47442c5eb7288045c7f563ae85be598ca5b23f28c3c5847e34427dcdf97702eb

Analysis

max time kernel
145s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

541f15e3fba33c80185ea26d83a2965e.exe
Size

308KB
MD5

541f15e3fba33c80185ea26d83a2965e
SHA1

b7cbdb88a700ec602ce631d0ae7420b7d438e007
SHA256

47442c5eb7288045c7f563ae85be598ca5b23f28c3c5847e34427dcdf97702eb
SHA512

a242de3606bef0353d514ab536c69aee1430e72effefe371c20b77254415a6eb0151ce5261de4a7d0ec0e9c213404e1b6c6a78d184362bbe82a519d244f54450
SSDEEP

3072:sYMncAUg+goK24ecoNJKNNSf9cqNGqb4WG326a6FEBYR4udPfS:sYMnWg1yENNSl6qnGXtFE+R4cPa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4420	bcpuut.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
684	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2500	1616	541f15e3fba33c80185ea26d83a2965e.exe	20
PID 1616 wrote to memory of 2500	1616	541f15e3fba33c80185ea26d83a2965e.exe	20
PID 1616 wrote to memory of 2500	1616	541f15e3fba33c80185ea26d83a2965e.exe	20
PID 2500 wrote to memory of 4420	2500	cmd.exe	19
PID 2500 wrote to memory of 4420	2500	cmd.exe	19
PID 2500 wrote to memory of 4420	2500	cmd.exe	19
PID 2500 wrote to memory of 684	2500	cmd.exe	17
PID 2500 wrote to memory of 684	2500	cmd.exe	17
PID 2500 wrote to memory of 684	2500	cmd.exe	17

C:\Users\Admin\AppData\Local\Temp\541f15e3fba33c80185ea26d83a2965e.exe
"C:\Users\Admin\AppData\Local\Temp\541f15e3fba33c80185ea26d83a2965e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\izmzhsh.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
1⤵
- Runs ping.exe
PID:684

C:\Users\Admin\AppData\Local\Temp\bcpuut.exe
"C:\Users\Admin\AppData\Local\Temp\bcpuut.exe"
1⤵
- Executes dropped EXE
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bcpuut.exe

Filesize
184KB

MD5
cf7aed1a3288ff24894f8005dad7e271

SHA1
200878b3fef662cad326ce9b3d9d8be1a5d11c84

SHA256
cb70045244c36f532e5f9a4870ab3de2412ae17a75e615d8bb28e4224977477f

SHA512
c1aebd01d9f4e5092ce5f9c0e9e979913c950037038c7e77ef904d9a2efb44af22c4022f5b9a1198a6a2191dd0fdc856f653c2ebf90be020968ff1c6e989de1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqhlei.bat

Filesize
156B

MD5
eb0df5acdf28398ecf1ee944ec324c86

SHA1
567d7f69320e9f5dafc03b3292ee426f1d88161c

SHA256
4ed404433e97388105bf8c2263d6d23bf6d22e47341afb9d2062862b455ae24d

SHA512
270cef0a01044aa16d7ebbb5127aaf6733144011fc8c1aa7488dc6369b867a42f3ed9cf32ac5a841e00e1707bbc8f9d20d6266bc460675f9e342540ba24b6407

Download Submit
C:\Users\Admin\AppData\Local\Temp\izmzhsh.bat

Filesize
124B

MD5
0bfe4fc51a592bbca3fdfcb0030cbdcc

SHA1
55fab89020152c955ba3dd132cd17508275e3303

SHA256
699b7429cf3a3f02ee6cb0c1cb44ad3553219f8e47a1c61704dd70ad3e92f7f0

SHA512
3618ec9502c1d4c83b1150389decdbe7b1f2d6aecaeafcf4406f673eb908781cca01ac0a84b7b5d0ccf0569869367eda31e33addc535149b5e7c2e9616f48e8b

Download Submit