0a94a43af2db7bdbada87b34bf03d3b221110d1ca21bbebec55b08767c1281cc

Analysis

max time kernel
120s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23/12/2023, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easybcd-2-4.exe
Size

2.2MB
MD5

2e06476ebe1137f543ee7176d34716e7
SHA1

6eaa6aa0e829ce8af54213f6de77e748c4388e23
SHA256

0a94a43af2db7bdbada87b34bf03d3b221110d1ca21bbebec55b08767c1281cc
SHA512

4f038b1bab87a9c552672a69d2122800e5f6809c6230c2cea4f14000d0c8555393621af0e4e85ef9471a6527d9458a6315576aab9de10058b3c320549f9d0c1e
SSDEEP

49152:vHQLkhcj2sy/yOnZMS3NTQDxX7Cc8kRD7zei:vwLKcjW/yGMoN+Obk1zD

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2868	easybcd-2-4.exe
2868	easybcd-2-4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2280	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2868	easybcd-2-4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	taskkill.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2280	2868	easybcd-2-4.exe	27
PID 2868 wrote to memory of 2280	2868	easybcd-2-4.exe	27
PID 2868 wrote to memory of 2280	2868	easybcd-2-4.exe	27
PID 2868 wrote to memory of 2280	2868	easybcd-2-4.exe	27

C:\Users\Admin\AppData\Local\Temp\easybcd-2-4.exe
"C:\Users\Admin\AppData\Local\Temp\easybcd-2-4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im easybcd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd6C6B.tmp\ioSpecial.ini

Filesize
673B

MD5
1d3b9ae7b898640dcc2bea3c4805f9c1

SHA1
41e1c280e9f5e0dc0144f7babf36fc8c14fb713b

SHA256
80d973efa627e786aaa2a42391038fceb26552de46c8349af561738f07ec4c57

SHA512
fa65163d667d3cee3ea66d1b008d3a2262b694cc37082e81a40183274c421b351499b1b25854f53d89e0cd554bbf401880780a812cbe7b294d75ee903540db1a

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6C6B.tmp\InstallOptions.dll

Filesize
14KB

MD5
8d5a5529462a9ba1ac068ee0502578c7

SHA1
875e651e302ce0bfc8893f341cf19171fee25ea5

SHA256
e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

SHA512
101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6C6B.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit