Analysis

max time kernel: 122s
max time network: 152s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 21/11/2023, 03:45
Static task: static1

Behavioral task: behavioral1
  Sample: c256204deb01c77e21ba17b5e2411245.exe
  Resource: win7-20231020-en

Behavioral task: behavioral2
  Sample: c256204deb01c77e21ba17b5e2411245.exe
  Resource: win10v2004-20231023-en
General

Target: c256204deb01c77e21ba17b5e2411245.exe
Size: 1.5MB
MD5: c256204deb01c77e21ba17b5e2411245
SHA1: 95ae7fb9f6710368e44a3c4e839d3d7bebbd4d5e
SHA256: f594822a45b8561a9b7a2e2ecf17558a692b1a193cf231617ba1b222723ca3ab
SHA512: f3e1f38c059ce56801382c6de631d7b90077fa77a2eb997906d2f6eef8dafe38ab041f023a11b27da41b87edb16484fb095e1053e4b01204412f3a586cd34c52
SSDEEP: 24576:2TbBv5rUyXVZJQCx441vcF3iE0npCoc1cQhWdB7in6D+6:IBJLQCvvcF3KpSu
Malware Config

Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  2788  BlockrefBrokerperf.exe
  3028  explorer.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2040  cmd.exe
  2040  cmd.exe

Drops file in Program Files directory (2 IoCs)
  description   ioc                                                         Process
  File created  C:\Program Files\Windows Photo Viewer\fr-FR\lsass.exe       BlockrefBrokerperf.exe
  File created  C:\Program Files\Windows Photo Viewer\fr-FR\6203df4a6bafc7  BlockrefBrokerperf.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  832   PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2788  BlockrefBrokerperf.exe   (the same row is reported 64 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2788  BlockrefBrokerperf.exe
  Token: SeDebugPrivilege  3028  explorer.exe

Suspicious use of WriteProcessMemory (24 IoCs; duplicate rows collapsed, count in last column)
  description                        pid   Process                                procid_target  rows
  PID 2080 wrote to memory of 2568   2080  c256204deb01c77e21ba17b5e2411245.exe   28             4
  PID 2568 wrote to memory of 2040   2568  WScript.exe                            29             4
  PID 2040 wrote to memory of 2788   2040  cmd.exe                                31             4
  PID 2788 wrote to memory of 1896   2788  BlockrefBrokerperf.exe                 32             3
  PID 1896 wrote to memory of 768    1896  cmd.exe                                34             3
  PID 1896 wrote to memory of 832    1896  cmd.exe                                35             3
  PID 1896 wrote to memory of 3028   1896  cmd.exe                                36             3
Processes

[1] C:\Users\Admin\AppData\Local\Temp\c256204deb01c77e21ba17b5e2411245.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c256204deb01c77e21ba17b5e2411245.exe"
    PID: 2080
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\reviewruntimeMonitor\oYwPDBVe3AuHG3t6JLon5FNZVJrzPzwK1qz3t5qd93gftXcSil5zO.vbe"
      PID: 2568
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\reviewruntimeMonitor\XfrEwTdqjpljDpai91jT4EKzapK.bat" "
        PID: 2040
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [4] C:\reviewruntimeMonitor\BlockrefBrokerperf.exe
          Command line: "C:\reviewruntimeMonitor/BlockrefBrokerperf.exe"
          PID: 2788
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SucyYlPBTO.bat"
            PID: 1896
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\chcp.com
              Command line: chcp 65001
              PID: 768

          [6] C:\Windows\system32\PING.EXE
              Command line: ping -n 10 localhost
              PID: 832
              - Runs ping.exe

          [6] C:\reviewruntimeMonitor\explorer.exe
              Command line: "C:\reviewruntimeMonitor\explorer.exe"
              PID: 3028
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads