96f35b8f39ac3630a9c58f2621bb0cfce873b69c5a1c2a40612130076e07a533

Analysis

max time kernel
350s
max time network
363s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25/08/2023, 17:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

levelcomputer/levelcomputer.exe
Size

192.4MB
MD5

760e4dfcad56f67f80ec4b2def63de69
SHA1

0af7b525ac681f37e6e2d80864a5884d1ff76711
SHA256

86a046300c03712f3d07e9c0e50369937b77a7e8183f3e40574da5de7fc5ce6e
SHA512

bdfeb7e1ce7dc861c853708675024f16ef301081f1cb1e8dc31d7f772d8950984b13e973fbbf1d5ca9b10a28b3e8d6de4da5ef33a6f729be462d2d7119acc705
SSDEEP

6291456:RwNK18un4nZCbavGsedutVPsHdPa1UlcF:6NK6tZ6avyutVmd0U

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2604	BCUninstaller_5_6_setup_1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	levelcomputer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	BCUninstaller_5_6_setup_1.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2604	2112	levelcomputer.exe	28
PID 2112 wrote to memory of 2604	2112	levelcomputer.exe	28
PID 2112 wrote to memory of 2604	2112	levelcomputer.exe	28
PID 2112 wrote to memory of 2604	2112	levelcomputer.exe	28
PID 2112 wrote to memory of 2604	2112	levelcomputer.exe	28
PID 2112 wrote to memory of 2604	2112	levelcomputer.exe	28
PID 2112 wrote to memory of 2604	2112	levelcomputer.exe	28

C:\Users\Admin\AppData\Local\Temp\levelcomputer\levelcomputer.exe
"C:\Users\Admin\AppData\Local\Temp\levelcomputer\levelcomputer.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BCUninstaller_5_6_setup_1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BCUninstaller_5_6_setup_1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BCUninstaller_5_6_setup_1.exe

Filesize
95.2MB

MD5
1edc7e9e4c0c5663920395836d17ec82

SHA1
f68a7c5495ca3561c22a75cc998e3854608f6f38

SHA256
3c92c0a47becd2efa579fb3eaa06dd711a55f4a2cdb9a0311492da2205b1e446

SHA512
d595dfdfac98a135c27bb8acea7b8e67d40cec785a51d1b1256d7bdfaff7940372918faa55b93280aca96c45cc7c05264b135acc51ebade24d3523e92469f2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BCUninstaller_5_6_setup_1.exe

Filesize
95.2MB

MD5
1edc7e9e4c0c5663920395836d17ec82

SHA1
f68a7c5495ca3561c22a75cc998e3854608f6f38

SHA256
3c92c0a47becd2efa579fb3eaa06dd711a55f4a2cdb9a0311492da2205b1e446

SHA512
d595dfdfac98a135c27bb8acea7b8e67d40cec785a51d1b1256d7bdfaff7940372918faa55b93280aca96c45cc7c05264b135acc51ebade24d3523e92469f2a3

Download Submit
memory/2604-8-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/2604-9-0x0000000000B50000-0x0000000006A94000-memory.dmp

Filesize
95.3MB

Download
memory/2604-10-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/2604-11-0x0000000000650000-0x0000000000690000-memory.dmp

Filesize
256KB

Download
memory/2604-12-0x0000000000650000-0x0000000000690000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads