e4b30c794c05314113eebc2a0efe254e6c2fdffc13cd34968c18b4632e82bcfd

General

Target

85759cab4b9689dd558be1feb11a5151.exe
Size

317KB
MD5

85759cab4b9689dd558be1feb11a5151
SHA1

42e2b6e2b8ce15bbdb86211b001a7a8fdae9fbfb
SHA256

e4b30c794c05314113eebc2a0efe254e6c2fdffc13cd34968c18b4632e82bcfd
SHA512

665475041da96dfe43a584f726e020408dce134d5877244cf82056454b7874b5852a553071dd93b1a39859af11217fadfbd60f5dbe5c3e496ec4dad7183163de
SSDEEP

6144:yQr5j/9N0284TMmEiH8VNhNYbm343qRdhZg3hWFXmtpnATQIi:tR0kTMZiHQNYbr3qRd4R5t1Ao

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

pBcOb07003.exe

pid process

612 pBcOb07003.exe
Executes dropped EXE 1 IoCs

Processes:

pBcOb07003.exe

pid process

612 pBcOb07003.exe
Loads dropped DLL 2 IoCs

Processes:

85759cab4b9689dd558be1feb11a5151.exe

pid process

2208 85759cab4b9689dd558be1feb11a5151.exe
2208 85759cab4b9689dd558be1feb11a5151.exe

pid	process
612	pBcOb07003.exe

pid	process
612	pBcOb07003.exe

pid	process
2208	85759cab4b9689dd558be1feb11a5151.exe
2208	85759cab4b9689dd558be1feb11a5151.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2208-1-0x0000000000400000-0x00000000005B5000-memory.dmp	upx
behavioral1/memory/612-14-0x0000000000400000-0x00000000005B5000-memory.dmp	upx
behavioral1/memory/2208-18-0x0000000000400000-0x00000000005B5000-memory.dmp	upx
behavioral1/memory/612-19-0x0000000000400000-0x00000000005B5000-memory.dmp	upx
behavioral1/memory/2208-20-0x0000000000400000-0x00000000005B5000-memory.dmp	upx
behavioral1/memory/612-26-0x0000000000400000-0x00000000005B5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pBcOb07003.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pBcOb07003 = "C:\\ProgramData\\pBcOb07003\\pBcOb07003.exe"	pBcOb07003.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

pBcOb07003.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main pBcOb07003.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

85759cab4b9689dd558be1feb11a5151.exepBcOb07003.exe

pid process

2208 85759cab4b9689dd558be1feb11a5151.exe
2208 85759cab4b9689dd558be1feb11a5151.exe
612 pBcOb07003.exe
612 pBcOb07003.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

85759cab4b9689dd558be1feb11a5151.exepBcOb07003.exe

description pid process

Token: SeDebugPrivilege 2208 85759cab4b9689dd558be1feb11a5151.exe
Token: SeDebugPrivilege 612 pBcOb07003.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pBcOb07003.exe

pid process

612 pBcOb07003.exe
612 pBcOb07003.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pBcOb07003.exe

pid process

612 pBcOb07003.exe
612 pBcOb07003.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pBcOb07003.exe

pid process

612 pBcOb07003.exe
612 pBcOb07003.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	pBcOb07003.exe

pid	process
2208	85759cab4b9689dd558be1feb11a5151.exe
2208	85759cab4b9689dd558be1feb11a5151.exe
612	pBcOb07003.exe
612	pBcOb07003.exe

description	pid	process
Token: SeDebugPrivilege	2208	85759cab4b9689dd558be1feb11a5151.exe
Token: SeDebugPrivilege	612	pBcOb07003.exe

pid	process
612	pBcOb07003.exe
612	pBcOb07003.exe

pid	process
612	pBcOb07003.exe
612	pBcOb07003.exe

pid	process
612	pBcOb07003.exe
612	pBcOb07003.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

85759cab4b9689dd558be1feb11a5151.exe

description	pid	process	target process
PID 2208 wrote to memory of 612	2208	85759cab4b9689dd558be1feb11a5151.exe	pBcOb07003.exe
PID 2208 wrote to memory of 612	2208	85759cab4b9689dd558be1feb11a5151.exe	pBcOb07003.exe
PID 2208 wrote to memory of 612	2208	85759cab4b9689dd558be1feb11a5151.exe	pBcOb07003.exe
PID 2208 wrote to memory of 612	2208	85759cab4b9689dd558be1feb11a5151.exe	pBcOb07003.exe

C:\Users\Admin\AppData\Local\Temp\85759cab4b9689dd558be1feb11a5151.exe
"C:\Users\Admin\AppData\Local\Temp\85759cab4b9689dd558be1feb11a5151.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\ProgramData\pBcOb07003\pBcOb07003.exe
"C:\ProgramData\pBcOb07003\pBcOb07003.exe" "C:\Users\Admin\AppData\Local\Temp\85759cab4b9689dd558be1feb11a5151.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\pBcOb07003\pBcOb07003.exe
Filesize
317KB

MD5
c246be0c6b512e8f0f3b46f97d1f7451

SHA1
5eb887517afc7aa425ca02bcef24d033178796c5

SHA256
22b9fd33156ba8695803665ff815af16d4c4dfac7dba34f19e2ea096d3ac44d6

SHA512
e19873c15e0ff6f4d3ca0596d7e176f015f6d36b58abfedc48fae50095f522e666ab2e0d7ad5757c2f2f3cc23a89eb4b8d664e71bb24d0f471ed047f034f4a8d

Download Submit
memory/612-14-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/612-19-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/612-26-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/2208-0-0x0000000000250000-0x000000000029D000-memory.dmp

Filesize
308KB

Download
memory/2208-1-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/2208-18-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/2208-20-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads