Analysis
- max time kernel: 125s
- max time network: 52s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/12/2023, 19:00
Static task: static1
Behavioral task: behavioral1
- Sample: BCBP-FT-TRANSFER-287287912.scr.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: BCBP-FT-TRANSFER-287287912.scr.exe
- Resource: win10v2004-20231130-en
General
- Target: BCBP-FT-TRANSFER-287287912.scr.exe
- Size: 476KB
- MD5: 2afed36792d08f83bca5877f808612f2
- SHA1: fdc5f037f4d5b27c476f3ecb987810d90c40ff95
- SHA256: bbcd72e82d0511c6fda963e60a70d942e39e36e37ac225f75f3f5b9aa96b3e17
- SHA512: 7a0de4f310101b73ad6736e01661244394aa0495e297f57bdee852d4005e9961554120ea2efa111090bba6b1545a48acd5ff2a96dedec92ac0735fc76f805b42
- SSDEEP: 6144:b8LxBnaL3xX0XBxA4a76P34sAkTJDk/+rNx0kFGE/LK3auc17tTcGrAwDVaAX:aaLWXpa7u343IJ4+Zx0Qci1rU8o6
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid | Process
  2116 | gpaxjkfx.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pluuqyyiee = "C:\\Users\\Admin\\AppData\\Roaming\\ueeajjsoxxhdd\\miirbwwgp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\gpaxjkfx.exe\" " | gpaxjkfx.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  4708 | 2116 | WerFault.exe | 87
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 916 wrote to memory of 2116 | 916 | BCBP-FT-TRANSFER-287287912.scr.exe | 87
  PID 916 wrote to memory of 2116 | 916 | BCBP-FT-TRANSFER-287287912.scr.exe | 87
  PID 916 wrote to memory of 2116 | 916 | BCBP-FT-TRANSFER-287287912.scr.exe | 87
  PID 2116 wrote to memory of 3668 | 2116 | gpaxjkfx.exe | 90
  PID 2116 wrote to memory of 3668 | 2116 | gpaxjkfx.exe | 90
  PID 2116 wrote to memory of 3668 | 2116 | gpaxjkfx.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\BCBP-FT-TRANSFER-287287912.scr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BCBP-FT-TRANSFER-287287912.scr.exe"
  PID: 916
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\gpaxjkfx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\gpaxjkfx.exe"
    PID: 2116
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\gpaxjkfx.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\gpaxjkfx.exe"
      PID: 3668
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 664
      PID: 4708
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2116 -ip 2116
  PID: 5064
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 176KB
  MD5: dcb26c9bfc1b5d7ce5d51c3b87c37daa
  SHA1: 824e47ae0d2ef729977f162c019aba515575eabf
  SHA256: cb9f656521d692c898a9a5439682241d82087d40f3a949639b595f3fe2da106d
  SHA512: de22705d5410b7d4c24fdcfc32a87280f16ced3aa7eee860cdc8855d763916e3dab4ac01190444f51f3f67a7bde4451be0b9d9dd23922fcd983c0cde8515ac35
- Filesize: 300KB
  MD5: f4aa88a2bdd058cf0f9263c8d9207102
  SHA1: 399a192bbac02ec52cfee904aa1ee2fad0369aad
  SHA256: 2bcb37bd3f65d6135c329e502c2ef0909572c3fa480947cc6fe23252d41cdf33
  SHA512: 9e3428b01280b92af142db29b9c9ca6ede2a210a8617190bbecaf7504c661f6cab66d10926dac49b9864417f9667a867109fd312f012f9a487388a622bde80de