bb5cb6ed65c820bd07a2c6cbfb33ecd32eb99311a80d6d62258068761066a661

General

Target

388d1446ca00eefb1acf69280bc536d9.exe
Size

84KB
MD5

388d1446ca00eefb1acf69280bc536d9
SHA1

6d1031c576c9457e8a6b5409928622f91201b221
SHA256

bb5cb6ed65c820bd07a2c6cbfb33ecd32eb99311a80d6d62258068761066a661
SHA512

aafc3d83283126a79996414e0433ddce15d098fc09c521817a43b758dbf764a20e35928ac4277897063fd63a1553a8e78a4ba84c753a22e39a1fc014b95d3b4e
SSDEEP

1536:yiftS2sECvf75ggVKn4SeWF+JqNa/OTm7lKmPaUclT5fWrlJhWT8L1SpBNKDwT46:JS2sRTiiKnSzJwuOTLwFw5soT8IB4Dwz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2216	loader.exe
3064	install.exe
3056	4BNB5.exe

Loads dropped DLL 12 IoCs

pid	Process
1044	388d1446ca00eefb1acf69280bc536d9.exe
1044	388d1446ca00eefb1acf69280bc536d9.exe
1044	388d1446ca00eefb1acf69280bc536d9.exe
3048	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe
1044	388d1446ca00eefb1acf69280bc536d9.exe
1044	388d1446ca00eefb1acf69280bc536d9.exe
3064	install.exe
3064	install.exe
3064	install.exe
3048	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\braviax = "C:\\Windows\\system32\\braviax.exe"	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\braviax = "C:\\Windows\\system32\\braviax.exe"	install.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\braviax.exe	install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
3048	2216	WerFault.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2216	1044	388d1446ca00eefb1acf69280bc536d9.exe	22
PID 1044 wrote to memory of 2216	1044	388d1446ca00eefb1acf69280bc536d9.exe	22
PID 1044 wrote to memory of 2216	1044	388d1446ca00eefb1acf69280bc536d9.exe	22
PID 1044 wrote to memory of 2216	1044	388d1446ca00eefb1acf69280bc536d9.exe	22
PID 2216 wrote to memory of 3048	2216	loader.exe	21
PID 2216 wrote to memory of 3048	2216	loader.exe	21
PID 2216 wrote to memory of 3048	2216	loader.exe	21
PID 2216 wrote to memory of 3048	2216	loader.exe	21
PID 1044 wrote to memory of 3064	1044	388d1446ca00eefb1acf69280bc536d9.exe	17
PID 1044 wrote to memory of 3064	1044	388d1446ca00eefb1acf69280bc536d9.exe	17
PID 1044 wrote to memory of 3064	1044	388d1446ca00eefb1acf69280bc536d9.exe	17
PID 1044 wrote to memory of 3064	1044	388d1446ca00eefb1acf69280bc536d9.exe	17
PID 1044 wrote to memory of 3064	1044	388d1446ca00eefb1acf69280bc536d9.exe	17
PID 1044 wrote to memory of 3064	1044	388d1446ca00eefb1acf69280bc536d9.exe	17
PID 1044 wrote to memory of 3064	1044	388d1446ca00eefb1acf69280bc536d9.exe	17
PID 1044 wrote to memory of 3056	1044	388d1446ca00eefb1acf69280bc536d9.exe	20
PID 1044 wrote to memory of 3056	1044	388d1446ca00eefb1acf69280bc536d9.exe	20
PID 1044 wrote to memory of 3056	1044	388d1446ca00eefb1acf69280bc536d9.exe	20
PID 1044 wrote to memory of 3056	1044	388d1446ca00eefb1acf69280bc536d9.exe	20

C:\Users\Admin\AppData\Local\Temp\388d1446ca00eefb1acf69280bc536d9.exe
"C:\Users\Admin\AppData\Local\Temp\388d1446ca00eefb1acf69280bc536d9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "C:\Users\Admin\AppData\Local\Temp\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat" "
    3⤵
    PID:2716
- C:\Users\Admin\AppData\Local\Temp\4BNB5.exe
  "C:\Users\Admin\AppData\Local\Temp\4BNB5.exe"
  2⤵
  - Executes dropped EXE
  PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    /c del /f C:\Users\Admin\AppData\Local\Temp\4BNB5.exe.bak >> NUL
    3⤵
    PID:1192
- - C:\ProgramData\atshkbsd\wpqzgtyn.exe
    C:\ProgramData\atshkbsd\wpqzgtyn.exe
    3⤵
    PID:272
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 88
1⤵
- Loads dropped DLL
- Program crash
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
15KB

MD5
2d4523c5ad2afcc60883b68798383a97

SHA1
3da181e958cde4f1d93d60d38e9a82b14da60dab

SHA256
90d322eb71b867fcc4b6002ec8b8a23eebf0ce687f9665aea74e3852052ef932

SHA512
155bf04b4a7b1fac621c26bd896589730f569b4ffc1565f283751d999a3ac87b661b15f08a5e1d01b4ce18c11345e1e2d6df38096d103ff260a783fac009b9e1

Download Submit
memory/3064-34-0x00000000002A0000-0x00000000002A9000-memory.dmp

Filesize
36KB

Download
memory/3064-42-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads