34ac353f82317c69f040b864de17c8c7b23f71ae2c1f98e05d8f9c26e7466183

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2125bf2b30050fb981357d998968ed50.exe
Size

10KB
MD5

2125bf2b30050fb981357d998968ed50
SHA1

7152359f75b98e9eb96ef35ea720eeaf4c028b8a
SHA256

34ac353f82317c69f040b864de17c8c7b23f71ae2c1f98e05d8f9c26e7466183
SHA512

9fbd73e6e85f6c85e18fd9477f6d798831de8495764b424224ee3dabd5d20654fef6826d32d553269eb28898b2ed0188d09d30ffe15937d5bf4e04d1fe314a5c
SSDEEP

192:IOjHx/GOuPoM3qkCAvMP78N4YIT3xBsx/RkSOAdsvtFcxNGf7C:LF/GOugWBZMPy4HL/4/rTsvtFHC

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
836	cmdbcs.exe

Executes dropped EXE 1 IoCs

pid	Process
836	cmdbcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmdbcs = "C:\\Windows\\cmdbcs.exe"	cmdbcs.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cmdbcs.dll	cmdbcs.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\cmdbcs.exe	2125bf2b30050fb981357d998968ed50.exe
File opened for modification	C:\Windows\cmdbcs.exe	2125bf2b30050fb981357d998968ed50.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
836	cmdbcs.exe
836	cmdbcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	2125bf2b30050fb981357d998968ed50.exe
Token: SeDebugPrivilege	836	cmdbcs.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 836	4908	2125bf2b30050fb981357d998968ed50.exe	92
PID 4908 wrote to memory of 836	4908	2125bf2b30050fb981357d998968ed50.exe	92
PID 4908 wrote to memory of 836	4908	2125bf2b30050fb981357d998968ed50.exe	92
PID 836 wrote to memory of 3532	836	cmdbcs.exe	42
PID 836 wrote to memory of 3532	836	cmdbcs.exe	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\2125bf2b30050fb981357d998968ed50.exe
  "C:\Users\Admin\AppData\Local\Temp\2125bf2b30050fb981357d998968ed50.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\cmdbcs.exe
    C:\Windows\cmdbcs.exe @C:\Users\Admin\AppData\Local\Temp\2125bf2b30050fb981357d998968ed50.exe@4908
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\cmdbcs.exe

Filesize
10KB

MD5
2125bf2b30050fb981357d998968ed50

SHA1
7152359f75b98e9eb96ef35ea720eeaf4c028b8a

SHA256
34ac353f82317c69f040b864de17c8c7b23f71ae2c1f98e05d8f9c26e7466183

SHA512
9fbd73e6e85f6c85e18fd9477f6d798831de8495764b424224ee3dabd5d20654fef6826d32d553269eb28898b2ed0188d09d30ffe15937d5bf4e04d1fe314a5c

Download Submit
memory/836-6-0x00000000001C0000-0x0000000000200000-memory.dmp

Filesize
256KB

Download
memory/4908-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4908-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/4908-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download