Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-03-2024 05:27

Behavioral task: behavioral1
Sample: SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe
Resource: win7-20240215-en
General

Target: SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe
Size: 22.7MB
MD5: bfc65ce21e22544286826e26a5ec45ef
SHA1: e27dc55c11a9b10ca3966f1f7fec14e064c7d717
SHA256: dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb
SHA512: 9866b4573795264972abf7c31f7056cdc17edc4c249fba487a0c583866991cc168ecb2e8e95c6ed2bb3f9e31bd4f485ae7264e7d555dcccf573417b1b50fc7b3
SSDEEP: 393216:4CniWcrE+N29tz2cDhctoqfv42GhoxAq8kZ/Pnin2um6h/rhg03X1nqW4A0ySQyG:fniWc4+N8tkv42GhoxAcs/rhtXdN4wp
Malware Config
Signatures

YARA rule match (cryptone)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe | cryptone
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe | cryptone
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\Flash32_29_0_0_171.ocx | cryptone
Note: the rule fires on the dropped files, not on the 22.7MB dropper itself; MiniClient.exe is listed twice because two different versions of it were written to that path (see Downloads).

Executes dropped EXE 1 IoCs
Processes:
pid | process
2384 | MiniClient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MiniClient.exe
Note: this is a read of EnableLUA (1 = UAC on), not a write. Registry reads are not logged by Sysmon, so this behaviour is only observable in a sandbox or with ETW registry tracing; it does not itself change UAC state.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
5032 | 2384 | WerFault.exe | MiniClient.exe

Modifies Internet Explorer settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe = "9999" | SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\MiniClient.exe = "9999" | MiniClient.exe
Note: FEATURE_BROWSER_EMULATION is keyed per executable name. Writing 9999 under the process's own image name makes any embedded WebBrowser (MSHTML) control in that process render in IE9 standards mode regardless of !DOCTYPE. Installers that draw their UI in HTML do this routinely, so on its own it is a weak signal; what is notable here is that both the dropper and the dropped MiniClient.exe register themselves from user-writable directories.

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
2740 | SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe
2740 | SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
2384 | MiniClient.exe
2384 | MiniClient.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 2740 wrote to memory of 2384 | 2740 | SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe | MiniClient.exe
PID 2740 wrote to memory of 2384 | 2740 | SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe | MiniClient.exe
PID 2740 wrote to memory of 2384 | 2740 | SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe | MiniClient.exe
Note: all three writes go from the parent (2740) into the child it has just created (2384). CreateProcess itself writes into the new process's address space, so this signature fires on ordinary process creation in this sandbox and does not by itself indicate injection. Injection would show writes into a process the writer did not spawn, or a write followed by CreateRemoteThread or SetThreadContext.
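As an added example (not part of the sandbox report and not the sandbox's own code), the Python below parses registry IoC rows in the flattened "description ioc process" shape shown above and applies the two checks a detection engineer would want from them: which processes set FEATURE_BROWSER_EMULATION for their own image name, and which processes read EnableLUA. The three sample rows are copied from this report; the EMULATION_MODES table holds the values Microsoft documents for that feature. The row grammar (single-space separated, path lazily matched before an optional `= "data"` and the trailing process token) is an assumption about how the page renders the table.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the three registry rows from the report's signature
# tables, copied in the flattened "description ioc process" form shown on
# the page (one row per string, fields separated by single spaces).
SAMPLE_ROWS = [
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MiniClient.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe = "9999" SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\MiniClient.exe = "9999" MiniClient.exe',
]


@dataclass
class RegistryIoc:
    operation: str        # "Key value queried" or "Set value (<type>)"
    key_path: str         # full \REGISTRY\... path, value name included
    data: Optional[str]   # data written; None for a query
    process: str          # image name of the acting process


# Row grammar (assumed): <operation> <path, may contain spaces> [= "<data>"] <process>.
# The path is matched lazily so the optional ' = "..."' and the final process
# token are peeled off the right-hand side.
ROW_RE = re.compile(
    r'^(?P<op>Key value queried|Set value \([a-z]+\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'
    r'\s+(?P<proc>\S+)$'
)


def parse_row(row: str) -> RegistryIoc:
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised IoC row: {row!r}")
    return RegistryIoc(m["op"], m["path"], m["data"], m["proc"])


def parse_rows(rows: List[str]) -> List[RegistryIoc]:
    return [parse_row(r) for r in rows]


FBE_MARKER = "\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\"
ENABLE_LUA_SUFFIX = "\\Policies\\System\\EnableLUA"

# FEATURE_BROWSER_EMULATION values as documented by Microsoft (decimal).
EMULATION_MODES = {
    "11001": "IE11 edge mode regardless of !DOCTYPE",
    "11000": "IE11, !DOCTYPE-dependent",
    "10001": "IE10 standards mode regardless of !DOCTYPE",
    "10000": "IE10, !DOCTYPE-dependent",
    "9999": "IE9 standards mode regardless of !DOCTYPE",
    "9000": "IE9, !DOCTYPE-dependent",
    "8888": "IE8 standards mode regardless of !DOCTYPE",
    "8000": "IE8, !DOCTYPE-dependent",
    "7000": "IE7 standards mode (WebBrowser control default)",
}


def browser_emulation_self_registration(iocs: List[RegistryIoc]):
    """Processes that wrote FEATURE_BROWSER_EMULATION under their *own* image
    name, as both executables in this report do. Returns (process, mode)."""
    hits = []
    for i in iocs:
        if not i.operation.startswith("Set value") or FBE_MARKER not in i.key_path:
            continue
        value_name = i.key_path.rsplit("\\", 1)[1]   # last path component = exe name
        if value_name.lower() == i.process.lower():
            hits.append((i.process, EMULATION_MODES.get(i.data, f"unknown ({i.data})")))
    return hits


def uac_status_queries(iocs: List[RegistryIoc]) -> List[str]:
    """Processes that read EnableLUA. It is a read, so Sysmon registry events
    (create/delete/set/rename) will not show it; a sandbox hooking registry
    queries, as here, is what makes it visible."""
    return [i.process for i in iocs
            if i.operation == "Key value queried" and i.key_path.endswith(ENABLE_LUA_SUFFIX)]


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for proc, mode in browser_emulation_self_registration(parsed):
        print(f"{proc}: registers itself for {mode}")
    print("EnableLUA queried by:", uac_status_queries(parsed))
```

The self-registration check is deliberately narrow: a process writing the key for a different executable name (an installer configuring the product it installs) is not flagged, which keeps the rule usable for correlation rather than as a stand-alone alert.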
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe (pid 2740)
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe"
   - Modifies Internet Explorer settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe (pid 2384)
      Command line: C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 2232
         - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2384 -ip 2384
Network
Downloads

C:\Users\Admin\AppData\Local\Temp\GH_38D3.tmp
Filesize: 893B
MD5: 388aa031ce9226133d436591bf387a1c
SHA1: 87de6709cafd46ca946a784dfe57811aa20ca02b
SHA256: cf8be59a9eb914c8248ab07bafdd3ecc45cec0e2206dd093673029c324d4a505
SHA512: 945a256376dbc28f8b7dc37ec36b0279d45baee265497fc9eff9dcc558023880ee30e24c5433240d3926672114afd53e3cc44c324210249cfffd4d5aa329b8a3

C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\Flash32_29_0_0_171.ocx
Filesize: 3.6MB
MD5: cafb42ca54e905004d82e4b874336020
SHA1: 677847af00d5c29434110f951427cce27449c7b9
SHA256: b05cbd2356c15ebd0229948756c5f80366cd94e38cf5f67f1ebb3a3c220552af
SHA512: 22161d9786ac9ab5516aa862d96e56c85d230d1d1debf3ad27daa72534b23f4ebb7e4bf58b54e363194827c6e3478f2988dbe5961ef631e10d18a030f760e394

C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
Filesize: 4.8MB
MD5: b80a2c21fc5dcbc874d9c5a1da38d59d
SHA1: 3b0a4e1f10fa69d2a29fd057471156fc8e439dcc
SHA256: e47119edd7032aea344f84da6f15a62136f979362c7ff5282c64f6b427f8c77c
SHA512: 59be185657aba9d95c3c2edd62d8e7a870dda0c324bcc6f8070d0e192f1e2c4b93baeeb49d3ba72b505b5aa5bd534432ea9082c245dc2697e0b0739aa8d88f10

C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
Filesize: 4.2MB
MD5: a333c4bd3468784bb40ad44212f5e9dd
SHA1: c3dfa34797c194f5558c522c5d792621acf55acd
SHA256: e8fc3a3edbea84584324cc32d4cfdbe20e4608b83dfbb2e515c758631eeab36b
SHA512: b3405a3865ee6b1a3a5aa0bcbf1116b9b27f63e09a9861f0a11e121ccf9c39955fe1e080e298fa1a9b2d89090ad5df5426641f5b6116859bd76f1db6d26a4f48
Note: the same MiniClient.exe path appears twice with different sizes and hashes, so two distinct files were written to it during the run. When hunting, match on both hash sets; the report does not state which version remained on disk at the end.

C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\cfg.ini
Filesize: 167B
MD5: 83ca3a223ff85522bb7089f88f7b10d0
SHA1: ab86a3dda4471691c1e7292f0449aad321cd2dc9
SHA256: 00a4a5549ac1d4675e63394991d949d21bebebd0bd3dc56b822bf156a1d9bc88
SHA512: 291ae1f0a23f00aee2e333d531b6a8bb7d26c0306af551832aae7b90a04a43b54bd9f8edf6114a7666f09d8fc0395c30d8657150397bac35d4bad94b5efd91cd

memory/2384-27-0x0000000002390000-0x0000000002391000-memory.dmp
Filesize: 4KB

memory/2740-4-0x0000000004780000-0x0000000004781000-memory.dmp
Filesize: 4KB