Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231130-en -
resource tags
arch:x64 arch:x86 image:win7-20231130-en locale:en-us os:windows7-x64 system
submitted
04/12/2023, 19:01
Static task
static1
Behavioral task
behavioral1
Sample
BCBP-FT-TRANSFER-287287912.scr.exe
Resource
win7-20231130-en
Behavioral task
behavioral2
Sample
BCBP-FT-TRANSFER-287287912.scr.exe
Resource
win10v2004-20231130-en
General
-
Target
BCBP-FT-TRANSFER-287287912.scr.exe
-
Size
476KB
-
MD5
2afed36792d08f83bca5877f808612f2
-
SHA1
fdc5f037f4d5b27c476f3ecb987810d90c40ff95
-
SHA256
bbcd72e82d0511c6fda963e60a70d942e39e36e37ac225f75f3f5b9aa96b3e17
-
SHA512
7a0de4f310101b73ad6736e01661244394aa0495e297f57bdee852d4005e9961554120ea2efa111090bba6b1545a48acd5ff2a96dedec92ac0735fc76f805b42
-
SSDEEP
6144:b8LxBnaL3xX0XBxA4a76P34sAkTJDk/+rNx0kFGE/LK3auc17tTcGrAwDVaAX:aaLWXpa7u343IJ4+Zx0Qci1rU8o6
Malware Config
Extracted
nanocore
1.2.2.0
multipleentry90dayscontroller.homingbeacon.net:54980
6df769ca-fa90-4d27-be6c-663c699e6628
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-07-28T11:56:28.201018636Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
54980
-
default_group
K59
-
enable_debug_mode
true
-
gc_threshold
10485760 (printed by the extractor as 1.048576e+07; 10 MiB)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760 (printed by the extractor as 1.048576e+07; 10 MiB)
-
mutex
6df769ca-fa90-4d27-be6c-663c699e6628
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
multipleentry90dayscontroller.homingbeacon.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
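The block above is the raw extractor dump. As an added example, not part of the sandbox report and not NanoCore's own code, the Python below parses that key / value / - layout into network IOCs and a short list of settings that change how the host has to be handled. SAMPLE_CONFIG is a constructed subset of the page's values in the same layout, and the RISKY_FLAGS descriptions are the editor's reading of the setting names, not documented NanoCore semantics.

```python
"""Parse a NanoCore config dump in the report's 'key / value / -' layout and
turn it into IOCs plus host-handling caveats (added example, not report code)."""
from typing import Dict, List, Tuple

# Constructed input: a subset of the page's extracted config, same layout.
# backup_connection_host is deliberately empty, as it is on the page.
SAMPLE_CONFIG = """\
backup_connection_host
-
bypass_user_account_control
true
-
connection_port
54980
-
gc_threshold
1.048576e+07
-
primary_connection_host
multipleentry90dayscontroller.homingbeacon.net
-
primary_dns_server
8.8.8.8
-
run_on_startup
false
-
set_critical_process
true
-
use_custom_dns_server
false
-
version
1.2.2.0
"""

# Editor's reading of the setting names: what a 'true' means for handling.
RISKY_FLAGS = {
    "bypass_user_account_control": "attempts a UAC bypass",
    "request_elevation": "requests elevation",
    "set_critical_process": "marks itself critical: terminating it bugchecks the host",
    "clear_zone_identifier": "strips the Zone.Identifier (Mark-of-the-Web) stream",
}


def parse_config(text: str) -> Dict[str, str]:
    """Pair each key line with the value line after it; a key followed
    directly by '-' (or end of input) gets an empty value."""
    lines = [ln.strip() for ln in text.splitlines()]
    cfg: Dict[str, str] = {}
    i = 0
    while i < len(lines):
        if lines[i] in ("", "-"):
            i += 1
            continue
        key = lines[i]
        if i + 1 < len(lines) and lines[i + 1] not in ("", "-"):
            cfg[key], i = lines[i + 1], i + 2
        else:
            cfg[key], i = "", i + 1
    return cfg


def is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def to_int(value: str) -> int:
    """The extractor prints large integers as floats (1.048576e+07 = 10 MiB)."""
    return int(float(value))


def network_iocs(cfg: Dict[str, str]) -> List[Tuple[str, int]]:
    """Primary and (if set) backup C2 host, each on connection_port."""
    port = to_int(cfg.get("connection_port", "0"))
    hosts = (cfg.get("primary_connection_host", ""), cfg.get("backup_connection_host", ""))
    return [(h, port) for h in hosts if h]


def dns_servers_in_use(cfg: Dict[str, str]) -> List[str]:
    """Resolvers only matter when use_custom_dns_server is true; otherwise
    8.8.8.8 / 8.8.4.4 are inert defaults and not blocklist material."""
    if not is_true(cfg.get("use_custom_dns_server", "")):
        return []
    return [cfg[k] for k in ("primary_dns_server", "backup_dns_server") if cfg.get(k)]


def risky_settings(cfg: Dict[str, str]) -> Dict[str, str]:
    return {k: why for k, why in RISKY_FLAGS.items() if is_true(cfg.get(k, ""))}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("c2:", network_iocs(cfg), "dns:", dns_servers_in_use(cfg))
    print("risky:", risky_settings(cfg), "run_on_startup:", is_true(cfg["run_on_startup"]))
```

Two caveats the code encodes: the 8.8.8.8 / 8.8.4.4 entries are resolvers the implant would only use if use_custom_dns_server were true, which it is not here, so they do not belong on a blocklist; and run_on_startup is false while the Signatures section below records two Run keys being written, so that flag on its own says nothing about persistence on this host.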
Signatures
-
Executes dropped EXE 2 IoCs
pid   Process
2232  gpaxjkfx.exe
2216  gpaxjkfx.exe
-
Loads dropped DLL 2 IoCs
pid   Process
1584  BCBP-FT-TRANSFER-287287912.scr.exe
2232  gpaxjkfx.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description      ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\pluuqyyiee = "C:\\Users\\Admin\\AppData\\Roaming\\ueeajjsoxxhdd\\miirbwwgp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\gpaxjkfx.exe\" "  gpaxjkfx.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Subsystem = "C:\\Program Files (x86)\\IMAP Subsystem\\imapss.exe"  gpaxjkfx.exe
-
Checks whether UAC is enabled
description        ioc  Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  gpaxjkfx.exe
-
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process       procid_target
PID 2232 set thread context of 2216  2232  gpaxjkfx.exe  29
-
Drops file in Program Files directory 2 IoCs
description                   ioc                                               Process
File created                  C:\Program Files (x86)\IMAP Subsystem\imapss.exe  gpaxjkfx.exe
File opened for modification  C:\Program Files (x86)\IMAP Subsystem\imapss.exe  gpaxjkfx.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2216  gpaxjkfx.exe
2216  gpaxjkfx.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2216  gpaxjkfx.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid   Process
2232  gpaxjkfx.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2216  gpaxjkfx.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description                       pid   Process                             procid_target
PID 1584 wrote to memory of 2232  1584  BCBP-FT-TRANSFER-287287912.scr.exe  28  (4 identical rows)
PID 2232 wrote to memory of 2216  2232  gpaxjkfx.exe                        29  (5 identical rows)
Processes
-
C:\Users\Admin\AppData\Local\Temp\BCBP-FT-TRANSFER-287287912.scr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BCBP-FT-TRANSFER-287287912.scr.exe"
  PID: 1584
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\gpaxjkfx.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\gpaxjkfx.exe"
      PID: 2232 (child of 1584)
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      └ C:\Users\Admin\AppData\Local\Temp\gpaxjkfx.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\gpaxjkfx.exe"
          PID: 2216 (child of 2232)
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
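The Signatures and Processes sections together describe one chain: the dropper starts gpaxjkfx.exe (2232), which starts a second copy of its own image (2216), writes into it and replaces a thread context, after which the second copy installs persistence. As an added example that is not part of the report, the Python below replays those rows as a constructed event list and flags the two patterns a responder would pull out of them: a process hollowing a child that runs its own image, and Run values written by the process that also dropped their target. The event schema (op, pid, target, key, data) is the example's own, not the sandbox's; attributing the pluuqyyiee key to 2232 and the IMAP Subsystem key to 2216 is an assumption made to match the process tree, since the signature rows name only the image.

```python
"""Replay the report's behavioural rows as events and flag self-hollowing and
self-installed Run-key persistence (added example; events constructed from the page)."""
from typing import Dict, List, Tuple

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\BCBP-FT-TRANSFER-287287912.scr.exe"
LOADER = r"C:\Users\Admin\AppData\Local\Temp\gpaxjkfx.exe"
RUN_HKU = r"\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\pluuqyyiee"
RUN_HKLM = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Subsystem"

# Constructed from the Signatures/Processes rows. Registry data is shown with the
# JSON escaping removed. Which gpaxjkfx.exe instance wrote which Run key is an
# assumption chosen to match the process tree.
EVENTS: List[Dict] = [
    {"op": "process_create", "pid": 1584, "ppid": 0, "image": DROPPER},
    {"op": "process_create", "pid": 2232, "ppid": 1584, "image": LOADER},
    *([{"op": "write_process_memory", "pid": 1584, "target": 2232}] * 4),
    {"op": "process_create", "pid": 2216, "ppid": 2232, "image": LOADER},
    *([{"op": "write_process_memory", "pid": 2232, "target": 2216}] * 5),
    {"op": "set_thread_context", "pid": 2232, "target": 2216},
    {"op": "reg_set", "pid": 2232, "key": RUN_HKU,
     "data": r'C:\Users\Admin\AppData\Roaming\ueeajjsoxxhdd\miirbwwgp.exe "C:\Users\Admin\AppData\Local\Temp\gpaxjkfx.exe" '},
    {"op": "file_create", "pid": 2216, "path": r"C:\Program Files (x86)\IMAP Subsystem\imapss.exe"},
    {"op": "reg_set", "pid": 2216, "key": RUN_HKLM,
     "data": r'"C:\Program Files (x86)\IMAP Subsystem\imapss.exe"'},
]


def find_self_hollowing(events: List[Dict]) -> List[Tuple[int, int]]:
    """(parent, child) pairs where a process spawned its own image, then wrote
    into that child and replaced one of its thread contexts. 1584 -> 2232 is
    not returned: different image, and no SetThreadContext."""
    image = {e["pid"]: e["image"].lower() for e in events if e["op"] == "process_create"}
    parent = {e["pid"]: e["ppid"] for e in events if e["op"] == "process_create"}
    wrote = {(e["pid"], e["target"]) for e in events if e["op"] == "write_process_memory"}
    ctx = {(e["pid"], e["target"]) for e in events if e["op"] == "set_thread_context"}
    return [(p, c) for c, p in parent.items()
            if p in image and image[p] == image[c] and (p, c) in wrote and (p, c) in ctx]


USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def split_cmdline(data: str) -> Tuple[str, str]:
    """Return (program, arguments) for a Run value, handling a quoted program."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end], data[end + 1:].strip()
    prog, _, rest = data.partition(" ")
    return prog, rest.strip()


def triage_run_values(events: List[Dict]) -> Dict[str, List[str]]:
    """Map each Run value name to the reasons it looks like malware persistence."""
    created = {(e["pid"], e["path"].lower()) for e in events if e["op"] == "file_create"}
    findings: Dict[str, List[str]] = {}
    for e in events:
        if e["op"] != "reg_set" or "\\currentversion\\run\\" not in e["key"].lower():
            continue
        prog, args = split_cmdline(e["data"])
        reasons = []
        if any(d in prog.lower() for d in USER_WRITABLE):
            reasons.append("autostart binary lives in a user-writable directory")
        if ".exe" in args.lower():
            reasons.append("passes another executable as an argument (launcher pattern)")
        if (e["pid"], prog.lower()) in created:
            reasons.append("written by the process that created the binary (self-install)")
        findings[e["key"].rsplit("\\", 1)[1]] = reasons
    return findings


if __name__ == "__main__":
    print("self-hollowing:", find_self_hollowing(EVENTS))
    for name, why in triage_run_values(EVENTS).items():
        print(name, "->", why)
```

On a live host the same two checks map onto Sysmon event ID 1 (parent and child image) plus ID 8/10-style cross-process access for the first, and ID 13 registry value sets joined with ID 11 file creates for the second; the point of the join is that a Run value pointing at Program Files looks legitimate on its own and only stands out once the writer is also the file's creator.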
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 176KB
MD5 dcb26c9bfc1b5d7ce5d51c3b87c37daa
SHA1 824e47ae0d2ef729977f162c019aba515575eabf
SHA256 cb9f656521d692c898a9a5439682241d82087d40f3a949639b595f3fe2da106d
SHA512 de22705d5410b7d4c24fdcfc32a87280f16ced3aa7eee860cdc8855d763916e3dab4ac01190444f51f3f67a7bde4451be0b9d9dd23922fcd983c0cde8515ac35
(this entry appears six times in the report's dropped-file list; all six copies carry the same hashes)
-
Filesize 300KB
MD5 f4aa88a2bdd058cf0f9263c8d9207102
SHA1 399a192bbac02ec52cfee904aa1ee2fad0369aad
SHA256 2bcb37bd3f65d6135c329e502c2ef0909572c3fa480947cc6fe23252d41cdf33
SHA512 9e3428b01280b92af142db29b9c9ca6ede2a210a8617190bbecaf7504c661f6cab66d10926dac49b9864417f9667a867109fd312f012f9a487388a622bde80de