27e94d4a8932c0d19a84970078f2d11824d2e9edafc5cf221d41ff1c63e47dec

General

Target

63bd9e5523c85c4da4cac440a777f1c2.exe
Size

1.4MB
MD5

63bd9e5523c85c4da4cac440a777f1c2
SHA1

88d9f376ecbf824ad5c9b9dc47a76fafda45a499
SHA256

27e94d4a8932c0d19a84970078f2d11824d2e9edafc5cf221d41ff1c63e47dec
SHA512

eacdd1ca9cf49da0212a29b9428c879236bfc7ea9d497b05327bc321b9b2fe5c6dd7bcf6500f5c6b49ac6be4541c02c65556e5f3716d93decab7fce18f711ebb
SSDEEP

24576:pKGeJlka1TqUcEAKrfWmQfBZrZFfYDNoF+GoDWU98VRck3CJIdF9Am69Qaro65ya:GkN48BnFAawDWn7b3MIdF3aMEya

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2500	usnscv.exe
2920	usnscv.exe
2732	BES.exe

Loads dropped DLL 5 IoCs

pid	Process
808	63bd9e5523c85c4da4cac440a777f1c2.exe
808	63bd9e5523c85c4da4cac440a777f1c2.exe
2500	usnscv.exe
808	63bd9e5523c85c4da4cac440a777f1c2.exe
808	63bd9e5523c85c4da4cac440a777f1c2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\usnscv.exe = "\"C:\\Users\\Admin\\AppData\\Local\\usnscv.exe\" /background"	usnscv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 808 set thread context of 2500	808	63bd9e5523c85c4da4cac440a777f1c2.exe	28
PID 2500 set thread context of 2920	2500	usnscv.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2732	BES.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2732	BES.exe
2732	BES.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2732	BES.exe
2732	BES.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2732	BES.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 2500	808	63bd9e5523c85c4da4cac440a777f1c2.exe	28
PID 808 wrote to memory of 2500	808	63bd9e5523c85c4da4cac440a777f1c2.exe	28
PID 808 wrote to memory of 2500	808	63bd9e5523c85c4da4cac440a777f1c2.exe	28
PID 808 wrote to memory of 2500	808	63bd9e5523c85c4da4cac440a777f1c2.exe	28
PID 808 wrote to memory of 2500	808	63bd9e5523c85c4da4cac440a777f1c2.exe	28
PID 808 wrote to memory of 2500	808	63bd9e5523c85c4da4cac440a777f1c2.exe	28
PID 808 wrote to memory of 2500	808	63bd9e5523c85c4da4cac440a777f1c2.exe	28
PID 808 wrote to memory of 2500	808	63bd9e5523c85c4da4cac440a777f1c2.exe	28
PID 808 wrote to memory of 2500	808	63bd9e5523c85c4da4cac440a777f1c2.exe	28
PID 808 wrote to memory of 2500	808	63bd9e5523c85c4da4cac440a777f1c2.exe	28
PID 808 wrote to memory of 2500	808	63bd9e5523c85c4da4cac440a777f1c2.exe	28
PID 808 wrote to memory of 2500	808	63bd9e5523c85c4da4cac440a777f1c2.exe	28
PID 808 wrote to memory of 2500	808	63bd9e5523c85c4da4cac440a777f1c2.exe	28
PID 2500 wrote to memory of 2920	2500	usnscv.exe	29
PID 2500 wrote to memory of 2920	2500	usnscv.exe	29
PID 2500 wrote to memory of 2920	2500	usnscv.exe	29
PID 2500 wrote to memory of 2920	2500	usnscv.exe	29
PID 2500 wrote to memory of 2920	2500	usnscv.exe	29
PID 2500 wrote to memory of 2920	2500	usnscv.exe	29
PID 808 wrote to memory of 2732	808	63bd9e5523c85c4da4cac440a777f1c2.exe	30
PID 808 wrote to memory of 2732	808	63bd9e5523c85c4da4cac440a777f1c2.exe	30
PID 808 wrote to memory of 2732	808	63bd9e5523c85c4da4cac440a777f1c2.exe	30
PID 808 wrote to memory of 2732	808	63bd9e5523c85c4da4cac440a777f1c2.exe	30

C:\Users\Admin\AppData\Local\Temp\63bd9e5523c85c4da4cac440a777f1c2.exe
"C:\Users\Admin\AppData\Local\Temp\63bd9e5523c85c4da4cac440a777f1c2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\usnscv.exe
  "C:\Users\Admin\AppData\Local\usnscv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Local\usnscv.exe
    "C:\Users\Admin\AppData\Local\usnscv.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2920
- C:\Users\Admin\AppData\Local\BES.exe
  "C:\Users\Admin\AppData\Local\BES.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BES.exe

Filesize
188KB

MD5
1df0316c621326fe3b73d3ea3ae9bce4

SHA1
69ce2ffd76823cf1cca19b3004d93436f3ab10ff

SHA256
cdd0b5fcc9c56ae1cc81a84aca6ec9dced7383a1687cffab6aedeee290382bf5

SHA512
e7353286508e6da3c66f6cc4d93eb9570a87e7fb0a7afe99bad47b7918f5c4ed0fa34c2521f0bb4d2e22bf4453dc49048bc91c3aa0b733b1fb1323ee2e18011c

Download Submit
C:\Users\Admin\AppData\Local\bes.ini

Filesize
22B

MD5
ad620f3a660910ea8ae5814944a79957

SHA1
63f2408e5b6502e9c37cc19b8e0f0184e96e5a98

SHA256
fd8b23de1d8a48cd9367756c3e437fe1eaf4e46c763af06e7b7d3d1f792570ba

SHA512
0f34487b3eb2debe31bd9bb5df227530ec73233876ebcfdd627c5177ed901ddf0186ba1b2a8a3d16df62dac28cb0acd5216fda0121328870350cac49a4ed542f

Download Submit
C:\Users\Admin\AppData\Local\usnscv.exe

Filesize
30KB

MD5
8889bd1d195453e042195b492103a1ef

SHA1
d5dd7a1a28fc3d66bcb0070266020bc38bbc6499

SHA256
0bb7ac8b8f722ac34a056fa63c56b49ba2e6ecda2b1ac66239f89ec77aff82c5

SHA512
a166dbb6bb2eb6f6a1cef8e134a84bfafb8c37c9c0f29fac8ca90dcd6a87ee0aa37c4443a838697b921f611c593b30c4d2af1cb0b4ab82fa584127fa9b1911ad

Download Submit
\Users\Admin\AppData\Local\usnscv.exe

Filesize
1.4MB

MD5
63bd9e5523c85c4da4cac440a777f1c2

SHA1
88d9f376ecbf824ad5c9b9dc47a76fafda45a499

SHA256
27e94d4a8932c0d19a84970078f2d11824d2e9edafc5cf221d41ff1c63e47dec

SHA512
eacdd1ca9cf49da0212a29b9428c879236bfc7ea9d497b05327bc321b9b2fe5c6dd7bcf6500f5c6b49ac6be4541c02c65556e5f3716d93decab7fce18f711ebb

Download Submit
memory/808-60-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/808-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2500-10-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2500-18-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2500-8-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2500-15-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2500-35-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2500-45-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2500-21-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2500-12-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2500-24-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2500-36-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2500-27-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2500-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2500-30-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2920-48-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2920-49-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2920-50-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2920-46-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2920-43-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2920-39-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2920-75-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2920-78-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2920-79-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads