Analysis

  • max time kernel: 78s
  • max time network: 81s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25-01-2024 17:28

General

  • Target: CS2 Bebra Changer/PyuBCoF1HM.exe
  • Size: 42KB
  • MD5: 064f764fd8be73761b0f92e23752f0a9
  • SHA1: ca2065549043b525987690d04b02ff414565a3c7
  • SHA256: efb25224067d604503f33039b5867896793e7e3e88ca2d792593283837119687
  • SHA512: 080947f458bf01b00b4226a211b849dc1e1b839346bebc50ab84258fa18470172852e6557899f005611f64d25e3d6197ee0251b0a2184264c68d10ed6185d666
  • SSDEEP: 768:os3Tb75VkpYrhWoK8wJPJRlNhSP00oZTzvIffkRswMyJXXN2+tZGHZch37g/4:os/gPJ7NhSP00oZYffkRvMSPZdgg

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CS2 Bebra Changer\PyuBCoF1HM.exe
    "C:\Users\Admin\AppData\Local\Temp\CS2 Bebra Changer\PyuBCoF1HM.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    PID:3976
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:368
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
        "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Windows\SysWOW64\unregmp2.exe
          C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4444
          • C:\Windows\system32\unregmp2.exe
            "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
            4⤵
            • Modifies Installed Components in the registry
            • Drops desktop.ini file(s)
            • Drops file in Program Files directory
            • Modifies registry class
            PID:880
        • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
          "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Downloads\MergeEdit.wax
          3⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:2288
      • C:\Windows\SysWOW64\unregmp2.exe
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          3⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          PID:2708
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
      1⤵
      • Drops file in Windows directory
      PID:3352
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\MergeStop.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:4756

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize: 64KB
    MD5: 987a07b978cfe12e4ce45e513ef86619
    SHA1: 22eec9a9b2e83ad33bedc59e3205f86590b7d40c
    SHA256: f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
    SHA512: 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize: 1024KB
    MD5: a507440752731466f8604024fd678801
    SHA1: 3341a8fc7f2395e11991b8fb99498b6934553008
    SHA256: e627167447b543db8e2cb533e14592ca74e3c36c60063f2b750d30a2787edf9c
    SHA512: 4bd2b0413ddc8386bb652fb5fce27cbb82c4aabf654ea63c264916d04b29d327477e6829a76c489334f0fec556c3701f4e2fe5f0904d3a92cb71e5ea2b7d8c52

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
    Filesize: 9KB
    MD5: 7050d5ae8acfbe560fa11073fef8185d
    SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
    SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
    SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize: 1KB
    MD5: 4b87ceaf8ea5d848df60d22dd0052127
    SHA1: 6cb04494fb11c03f96cf9d0ab9defd697490bf84
    SHA256: 00e681898a9b89d014be52b493989b71222e5e5201d4c7f06c04acf07b716546
    SHA512: 54ef7ed778f0f79a485abc9cb0f150f095b1c1b76cff114f16cb4964cf164b9305237bb2ed1cf2911cabedd8a2f8b044e7bc5ca7d39484fdc18de0c6c575d34f

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize: 2KB
    MD5: 00071b2642fa03923cd17699a9632788
    SHA1: f1372632b1bfad7ed65d552c8a2e8e00d3af09df
    SHA256: 5b26d886b76eb859498689e915c824897c056e558c84e6991cf6e8e4ccd331c0
    SHA512: af69ef404fe1bcd46a40e972daae4a8cff36c8f1aea2cc2b75d11c337fb45163fb178f68485c7e2abf651698966af416cfad7c57191d33e29197b254836de46f