Analysis
  max time kernel: 150s
  max time network: 126s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 01-02-2024 00:32
Static task: static1
Behavioral task: behavioral1
  Sample: 85759cab4b9689dd558be1feb11a5151.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 85759cab4b9689dd558be1feb11a5151.exe
  Resource: win10v2004-20231215-en
General
  Target: 85759cab4b9689dd558be1feb11a5151.exe
  Size: 317KB
  MD5: 85759cab4b9689dd558be1feb11a5151
  SHA1: 42e2b6e2b8ce15bbdb86211b001a7a8fdae9fbfb
  SHA256: e4b30c794c05314113eebc2a0efe254e6c2fdffc13cd34968c18b4632e82bcfd
  SHA512: 665475041da96dfe43a584f726e020408dce134d5877244cf82056454b7874b5852a553071dd93b1a39859af11217fadfbd60f5dbe5c3e496ec4dad7183163de
  SSDEEP: 6144:yQr5j/9N0284TMmEiH8VNhNYbm343qRdhZg3hWFXmtpnATQIi:tR0kTMZiHQNYbr3qRd4R5t1Ao
Malware Config
Signatures

Deletes itself (1 IoC)
  Process: pBcOb07003.exe (pid 612)

Executes dropped EXE (1 IoC)
  Process: pBcOb07003.exe (pid 612)

Loads dropped DLL (2 IoCs)
  Process: 85759cab4b9689dd558be1feb11a5151.exe (pid 2208), 2 hits

YARA rule match: upx (6 memory dumps)
  behavioral1/memory/2208-1-0x0000000000400000-0x00000000005B5000-memory.dmp
  behavioral1/memory/612-14-0x0000000000400000-0x00000000005B5000-memory.dmp
  behavioral1/memory/2208-18-0x0000000000400000-0x00000000005B5000-memory.dmp
  behavioral1/memory/612-19-0x0000000000400000-0x00000000005B5000-memory.dmp
  behavioral1/memory/2208-20-0x0000000000400000-0x00000000005B5000-memory.dmp
  behavioral1/memory/612-26-0x0000000000400000-0x00000000005B5000-memory.dmp

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: pBcOb07003.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pBcOb07003 = "C:\\ProgramData\\pBcOb07003\\pBcOb07003.exe"

Modifies Internet Explorer settings (1 IoC)
  Process: pBcOb07003.exe
  Key created: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 85759cab4b9689dd558be1feb11a5151.exe (pid 2208), 2 hits; pBcOb07003.exe (pid 612), 2 hits

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, 85759cab4b9689dd558be1feb11a5151.exe (pid 2208)
  Token: SeDebugPrivilege, pBcOb07003.exe (pid 612)

Suspicious use of FindShellTrayWindow (2 IoCs)
  Process: pBcOb07003.exe (pid 612), 2 hits

Suspicious use of SendNotifyMessage (2 IoCs)
  Process: pBcOb07003.exe (pid 612), 2 hits

Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: pBcOb07003.exe (pid 612), 2 hits

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2208 (85759cab4b9689dd558be1feb11a5151.exe) wrote to memory of PID 612 (pBcOb07003.exe), 4 hits
Processes

1. C:\Users\Admin\AppData\Local\Temp\85759cab4b9689dd558be1feb11a5151.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\85759cab4b9689dd558be1feb11a5151.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\pBcOb07003\pBcOb07003.exe (child of 1)
      Command line: "C:\ProgramData\pBcOb07003\pBcOb07003.exe" "C:\Users\Admin\AppData\Local\Temp\85759cab4b9689dd558be1feb11a5151.exe"
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
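The process tree shows the dropper pattern end to end: the submitted sample writes a copy to C:\ProgramData\pBcOb07003\pBcOb07003.exe, launches it with the original's path as the only argument (the "Deletes itself" signature fires on the child, which is the process that has been told where the original lives), and the child registers itself under the user's RunOnce key. The Downloads section also shows that the dropped copy has different hashes from the submitted file despite the same 317KB size, so matching on the original's hash would not catch the copy; the behaviour is the durable indicator. The script below is an added example, not part of the report or of the sandbox's tooling: it correlates constructed Sysmon-style process-create, file-create and registry-set events (event IDs 1, 11 and 13; the field names, the explorer/notepad events and the installer event are assumptions of the example, while the PIDs, paths and RunOnce key are taken from the report) into those three behaviours.

```python
"""Correlate endpoint events into the dropper pattern seen in the report.

Added example, not part of the sandbox report or its tooling. Events are
dicts modelled on Sysmon event IDs (1 = process create, 11 = file create,
13 = registry value set); the field names are an assumption of this example.
"""
import re

# Split a Windows command line into arguments, honouring double quotes.
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')
# A value written directly under ...\CurrentVersion\Run or \RunOnce.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$", re.I)
# Locations a standard user can write to, so an autorun there needs no admin rights.
USER_WRITABLE_RE = re.compile(r"^c:\\(programdata|users\\[^\\]+\\appdata)\\", re.I)

# Constructed sample: PIDs, paths and the RunOnce key come from the report;
# the explorer/notepad and installer events are benign noise added for contrast.
ORIG = r"C:\Users\Admin\AppData\Local\Temp\85759cab4b9689dd558be1feb11a5151.exe"
DROP = r"C:\ProgramData\pBcOb07003\pBcOb07003.exe"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1234, "ppid": 1000, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 2208, "ppid": 1234, "image": ORIG, "cmdline": f'"{ORIG}"'},
    {"id": 11, "pid": 2208, "image": ORIG, "target": DROP},
    {"id": 1, "pid": 612, "ppid": 2208, "image": DROP, "cmdline": f'"{DROP}" "{ORIG}"'},
    {"id": 13, "pid": 612, "image": DROP, "details": DROP,
     "target": r"\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\pBcOb07003"},
    {"id": 1, "pid": 3001, "ppid": 1234, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Documents\notes.txt"'},
    {"id": 13, "pid": 4000, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]


def split_args(cmdline):
    """Return the argument list of a Windows command line."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def norm(path):
    """Case-fold and unquote a path so registry data and image paths compare equal."""
    return path.strip('"').lower()


def correlate(events):
    """Return the findings for one host's event stream."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    drops = {(e["pid"], norm(e["target"])) for e in events if e["id"] == 11}
    findings = []
    for e in events:
        if e["id"] == 1:
            image = norm(e["image"])
            parent = procs.get(e.get("ppid"))
            # The new process image is a file its own parent wrote: "Executes dropped EXE".
            if (e.get("ppid"), image) in drops:
                findings.append({"rule": "executes_dropped_exe", "pid": e["pid"], "path": image})
            # The parent passes its own path to the child. In the report the child is the
            # one that "Deletes itself", i.e. removes the original it was told about.
            if parent and norm(parent["image"]) in [norm(a) for a in split_args(e["cmdline"])[1:]]:
                findings.append({"rule": "parent_path_handoff", "pid": e["pid"], "parent": parent["pid"]})
        elif e["id"] == 13 and RUN_KEY_RE.search(e["target"]):
            value = norm(e["details"])
            # Autorun pointing into ProgramData or the user profile; "self" marks the
            # binary registering its own image, as pBcOb07003.exe does in the report.
            if USER_WRITABLE_RE.match(value):
                findings.append({"rule": "run_key_user_writable", "pid": e["pid"],
                                 "path": value, "self": value == norm(e["image"])})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

On the constructed stream all three rules fire on pid 612 and nothing fires on the explorer, notepad or installer events. The handoff rule flags the command line rather than the deletion itself: the original's removal shows up on a real host as a file-delete event from the child, which a sandbox summarises as "Deletes itself", so the two should be joined on the child PID when both are available.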
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

\ProgramData\pBcOb07003\pBcOb07003.exe
  Filesize: 317KB
  MD5: c246be0c6b512e8f0f3b46f97d1f7451
  SHA1: 5eb887517afc7aa425ca02bcef24d033178796c5
  SHA256: 22b9fd33156ba8695803665ff815af16d4c4dfac7dba34f19e2ea096d3ac44d6
  SHA512: e19873c15e0ff6f4d3ca0596d7e176f015f6d36b58abfedc48fae50095f522e666ab2e0d7ad5757c2f2f3cc23a89eb4b8d664e71bb24d0f471ed047f034f4a8d

memory/612-14-0x0000000000400000-0x00000000005B5000-memory.dmp
  Filesize: 1.7MB

memory/612-19-0x0000000000400000-0x00000000005B5000-memory.dmp
  Filesize: 1.7MB

memory/612-26-0x0000000000400000-0x00000000005B5000-memory.dmp
  Filesize: 1.7MB

memory/2208-0-0x0000000000250000-0x000000000029D000-memory.dmp
  Filesize: 308KB

memory/2208-1-0x0000000000400000-0x00000000005B5000-memory.dmp
  Filesize: 1.7MB

memory/2208-18-0x0000000000400000-0x00000000005B5000-memory.dmp
  Filesize: 1.7MB

memory/2208-20-0x0000000000400000-0x00000000005B5000-memory.dmp
  Filesize: 1.7MB