f256637308860a3a1e4367f6546f5615bbd2d49ac12595ec884ed5979f9fc5b7

General

Target

BGA2Editor.exe
Size

5.2MB
MD5

dc183625a6758b99a7b64dc2d62e11cb
SHA1

68ecb6ab59d4bdea7cf02abd5ca0a06718ae6ae7
SHA256

f256637308860a3a1e4367f6546f5615bbd2d49ac12595ec884ed5979f9fc5b7
SHA512

27669d63203395bba527a25ea790cc2d66b835e1ec8fc8c70569d16b799681a112f4385a0885383b7904e3749fd8493ad8bbf42c2df1a3c36eaf0628638e5786
SSDEEP

98304:PlJ8P47JU8Z2xxzSsOVmMUE3dm+ZhYfBeEClx2SejCLEqpY+s9gbYUO5y573f5td:PlJSaJNESeE3M+ZhMBevDdep0Y+s9glz

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1516	BGA2Editor.exe
1516	BGA2Editor.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3480	POWERPNT.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	1516	BGA2Editor.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3480	POWERPNT.EXE
3480	POWERPNT.EXE
3480	POWERPNT.EXE
3480	POWERPNT.EXE
3480	POWERPNT.EXE
3480	POWERPNT.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1516	1148	BGA2Editor.exe	84
PID 1148 wrote to memory of 1516	1148	BGA2Editor.exe	84

C:\Users\Admin\AppData\Local\Temp\BGA2Editor.exe
"C:\Users\Admin\AppData\Local\Temp\BGA2Editor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\BGA2Editor.exe
  "C:\Users\Admin\AppData\Local\Temp\BGA2Editor.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1516

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\LockUnblock.ppt" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI11482\BGA2Editor.exe.manifest

Filesize
1KB

MD5
564d2eea8c51b3e9e3df2975214136bc

SHA1
70a30b59223a418561c321354c45380d2aac6c20

SHA256
0ca311b4ac08daa87040dd9d91a84068727b9a96b40115dfbf9c614b08a887d8

SHA512
dc35b3ebcc472f81f8a3b75d1023b6796411a260c6bb10f315f0cd313cb5a48ee1460db28a83e25d7512efed863a47b3e3e4915afb7337f63ebd143700d9db41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11482\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11482\base_library.zip

Filesize
762KB

MD5
a40ef803eed5fd08d569213f83b77236

SHA1
059bb4f5aebd1d5176452701e345e30e5b5b8ca4

SHA256
93220367150060d3a0669669c1a11376a6319690c37c7fc6bdcf3180e1cf650e

SHA512
d0c52ae48c99543fee5ff17769234879cd582e4abfa4435072478ffab29b1b885672999471cfdb65fa66b3411c23099c0cb4971a5bea11c309b36c704af714a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11482\python37.dll

Filesize
3.6MB

MD5
22546a966149e4f545e00d0c0c294a53

SHA1
3d51c13be6cd7f115934bfa9ef8a3ddd3f571949

SHA256
b01884bced504e81edb83da4c0e6c3098d87c1512d60bb85e88ecd1a937ed2a0

SHA512
1a62a837b42e6ecb149d034826929a9d818571ac7b830b380899bdcf3b72307025d2f47b7d6013cab2725ccbdc1af9ad4b733be75dfe030ecd674d7927b90eac

Download Submit
memory/3480-42-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-45-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-34-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-35-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-33-0x00007FFE34DD0000-0x00007FFE34DE0000-memory.dmp

Filesize
64KB

Download
memory/3480-30-0x00007FFE34DD0000-0x00007FFE34DE0000-memory.dmp

Filesize
64KB

Download
memory/3480-37-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-36-0x00007FFE34DD0000-0x00007FFE34DE0000-memory.dmp

Filesize
64KB

Download
memory/3480-38-0x00007FFE34DD0000-0x00007FFE34DE0000-memory.dmp

Filesize
64KB

Download
memory/3480-39-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-40-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-41-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-32-0x00007FFE34DD0000-0x00007FFE34DE0000-memory.dmp

Filesize
64KB

Download
memory/3480-43-0x00007FFE326D0000-0x00007FFE326E0000-memory.dmp

Filesize
64KB

Download
memory/3480-44-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-31-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-48-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-47-0x00007FFE326D0000-0x00007FFE326E0000-memory.dmp

Filesize
64KB

Download
memory/3480-46-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-49-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-50-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-51-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-72-0x00007FFE34DD0000-0x00007FFE34DE0000-memory.dmp

Filesize
64KB

Download
memory/3480-73-0x00007FFE34DD0000-0x00007FFE34DE0000-memory.dmp

Filesize
64KB

Download
memory/3480-75-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-74-0x00007FFE34DD0000-0x00007FFE34DE0000-memory.dmp

Filesize
64KB

Download
memory/3480-77-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download
memory/3480-76-0x00007FFE34DD0000-0x00007FFE34DE0000-memory.dmp

Filesize
64KB

Download
memory/3480-78-0x00007FFE74D50000-0x00007FFE74F45000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads