f8dec3bc89c9f3442ad2fa7234124e7fa1de93235e4571e3b011bab14ae5db60

Analysis

max time kernel
148s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 07:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b42bc8be0a045e0a254ce8cf5a4c5f55.exe
Size

84KB
MD5

b42bc8be0a045e0a254ce8cf5a4c5f55
SHA1

58e88d802d9720e0f064f9f4a09477684a35c4d1
SHA256

f8dec3bc89c9f3442ad2fa7234124e7fa1de93235e4571e3b011bab14ae5db60
SHA512

0772e5b956e72f73000878ebf94df5877c4d8ec21352e02bb4c4c89d608c995da44aa2b26189efe0020485c2638c38d290f7b6200d6a81308fb40a8cd9f8c303
SSDEEP

1536:J6ggfUfojGnRR1J0+6Q230jgBhVulU8KgKFVXljQG6q8+t:J6uxJ0+yBz6jK9XtQ88+t

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\ServiceDll = "C:\\Progra~1\\%Program Files%\\Wdcp.dll"	laass.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\ServiceDll = "C:\\Progra~1\\%Program Files%\\Wdcp.dll"	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000231f1-22.dat	acprotect
behavioral2/files/0x00070000000231f1-24.dat	acprotect
behavioral2/files/0x00070000000231f1-26.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	b42bc8be0a045e0a254ce8cf5a4c5f55.exe

Executes dropped EXE 1 IoCs

pid	Process
2872	laass.exe

Loads dropped DLL 2 IoCs

pid	Process
2872	laass.exe
3160	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "file:c:\\windows\\362.VBS"	laass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "file:c:\\windows\\362.VBS"	rundll32.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Progra~1\%Program Files%\Cest.bat	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
File created	C:\Progra~1\%Program Files%\~	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
File created	C:\Progra~1\%Program Files%\Wdcp.dll	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
File opened for modification	C:\Progra~1\%Program Files%\Wdcp.dll	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
File opened for modification	\??\c:\Program Files\%Program Files%	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
File created	C:\Progra~1\%Program Files%\laass.exe	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
File created	C:\Progra~1\%Program Files%\363.VBS	b42bc8be0a045e0a254ce8cf5a4c5f55.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\best.bat	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
File created	C:\windows\362.vbs	b42bc8be0a045e0a254ce8cf5a4c5f55.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe
2872	laass.exe
2872	laass.exe
2872	laass.exe
2872	laass.exe
2872	laass.exe
2872	laass.exe
2872	laass.exe
2872	laass.exe
2872	laass.exe
2872	laass.exe
2872	laass.exe
2872	laass.exe
3160	rundll32.exe
3160	rundll32.exe
2872	laass.exe
2872	laass.exe
3160	rundll32.exe
3160	rundll32.exe
2872	laass.exe
2872	laass.exe
3160	rundll32.exe
3160	rundll32.exe
2872	laass.exe
2872	laass.exe
3160	rundll32.exe
3160	rundll32.exe
2872	laass.exe
2872	laass.exe
3160	rundll32.exe
3160	rundll32.exe
2872	laass.exe
2872	laass.exe
3160	rundll32.exe
3160	rundll32.exe
2872	laass.exe
2872	laass.exe
3160	rundll32.exe
3160	rundll32.exe
2872	laass.exe
2872	laass.exe
3160	rundll32.exe
3160	rundll32.exe
2872	laass.exe
2872	laass.exe
3160	rundll32.exe
3160	rundll32.exe
2872	laass.exe
2872	laass.exe
3160	rundll32.exe
3160	rundll32.exe
2872	laass.exe
2872	laass.exe
3160	rundll32.exe
3160	rundll32.exe
2872	laass.exe
2872	laass.exe
3160	rundll32.exe
3160	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3160	rundll32.exe
2872	laass.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 2872	3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	91
PID 3708 wrote to memory of 2872	3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	91
PID 3708 wrote to memory of 2872	3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	91
PID 3708 wrote to memory of 3160	3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	92
PID 3708 wrote to memory of 3160	3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	92
PID 3708 wrote to memory of 3160	3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	92
PID 3708 wrote to memory of 4628	3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	93
PID 3708 wrote to memory of 4628	3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	93
PID 3708 wrote to memory of 4628	3708	b42bc8be0a045e0a254ce8cf5a4c5f55.exe	93

