cfee81e42662dc29b224739d6bc20cc6fd317ef901c300a848a417bc243d818e

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 06:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1147590f4c29356e6d88f056a09c8243.exe
Size

228KB
MD5

1147590f4c29356e6d88f056a09c8243
SHA1

a4ab19212050038fbc896f81bb87470b93cb5d82
SHA256

cfee81e42662dc29b224739d6bc20cc6fd317ef901c300a848a417bc243d818e
SHA512

43cfd0e7896bd9a7bc76c5b0ee0467293591a6273ca10953e06f31503a693adbaeac1b730a3e80a1ccb1c0cde5000674d23cbaf3492dbaa37dab5803c1ac60ac
SSDEEP

1536:882E8ZFue9KNdaabUeUhaDLsMs1fS8o0lVkiW9OU559DdhyQ4I5toIv:88X8ZMaKnzUeUhksMa7E9Ow5N9GIv

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	1147590f4c29356e6d88f056a09c8243.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TaskSysStartBB = "C:\\Windows\\TASKMOAN.EXE"	1147590f4c29356e6d88f056a09c8243.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\SysTrayStartLW = "C:\\Windows\\system32\\BBbLWDB.Scr"	1147590f4c29356e6d88f056a09c8243.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\BBbLWDB.Scr	1147590f4c29356e6d88f056a09c8243.exe
File opened for modification	C:\Windows\SysWOW64\BBbLWDB.Scr	1147590f4c29356e6d88f056a09c8243.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\AIM95\Buddies4Eva.Scr	1147590f4c29356e6d88f056a09c8243.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\TASKMOAN.EXE	1147590f4c29356e6d88f056a09c8243.exe
File opened for modification	C:\Windows\TASKMOAN.EXE	1147590f4c29356e6d88f056a09c8243.exe
File created	C:\Windows\BBbLWDB.Bat	1147590f4c29356e6d88f056a09c8243.exe
File opened for modification	C:\Windows\BBbLWDB.Bat	1147590f4c29356e6d88f056a09c8243.exe
File created	C:\Windows\.EXE	1147590f4c29356e6d88f056a09c8243.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 1724	5040	1147590f4c29356e6d88f056a09c8243.exe	95
PID 5040 wrote to memory of 1724	5040	1147590f4c29356e6d88f056a09c8243.exe	95
PID 5040 wrote to memory of 1724	5040	1147590f4c29356e6d88f056a09c8243.exe	95
PID 5040 wrote to memory of 1072	5040	1147590f4c29356e6d88f056a09c8243.exe	97
PID 5040 wrote to memory of 1072	5040	1147590f4c29356e6d88f056a09c8243.exe	97
PID 5040 wrote to memory of 1072	5040	1147590f4c29356e6d88f056a09c8243.exe	97
PID 1072 wrote to memory of 4256	1072	cmd.exe	100
PID 1072 wrote to memory of 4256	1072	cmd.exe	100
PID 1072 wrote to memory of 4256	1072	cmd.exe	100
PID 1072 wrote to memory of 2472	1072	cmd.exe	101
PID 1072 wrote to memory of 2472	1072	cmd.exe	101
PID 1072 wrote to memory of 2472	1072	cmd.exe	101
PID 1072 wrote to memory of 2252	1072	cmd.exe	102
PID 1072 wrote to memory of 2252	1072	cmd.exe	102
PID 1072 wrote to memory of 2252	1072	cmd.exe	102
PID 1072 wrote to memory of 5084	1072	cmd.exe	103
PID 1072 wrote to memory of 5084	1072	cmd.exe	103
PID 1072 wrote to memory of 5084	1072	cmd.exe	103
PID 1072 wrote to memory of 2092	1072	cmd.exe	104
PID 1072 wrote to memory of 2092	1072	cmd.exe	104
PID 1072 wrote to memory of 2092	1072	cmd.exe	104
PID 1072 wrote to memory of 1708	1072	cmd.exe	105
PID 1072 wrote to memory of 1708	1072	cmd.exe	105
PID 1072 wrote to memory of 1708	1072	cmd.exe	105
PID 1072 wrote to memory of 5064	1072	cmd.exe	106
PID 1072 wrote to memory of 5064	1072	cmd.exe	106
PID 1072 wrote to memory of 5064	1072	cmd.exe	106
PID 1072 wrote to memory of 4720	1072	cmd.exe	107
PID 1072 wrote to memory of 4720	1072	cmd.exe	107
PID 1072 wrote to memory of 4720	1072	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\1147590f4c29356e6d88f056a09c8243.exe
"C:\Users\Admin\AppData\Local\Temp\1147590f4c29356e6d88f056a09c8243.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ShareFile.exe \Progra~1\AIM95\Buddies4Eva.Scr
  2⤵
  PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\BBbLWDB.Bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" Ver "
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\find.exe
    Find "XP"
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" Ver "
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\find.exe
    Find "NT"
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" Ver "
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\find.exe
    Find "2000"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" Echo Y "
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" Copy C:\Windows\TASMOAN.EXE \_RESTORE"
    3⤵
    PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\BBbLWDB.Bat

Filesize
5KB

MD5
52052154dd975e70496fd59756f75b2a

SHA1
1ae2533825a8f8bdb89eb33c0527825261a1eab7

SHA256
e1723bef2453571f2b0fbab49722a5d3e13d6187db3939fb6c13f5e46d4df407

SHA512
c2277f095d8379fe08ca1f3221826471a1b29919af4bbbf60be23e0866c654ffd1c096e874f9f8241aa17692ff9f8ede39e574ac4a66577ef36c55bbd8bdd53a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads