3a5248a9ba387b9456ba8d9d99b202326a573f7aea545d3dccbedbb0d173f72e

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

564a6bd9ed69acc9ba852037bec05b4c.exe
Size

18KB
MD5

564a6bd9ed69acc9ba852037bec05b4c
SHA1

fbb77777366ba1c424f323afdb640cc37a049a10
SHA256

3a5248a9ba387b9456ba8d9d99b202326a573f7aea545d3dccbedbb0d173f72e
SHA512

c9f1e39e920498678a794844cd3d38b5f79588f4ea8dcada4032cc12ec7826bba80ab0be3e1fe245b8a03e7b37d68ea485a5d2ff8220d822468dc1a72e66b2f7
SSDEEP

384:23OVkPHGuyf1l2K+X420GwoDMTyZ1RHLN1ccz:KPHGuy9j242hUW31cc

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
708	cmdbcs.exe

Executes dropped EXE 1 IoCs

pid	Process
708	cmdbcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmdbcs = "C:\\Windows\\cmdbcs.exe"	cmdbcs.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cmdbcs.dll	cmdbcs.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\cmdbcs.exe	564a6bd9ed69acc9ba852037bec05b4c.exe
File opened for modification	C:\Windows\cmdbcs.exe	564a6bd9ed69acc9ba852037bec05b4c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
708	cmdbcs.exe
708	cmdbcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	564a6bd9ed69acc9ba852037bec05b4c.exe
Token: SeDebugPrivilege	708	cmdbcs.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 708	3988	564a6bd9ed69acc9ba852037bec05b4c.exe	88
PID 3988 wrote to memory of 708	3988	564a6bd9ed69acc9ba852037bec05b4c.exe	88
PID 3988 wrote to memory of 708	3988	564a6bd9ed69acc9ba852037bec05b4c.exe	88
PID 708 wrote to memory of 3424	708	cmdbcs.exe	44
PID 708 wrote to memory of 3424	708	cmdbcs.exe	44

C:\Users\Admin\AppData\Local\Temp\564a6bd9ed69acc9ba852037bec05b4c.exe
"C:\Users\Admin\AppData\Local\Temp\564a6bd9ed69acc9ba852037bec05b4c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\cmdbcs.exe
  C:\Windows\cmdbcs.exe @C:\Users\Admin\AppData\Local\Temp\564a6bd9ed69acc9ba852037bec05b4c.exe@3988
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:708

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\cmdbcs.exe

Filesize
18KB

MD5
564a6bd9ed69acc9ba852037bec05b4c

SHA1
fbb77777366ba1c424f323afdb640cc37a049a10

SHA256
3a5248a9ba387b9456ba8d9d99b202326a573f7aea545d3dccbedbb0d173f72e

SHA512
c9f1e39e920498678a794844cd3d38b5f79588f4ea8dcada4032cc12ec7826bba80ab0be3e1fe245b8a03e7b37d68ea485a5d2ff8220d822468dc1a72e66b2f7

Download Submit