ce461afb0e0a2383774adc783957d15f30711dcfba83e5fc801cb26385db0f09

General

Target

Patch_CNN.CLI.CL.23.00.00.10.exe
Size

17.7MB
MD5

374dfab5c8575d386382466bb2caf3e7
SHA1

a392b2e05fc6506fff64a2f4a682ded88d13d289
SHA256

ce461afb0e0a2383774adc783957d15f30711dcfba83e5fc801cb26385db0f09
SHA512

8bf0f3c0198f4d34faa0a29069b10a309e6ee1c8d86214053d7af3f966b19a96df7c09bb6f15ddbbdf9166ccfc8de5b3fde7c07a74d72f008073a8261c15f754
SSDEEP

393216:bBJ5NtmBK2gqybV/4w6WtJqTb/JvQaw2OC/xp1w7AdeYq+y+88ssfFPxyV8:rcBFgqybVwwttGD/OC/xMcAuy+889tPX

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Patch_CNN.CLI.CL.23.00.00.10.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Patch_CNN.CLI.CL.23.00.00.10.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Patch_CNN.CLI.CL.23.00.00.10.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Wine	Patch_CNN.CLI.CL.23.00.00.10.exe

Loads dropped DLL 1 IoCs

pid	Process
4588	Patch_CNN.CLI.CL.23.00.00.10.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Patch_CNN.CLI.CL.23.00.00.10.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4588	Patch_CNN.CLI.CL.23.00.00.10.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Bentley Shared\CONNECTION Client\Bentley.Connect.Client.Framework.dll	Patch_CNN.CLI.CL.23.00.00.10.exe
File created	C:\Program Files\Common Files\Bentley Shared\CONNECTION Client\LicService\Bentley.Licensing.CloudServices.Authentication.Client.dll	Patch_CNN.CLI.CL.23.00.00.10.exe
File opened for modification	C:\Program Files\Common Files\Bentley Shared\CONNECTION Client\LicService\Bentley.Licensing.CloudServices.Authentication.Client.dll	Patch_CNN.CLI.CL.23.00.00.10.exe
File created	C:\Program Files\Common Files\Bentley Shared\CONNECTION Client\LicService\Bentley.Licensing.LicenseManagement.dll	Patch_CNN.CLI.CL.23.00.00.10.exe
File opened for modification	C:\Program Files\Common Files\Bentley Shared\CONNECTION Client\LicService\Bentley.Licensing.LicenseManagement.dll	Patch_CNN.CLI.CL.23.00.00.10.exe
File created	C:\Program Files\Common Files\Bentley Shared\CONNECTION Client\Bentley.Connect.Client.Framework.dll	Patch_CNN.CLI.CL.23.00.00.10.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3628	taskkill.exe
4076	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
5052	PING.EXE
4648	PING.EXE
4420	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4588	Patch_CNN.CLI.CL.23.00.00.10.exe
4588	Patch_CNN.CLI.CL.23.00.00.10.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeDebugPrivilege	4076	taskkill.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 2620	4588	Patch_CNN.CLI.CL.23.00.00.10.exe	103
PID 4588 wrote to memory of 2620	4588	Patch_CNN.CLI.CL.23.00.00.10.exe	103
PID 4588 wrote to memory of 2620	4588	Patch_CNN.CLI.CL.23.00.00.10.exe	103
PID 2620 wrote to memory of 4072	2620	cmd.exe	105
PID 2620 wrote to memory of 4072	2620	cmd.exe	105
PID 2620 wrote to memory of 4072	2620	cmd.exe	105
PID 2620 wrote to memory of 3048	2620	cmd.exe	106
PID 2620 wrote to memory of 3048	2620	cmd.exe	106
PID 2620 wrote to memory of 3048	2620	cmd.exe	106
PID 3048 wrote to memory of 4040	3048	net.exe	107
PID 3048 wrote to memory of 4040	3048	net.exe	107
PID 3048 wrote to memory of 4040	3048	net.exe	107
PID 2620 wrote to memory of 3628	2620	cmd.exe	108
PID 2620 wrote to memory of 3628	2620	cmd.exe	108
PID 2620 wrote to memory of 3628	2620	cmd.exe	108
PID 2620 wrote to memory of 4076	2620	cmd.exe	109
PID 2620 wrote to memory of 4076	2620	cmd.exe	109
PID 2620 wrote to memory of 4076	2620	cmd.exe	109
PID 2620 wrote to memory of 4648	2620	cmd.exe	110
PID 2620 wrote to memory of 4648	2620	cmd.exe	110
PID 2620 wrote to memory of 4648	2620	cmd.exe	110
PID 2620 wrote to memory of 4420	2620	cmd.exe	111
PID 2620 wrote to memory of 4420	2620	cmd.exe	111
PID 2620 wrote to memory of 4420	2620	cmd.exe	111
PID 2620 wrote to memory of 5052	2620	cmd.exe	112
PID 2620 wrote to memory of 5052	2620	cmd.exe	112
PID 2620 wrote to memory of 5052	2620	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\Patch_CNN.CLI.CL.23.00.00.10.exe
"C:\Users\Admin\AppData\Local\Temp\Patch_CNN.CLI.CL.23.00.00.10.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\scc.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\mode.com
    mode CON: COLS=84 LINES=5
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\net.exe
    NET FILE
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 FILE
      4⤵
      PID:4040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Bentley.Licensing.Service.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /IM Bentley.Connect.Client.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 -w 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4648
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 -w 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4420
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 -w 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll

Filesize
15.8MB

MD5
d7168ab72d50982859dbab6782488c8f

SHA1
e01ad884935f1ec4963025e4f5688b3d1e3d0728

SHA256
116016985a4004050ea6c2cb7987598a952cd128ed5709bd252942022c209065

SHA512
e84e9a17e8ae5fad59cb05b788bf4ecfe1d0180950cd29245f88482704ebb8acf3240e6a4bfd6de78ba5c56145e5cb78ef730f5646e8e434b378d68cd60ffb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scc.cmd

Filesize
2KB

MD5
2d183c3162cfda28310d6d68dfeac40d

SHA1
490a0766cba46f4e70a6b161540681cfb4cc28b2

SHA256
059cc52b0f09294c0473fbd4e0b0c05cc4166d5aaa1218efe56d24ff0fa24eed

SHA512
57f05dbf7b39a1f7423f7c1824dd9a85b0edf313692bd3871da625b3b1d4d1b5689e0ec2c315ca51d8f82720024186749b5f1317a61ed84721bb38705a2888aa

Download Submit
memory/4588-10-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-11-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-4-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-5-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-6-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-7-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-8-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-9-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-0-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-3-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-12-0x00000000082A0000-0x00000000082A1000-memory.dmp

Filesize
4KB

Download
memory/4588-2-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-15-0x0000000008BB0000-0x0000000008BB1000-memory.dmp

Filesize
4KB

Download
memory/4588-18-0x0000000073820000-0x00000000747FF000-memory.dmp

Filesize
15.9MB

Download
memory/4588-19-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-1-0x00000000772B4000-0x00000000772B6000-memory.dmp

Filesize
8KB

Download
memory/4588-24-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-31-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-32-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download
memory/4588-34-0x00000000005D0000-0x0000000001A91000-memory.dmp

Filesize
20.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads