300fe6224578b1254a43444f7e1783dd608a6c065d4e6089e7560e719fc787b2

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

itadx.exe
Size

649KB
MD5

5e39f718790c8ab61b5fda0607ab046b
SHA1

be58a7d81bec145e61b291b9ba07d153b17fdb1d
SHA256

40a4758940e1bce888e96d4aa27c24032805a41700d5a0af5bddc174e247c683
SHA512

f08366a667eff30a3cb95f5ce37b712c55cbd251449eed0db24fee39f1a412d4924371db7444478fee7d5ee56a1835f5165bd2772fe7a97d3d94d1d96feed67e
SSDEEP

12288:L2qoY5sffWpiTHkfRvEwhc5Yh9gH1NcMRoNvia9N0HFW+DgnhLvLQ9WVB57:1GA0HkpvEwh2Yng8MRoAcCfghLLQ9OBV

Score

7^/10

aspackv2 persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Program Files (x86)\bckmsn\mpvisdm.dll	acprotect
\Program Files (x86)\bckmsn\mpvisdm.dll	acprotect

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Program Files (x86)\bckmsn\bckmsn.exe	aspack_v212_v242
\Program Files (x86)\bckmsn\bckmsn.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

bckmsn.exe

pid process

2700 bckmsn.exe
Loads dropped DLL 6 IoCs

Processes:

itadx.exebckmsn.exe

pid process

1044 itadx.exe
1044 itadx.exe
2700 bckmsn.exe
2700 bckmsn.exe
2700 bckmsn.exe
2700 bckmsn.exe

pid	process
2700	bckmsn.exe

pid	process
1044	itadx.exe
1044	itadx.exe
2700	bckmsn.exe
2700	bckmsn.exe
2700	bckmsn.exe
2700	bckmsn.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral13/memory/1044-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral13/memory/1044-16-0x0000000000400000-0x0000000000423000-memory.dmp	upx
C:\Program Files (x86)\bckmsn\mpvisdm.dll	upx
\Program Files (x86)\bckmsn\mpvisdm.dll	upx
behavioral13/memory/2700-25-0x0000000010000000-0x00000000100FD000-memory.dmp	upx
behavioral13/memory/2700-28-0x0000000010000000-0x00000000100FD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bckmsn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bckmsn = "C:\\Program Files (x86)\\bckmsn\\bckmsn.exe"	bckmsn.exe

Drops file in Program Files directory 7 IoCs

Processes:

itadx.exebckmsn.exe

description	ioc	process
File created	C:\Program Files (x86)\bckmsn\mpvisdm.dll	itadx.exe
File opened for modification	C:\Program Files (x86)\bckmsn\mpvisdm.dll	itadx.exe
File created	C:\PROGRA~2\bckmsn\200~1.1\dmplayer.dll	bckmsn.exe
File created	C:\Program Files (x86)\bckmsn\info.dat	bckmsn.exe
File opened for modification	C:\Program Files (x86)\bckmsn	itadx.exe
File created	C:\Program Files (x86)\bckmsn\bckmsn.exe	itadx.exe
File opened for modification	C:\Program Files (x86)\bckmsn\bckmsn.exe	itadx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

itadx.exe

description pid process

Token: SeRestorePrivilege 1044 itadx.exe
Token: SeBackupPrivilege 1044 itadx.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bckmsn.exe

pid process

2700 bckmsn.exe
2700 bckmsn.exe

description	pid	process
Token: SeRestorePrivilege	1044	itadx.exe
Token: SeBackupPrivilege	1044	itadx.exe

pid	process
2700	bckmsn.exe
2700	bckmsn.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

itadx.exe

description	pid	process	target process
PID 1044 wrote to memory of 2700	1044	itadx.exe	bckmsn.exe
PID 1044 wrote to memory of 2700	1044	itadx.exe	bckmsn.exe
PID 1044 wrote to memory of 2700	1044	itadx.exe	bckmsn.exe
PID 1044 wrote to memory of 2700	1044	itadx.exe	bckmsn.exe
PID 1044 wrote to memory of 2700	1044	itadx.exe	bckmsn.exe
PID 1044 wrote to memory of 2700	1044	itadx.exe	bckmsn.exe
PID 1044 wrote to memory of 2700	1044	itadx.exe	bckmsn.exe

C:\Users\Admin\AppData\Local\Temp\itadx.exe
"C:\Users\Admin\AppData\Local\Temp\itadx.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044

C:\Program Files (x86)\bckmsn\bckmsn.exe
"C:\Program Files (x86)\bckmsn\bckmsn.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\bckmsn\info.dat
Filesize
4KB

MD5
b879cab8736199a150f07f551dfc8f2f

SHA1
f09ab4bbd42bbc80d5ea7f1c44b2cb54c3541018

SHA256
ef6a059c7165ad3bc6060965eb3440544066c10f920045be0a3793970a8843e1

SHA512
7a390cd4ef77f1c1685a9d584873e22288ee4fbe7d64d42b2aff3ccc9a307eea6cc4348798bea64e84dd861c77adb0081c9d1b494fe87d405505a92637f92acf

Download Submit
C:\Program Files (x86)\bckmsn\mpvisdm.dll
Filesize
311KB

MD5
4b1f8834f9dc17e732af9807581b5939

SHA1
1ff447e62a3f90560f6778da74131bc0b1ae769c

SHA256
2984d7361bbb36e590b9afd7fd59b96fedf737f72858b80ac84287c6509c58be

SHA512
f6c2434d738bc58304cb7a56ff9cf701b701845cab726f375616205c3acf213b0c3d1838346aad186ff47b89ab5fc6b5b31d72cdfd2204f24254e6a46fffbbf4

Download Submit
\Program Files (x86)\bckmsn\bckmsn.exe
Filesize
164KB

MD5
2eb336f8aeca2aab40505d039f3a6a8a

SHA1
a2e5889115701a1363dd43ca9d2b535955554968

SHA256
d05cbe888d7929e4db64f0b88235413f0f9163363f534bbe17e0b24f40af9b04

SHA512
b89e02b862d5a81f71b267697410e0f2b52409006db27300e3483bcf65630ac9a8fd4c7976ce18dfd1c27f9440bda76b4157bfaac291aa7fc524f53f9e5298b2

Download Submit
\Program Files (x86)\bckmsn\bckmsn.exe
Filesize
237KB

MD5
ef5ec12bc67a3391646e48810dd2bab4

SHA1
b57e0aa8ade39642f454c1a179be4ff94f427702

SHA256
5fcaee3ea4ff2b50085af85f3ddd7ae9cdcebcb7a819c5b5d744fbe91a4293ae

SHA512
504702736ced85c8ca01fd7f36a5cc30706254b5fecdb45c05f494d3130f6af08ebc468923aa89a0f95b7b9091f3aa390ff2d5cc5378bedceaef9b4cdd46fcf0

Download Submit
\Program Files (x86)\bckmsn\mpvisdm.dll
Filesize
192KB

MD5
248d3f87bfd9eb7141a01548c1135635

SHA1
0a2f42b8d85ff91879792adbc0251df584a10c0f

SHA256
7bc32f6c9a3e8d7ea28f356d492172b59236366b3c5a3fd5dc72200dbe92e44d

SHA512
5e79ad47b1a9536f990653453f7601a6ef36232e059e0b1a6ebbb907888e1589185357c618b77688c9e8bf3cfe532f1227596dbd6b6538f63c3910c62ac4f934

Download Submit
memory/1044-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1044-3-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/1044-21-0x00000000001D0000-0x00000000001DD000-memory.dmp

Filesize
52KB

Download
memory/1044-2-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/1044-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1044-1-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/2700-25-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2700-27-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2700-28-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/2700-35-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download