c1b7b9b40112990313552323d9ea4af03bbb17effcbf37079ddb43d6320833f8

Analysis

max time kernel
161s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 06:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2bd96ea95ec9763f9ad5846b09e79492.exe
Size

127KB
MD5

2bd96ea95ec9763f9ad5846b09e79492
SHA1

b2e3660fd386d32ca19093d659870ae72c898804
SHA256

c1b7b9b40112990313552323d9ea4af03bbb17effcbf37079ddb43d6320833f8
SHA512

da5e3b221f090719b8c17fb4eeb27e28c5875910fa3a601f1a6c8fe7af715db5f0c0d777786ec44881a6a8864b71f2f147d0b6429b799ccde44035da4aa094f4
SSDEEP

3072:tWIVzl1GSJLLpgmGj8g5ZQXMmwI+QXMmwI2l:gIVzl3LumGGMazMa2l

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	cmd.exe

Deletes itself 1 IoCs

pid	Process
3192	DelBBCE.tmp

Executes dropped EXE 1 IoCs

pid	Process
3192	DelBBCE.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 4864	3948	2bd96ea95ec9763f9ad5846b09e79492.exe	88
PID 3948 wrote to memory of 4864	3948	2bd96ea95ec9763f9ad5846b09e79492.exe	88
PID 3948 wrote to memory of 4864	3948	2bd96ea95ec9763f9ad5846b09e79492.exe	88
PID 4864 wrote to memory of 2340	4864	cmd.exe	93
PID 4864 wrote to memory of 2340	4864	cmd.exe	93
PID 4864 wrote to memory of 2340	4864	cmd.exe	93
PID 3948 wrote to memory of 3192	3948	2bd96ea95ec9763f9ad5846b09e79492.exe	94
PID 3948 wrote to memory of 3192	3948	2bd96ea95ec9763f9ad5846b09e79492.exe	94
PID 3948 wrote to memory of 3192	3948	2bd96ea95ec9763f9ad5846b09e79492.exe	94
PID 3192 wrote to memory of 1724	3192	DelBBCE.tmp	96
PID 3192 wrote to memory of 1724	3192	DelBBCE.tmp	96
PID 3192 wrote to memory of 1724	3192	DelBBCE.tmp	96
PID 1724 wrote to memory of 4236	1724	cmd.exe	97
PID 1724 wrote to memory of 4236	1724	cmd.exe	97
PID 1724 wrote to memory of 4236	1724	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\2bd96ea95ec9763f9ad5846b09e79492.exe
"C:\Users\Admin\AppData\Local\Temp\2bd96ea95ec9763f9ad5846b09e79492.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c a.vbs
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
    3⤵
    PID:2340
- C:\Users\Admin\AppData\Local\Temp\DelBBCE.tmp
  C:\Users\Admin\AppData\Local\Temp\DelBBCE.tmp 268 "C:\Users\Admin\AppData\Local\Temp\2bd96ea95ec9763f9ad5846b09e79492.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c a.vbs
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
      4⤵
      PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DelBBCE.tmp

Filesize
127KB

MD5
2bd96ea95ec9763f9ad5846b09e79492

SHA1
b2e3660fd386d32ca19093d659870ae72c898804

SHA256
c1b7b9b40112990313552323d9ea4af03bbb17effcbf37079ddb43d6320833f8

SHA512
da5e3b221f090719b8c17fb4eeb27e28c5875910fa3a601f1a6c8fe7af715db5f0c0d777786ec44881a6a8864b71f2f147d0b6429b799ccde44035da4aa094f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.vbs

Filesize
22KB

MD5
0a4899d7995aeb9b8263f62dcae31c0c

SHA1
d4f5dc941ffa15b07e73097d6dccd87ddfef2e22

SHA256
ce532ed99a85758250b49e3b422654068ac384b8c4951b8f2df97402e191a617

SHA512
ac3a445d8970b691fc9756a89ee590e6449dcd53334bf47c4fc4eb4f0445e767d0271e4cad43a4a286eb320709b63f381d4cd2c938ed5de8786fc0379478b4c5

Download Submit