C:\Users\Admin\AppData\Local\Temp\b42bc8be0a045e0a254ce8cf5a4c5f55.exe
"C:\Users\Admin\AppData\Local\Temp\b42bc8be0a045e0a254ce8cf5a4c5f55.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Program Files\%Program Files%\laass.exe
  "C:\Program Files\%Program Files%\laass.exe" Wdcp.dll main
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2872
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" Wdcp.dll main
  2⤵
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B42BC8~1.EXE > nul & rd c:\%Progr~1 > nul
  2⤵
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\%Program Files%\Wdcp.dll

Filesize
7.1MB

MD5
c2b56af2861229305683be53b1813c0c

SHA1
3b52b0724349f1695031b47593110dfae464151e

SHA256
d33a16c1d7a331acc83923da864744486307174a0bce73ce33e968c4232ea464

SHA512
fa9a744b48b1a4bfec94ab0073b8275a6521edf3579b9f68a270c52e9745c8211969b02993e36e8f3cb1ba9bd8f4c4b9ad26e1b97aa077892da9055c535c83c2

Download Submit
C:\Program Files\%Program Files%\Wdcp.dll

Filesize
5.9MB

MD5
8148315b8468bf3ad4a1dceaec04bc7c

SHA1
318bd65f42ebc552ba694a19f5438e680df70e01

SHA256
26dd0665c7d0d6e0f697664dd6b1f166fa1c3c19a2c98e9dd54bd51768aca60f

SHA512
6e1ac5586a44c883285858651d43977012985c595b1f80ba7f1ecdf86111c51e4afe4dbefa2870d8e57ccce37062bbac8d138321b3ac34443a38d4af43204e10

Download Submit
C:\Program Files\%Program Files%\Wdcp.dll

Filesize
8.9MB

MD5
570ce0c742672b14bb2af3efadc01c08

SHA1
db5d5b4a057e54da89874ae1df611308e9816f8f

SHA256
20f30c4d7a138bb119e2bbac21ff6546dd2c4312fd15f08b899ad04c1182912d

SHA512
45394839486a3e9f9ed30e998f3f9685e3ec5a4bed90956ac7d060a8cc5e7494734e9ec1d4855bc7c3c528cd7a6730c405b79612a2740f71090dde40bbee67fd

Download Submit
C:\Program Files\%Program Files%\laass.exe

Filesize
9KB

MD5
359c541c07a39ab11bb45aad29b2d2ce

SHA1
3c4f277f184ae306a4d0efe1bcb9e03ecabbb9b7

SHA256
6e2378348ebebf5b301744fedb0be396ef4e7e92ad94877da79eed9eb46850d5

SHA512
768050272dd4875a4c2a6a96f6337334c05d1512dfc0cc9ceee883a7c701de5e2e90872a6f9029de5b528b74c07cb8aa61c10f9f9e834f8021e9759136fcfbff

Download Submit
\??\c:\ntldr.sys

Filesize
90B

MD5
2decc7673a337ecad80bbbfed8a524bb

SHA1
7a0ade42fc8d51817572919584e0ef1a3c7bf18c

SHA256
7290f853e512f2c5d401ac03dbcb2e5f0dd6bf27e5dc51b7f476a33ea9d94974

SHA512
8c608695079866acc9c2d4486841688f93cc1e632534058c9ffbb7e95c197a0e4ac6da422ce67a60aca7ccd887df85c3cd225f24d0214b050ffa98cb76145d82

Download Submit
memory/2872-25-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2872-30-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2872-31-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/3160-27-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/3160-28-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/3160-32-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/3708-0-0x0000000000400000-0x000000000042ED90-memory.dmp

Filesize
187KB

Download
memory/3708-23-0x0000000000400000-0x000000000042ED90-memory.dmp

Filesize
187KB

Download
memory/3708-1-0x0000000000400000-0x000000000042ED90-memory.dmp

Filesize
187KB

Download