Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
- submitted: 31/12/2023, 00:09
Static task: static1
Behavioral task: behavioral1
  Sample: 2125bf2b30050fb981357d998968ed50.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2125bf2b30050fb981357d998968ed50.exe
  Resource: win10v2004-20231215-en
General
- Target: 2125bf2b30050fb981357d998968ed50.exe
- Size: 10KB
- MD5: 2125bf2b30050fb981357d998968ed50
- SHA1: 7152359f75b98e9eb96ef35ea720eeaf4c028b8a
- SHA256: 34ac353f82317c69f040b864de17c8c7b23f71ae2c1f98e05d8f9c26e7466183
- SHA512: 9fbd73e6e85f6c85e18fd9477f6d798831de8495764b424224ee3dabd5d20654fef6826d32d553269eb28898b2ed0188d09d30ffe15937d5bf4e04d1fe314a5c
- SSDEEP: 192:IOjHx/GOuPoM3qkCAvMP78N4YIT3xBsx/RkSOAdsvtFcxNGf7C:LF/GOugWBZMPy4HL/4/rTsvtFHC
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 836, process cmdbcs.exe
- Executes dropped EXE (1 IoCs)
  pid 836, process cmdbcs.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmdbcs = "C:\\Windows\\cmdbcs.exe" (process cmdbcs.exe)
- Drops file in System32 directory (1 IoCs)
  File created: C:\Windows\SysWOW64\cmdbcs.dll (process cmdbcs.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\cmdbcs.exe (process 2125bf2b30050fb981357d998968ed50.exe)
  File opened for modification: C:\Windows\cmdbcs.exe (process 2125bf2b30050fb981357d998968ed50.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 836, process cmdbcs.exe
  pid 836, process cmdbcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 4908, process 2125bf2b30050fb981357d998968ed50.exe
  Token: SeDebugPrivilege, pid 836, process cmdbcs.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 4908 wrote to memory of 836, pid 4908, process 2125bf2b30050fb981357d998968ed50.exe, procid_target 92
  PID 4908 wrote to memory of 836, pid 4908, process 2125bf2b30050fb981357d998968ed50.exe, procid_target 92
  PID 4908 wrote to memory of 836, pid 4908, process 2125bf2b30050fb981357d998968ed50.exe, procid_target 92
  PID 836 wrote to memory of 3532, pid 836, process cmdbcs.exe, procid_target 42
  PID 836 wrote to memory of 3532, pid 836, process cmdbcs.exe, procid_target 42
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3532
  - C:\Users\Admin\AppData\Local\Temp\2125bf2b30050fb981357d998968ed50.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2125bf2b30050fb981357d998968ed50.exe"
    Signatures:
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4908
    - C:\Windows\cmdbcs.exe
      Command line: C:\Windows\cmdbcs.exe @C:\Users\Admin\AppData\Local\Temp\2125bf2b30050fb981357d998968ed50.exe@4908
      Signatures:
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 836
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 10KB
  MD5: 2125bf2b30050fb981357d998968ed50
  SHA1: 7152359f75b98e9eb96ef35ea720eeaf4c028b8a
  SHA256: 34ac353f82317c69f040b864de17c8c7b23f71ae2c1f98e05d8f9c26e7466183
  SHA512: 9fbd73e6e85f6c85e18fd9477f6d798831de8495764b424224ee3dabd5d20654fef6826d32d553269eb28898b2ed0188d09d30ffe15937d5bf4e04d1fe314a5c