b7ea0e724c8e17732eceedf7e497416e2c7a3a91ab9c2b200de3f180a9cca24d

General

Target

BSSAClientSetup7.exe
Size

14.4MB
MD5

ee91d6b6497a5f7cf87435e00687d956
SHA1

71b172e94b84224a81b2b469b86fff81af08559e
SHA256

b7ea0e724c8e17732eceedf7e497416e2c7a3a91ab9c2b200de3f180a9cca24d
SHA512

efbd5d666efce148fed103b7781c207bda23bb4bb4995fad462ac78371a280d17921125de9c8294790ec0b03a129e1c3bdc17acfa9e4e9c106f6fd794801b178
SSDEEP

393216:YHfz9Zd79AL4eWbJHLiOdcDKPo4/q5e/0:Y79vhAL8HLBaGAK8

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
2380	BSSAClientSetup7.tmp

Loads dropped DLL 3 IoCs

pid	Process
1988	BSSAClientSetup7.exe
2380	BSSAClientSetup7.tmp
2380	BSSAClientSetup7.tmp

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2956	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2924	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2380	BSSAClientSetup7.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2380	1988	BSSAClientSetup7.exe	28
PID 1988 wrote to memory of 2380	1988	BSSAClientSetup7.exe	28
PID 1988 wrote to memory of 2380	1988	BSSAClientSetup7.exe	28
PID 1988 wrote to memory of 2380	1988	BSSAClientSetup7.exe	28
PID 1988 wrote to memory of 2380	1988	BSSAClientSetup7.exe	28
PID 1988 wrote to memory of 2380	1988	BSSAClientSetup7.exe	28
PID 1988 wrote to memory of 2380	1988	BSSAClientSetup7.exe	28
PID 2380 wrote to memory of 2956	2380	BSSAClientSetup7.tmp	29
PID 2380 wrote to memory of 2956	2380	BSSAClientSetup7.tmp	29
PID 2380 wrote to memory of 2956	2380	BSSAClientSetup7.tmp	29
PID 2380 wrote to memory of 2956	2380	BSSAClientSetup7.tmp	29
PID 2380 wrote to memory of 2924	2380	BSSAClientSetup7.tmp	31
PID 2380 wrote to memory of 2924	2380	BSSAClientSetup7.tmp	31
PID 2380 wrote to memory of 2924	2380	BSSAClientSetup7.tmp	31
PID 2380 wrote to memory of 2924	2380	BSSAClientSetup7.tmp	31

C:\Users\Admin\AppData\Local\Temp\BSSAClientSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\BSSAClientSetup7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\is-9I375.tmp\BSSAClientSetup7.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9I375.tmp\BSSAClientSetup7.tmp" /SL5="$80120,14868872,52736,C:\Users\Admin\AppData\Local\Temp\BSSAClientSetup7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" stop NetSpeedGuard
    3⤵
    - Launches sc.exe
    PID:2956
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\system32\taskkill.exe" /F /IM NetSpeedGuardTip.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9I375.tmp\BSSAClientSetup7.tmp

Filesize
700KB

MD5
88a0387e20eaac468789990b0e0bb19f

SHA1
aa0caaa9c0f7bebad4b5935813bd56a7c0700c85

SHA256
14e711509c689cf9bf3de95cfa102fb70e994a45d33fa471e077e5d184be292f

SHA512
72689c6e8cff01d85a840c824700776ce2182ca10e53af2c5126de069308572cafe92e47eba324c2fd5642129bfe743ea8dc48f3d61f91aef7824bca8ec9b640

Download Submit
\Users\Admin\AppData\Local\Temp\is-3NFLO.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-3NFLO.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-9I375.tmp\BSSAClientSetup7.tmp

Filesize
700KB

MD5
88a0387e20eaac468789990b0e0bb19f

SHA1
aa0caaa9c0f7bebad4b5935813bd56a7c0700c85

SHA256
14e711509c689cf9bf3de95cfa102fb70e994a45d33fa471e077e5d184be292f

SHA512
72689c6e8cff01d85a840c824700776ce2182ca10e53af2c5126de069308572cafe92e47eba324c2fd5642129bfe743ea8dc48f3d61f91aef7824bca8ec9b640

Download Submit
memory/1988-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1988-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2380-61-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2380-70-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2380-71-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing