Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2023, 17:01

General

  • Target

    7eaf913bed26f384d6ce46b787fdb57e.exe

  • Size

    21KB

  • MD5

    7eaf913bed26f384d6ce46b787fdb57e

  • SHA1

    4c02e3cca813e3d49de26da4ff25f5d64aece2ff

  • SHA256

    e732f04156824837dd34109312fa53860b2500b5200b28b4078f07f5e0dedf6d

  • SHA512

    5632d679108700c710c994b69fa1a0fb155d3ab11be6281282129b06919f6c25f510c4d68fe5a8458adf07549834dee738dd010bc5e38ad69c9b69fe57d50dbf

  • SSDEEP

    384:DIiV728hUQ7Y2P/cVEccDdye7kjlWLe7grPiA8jyrMPhTjanbBoZmXdaNJawcudy:DRGuY2P0Vo6r7SiAwyrMRjbkwnbcuyDY

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7eaf913bed26f384d6ce46b787fdb57e.exe
    "C:\Users\Admin\AppData\Local\Temp\7eaf913bed26f384d6ce46b787fdb57e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\756E.tmp\BitDefender.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM About.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2292
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM bdagent.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4864
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM bdfvcl.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5076
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM bdfvwiz.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2164
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM BDInProcPatch.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3444
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM BDMsnScan.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:800
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM bdreinit.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1096
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM bdsubwiz.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3732
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM BDSurvey.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:852
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM bdtkexec.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2944
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM bdwizreg.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2712
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM cleanIELow.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1616
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM History.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3412
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM IEShow.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4936
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM JsRcGen.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4020
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM ODSW.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2776
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM seccenter.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3372
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM signcheck.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4536
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM uiscan.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5080
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM vsserv.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5108
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM wscfxas.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3212
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM wscfxav.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1932
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM wscfxfw.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM backup.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4772
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM burnermgm.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2400
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM burniso.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4856
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM cdburner.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\756E.tmp\BitDefender.bat

    Filesize

    915B

    MD5

    ecf69f7a7fb8730a61073a412bb24eef

    SHA1

    4ad92db033d0600800fdc2aec2c5416adde68202

    SHA256

    64fbf208d185770aadbd39458260d764ff149686d35df6d85354246ebdc8aeb4

    SHA512

    37890b7f3217f4f0611645252f67a63c6d9c9f112770f0c7b4266397ba4a7d2bdc497e7881a8dddff6c881a0b710c3ff4f9a1d97c03d653cab30de2a986cf563

  • memory/3396-0-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/3396-5-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB