0e4ad012fa7e0f225052ce56e29b05b14f55d829c69c4e632cc0e869e7b27e22dcc48d63f5d7ad38279fb06ed8

  • SSDEEP

    12288:db30Nt8NiLXRb4qJ5QIfDCw4v9QJglmIUeTs0k0XA3ncLHH:db30NWirw50c7H

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Users\Admin\AppData\Local\Temp\bart.exe
      "C:\Users\Admin\AppData\Local\Temp\bart.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Users\Admin\AppData\Local\Temp\bart.exe
        "C:\Users\Admin\AppData\Local\Temp\bart.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1196
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1684

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\hba0htf.zip
      Filesize

      422KB

      MD5

      82949903c2fb1a5eda9181b96800a472

      SHA1

      b1796bd0c2e7eaed79d1cd8d5dd90e02d491b43d

      SHA256

      21ebd12c1aa68aa18f4bfdd7ae30d6d321747ee9d91e1d07926d11f2ae84a101

      SHA512

      c12c980a6778a27f0f9f4266dd8432d5d3f12f3c2a8fa7f760381b3b37c662b71d39274c642e121b78542064e6c9cea48217f808b4ab6a087eb15c27fa02e704

      Download Submit

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      807KB

      MD5

      16a1612789dc9063ebea1cb55433b45b

      SHA1

      438fde2939bbb9b5b437f64f21c316c17ce4a7f6

      SHA256

      6deaec2f96c8a1c20698a93ddd468d5447b55ac426dc381eef5d91b19953bb7b

      SHA512

      d727ce8cd793c09a8688accb7a2eb5d8f84cc198b8e9d51c21e2dfb11d850f3ac64a58d07ff7fe9d1a2fdb613567e4790866c08a423176216ff310bf24a5a7e3

      Download Submit

    • memory/1184-84-0x0000000006340000-0x00000000063D3000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1184-80-0x0000000006340000-0x00000000063D3000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1184-73-0x0000000004A30000-0x0000000004B03000-memory.dmp

      Filesize

      844KB

      Download

    • memory/1196-68-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1196-72-0x0000000000090000-0x00000000000A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1196-71-0x00000000008B0000-0x0000000000BB3000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1196-62-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1196-63-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1196-64-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1196-69-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1292-77-0x00000000000D0000-0x00000000000FD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1292-75-0x0000000000900000-0x0000000000914000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1292-128-0x0000000061E00000-0x0000000061EB6000-memory.dmp

      Filesize

      728KB

      Download

    • memory/1292-124-0x0000000061E00000-0x0000000061EB6000-memory.dmp

      Filesize

      728KB

      Download

    • memory/1292-82-0x0000000001FA0000-0x000000000202F000-memory.dmp

      Filesize

      572KB

      Download

    • memory/1292-79-0x0000000002110000-0x0000000002413000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1292-78-0x0000000000900000-0x0000000000914000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1292-74-0x0000000000900000-0x0000000000914000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1968-60-0x0000000000560000-0x000000000057A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1968-54-0x0000000000BE0000-0x0000000000CA8000-memory.dmp

      Filesize

      800KB

      Download

    • memory/1968-59-0x0000000004620000-0x0000000004660000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1968-67-0x0000000004620000-0x0000000004660000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1968-58-0x0000000004620000-0x0000000004660000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1968-61-0x00000000005C0000-0x00000000005C6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1968-57-0x0000000000540000-0x0000000000558000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1968-56-0x0000000002190000-0x00000000021DA000-memory.dmp

      Filesize

      296KB

      Download

    • memory/1968-55-0x0000000004620000-0x0000000004660000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1968-65-0x0000000004620000-0x0000000004660000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1968-66-0x0000000004620000-0x0000000004660000-memory.dmp

      Filesize

      256KB

      Download