Overview

overview

8

Static

static

3

bcee4702f3...7c.exe

windows7-x64

8

bcee4702f3...7c.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-03-2024 22:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bcee4702f35994eb8cf906876a26f77c.exe

  • Size

    9KB

  • MD5

    bcee4702f35994eb8cf906876a26f77c

  • SHA1

    a28ebe6c97d37dc961f94d2f2493a62bbd5f735a

  • SHA256

    c954ca3d7e795d323b1d79a7032f6e3db74bd8c0d458299acdc3d6357e65af20

  • SHA512

    fd0c7fce86a1020aa929c830cb28108d2680e653116ce1e522f811eb20a517b7f359a6f7a82732cdba2c3066ffffa9175f6cd86cdceeab3127f12156186d3ad6

  • SSDEEP

    192:4DvrTYiNbLr8YiJuht4bI0dUO2Jt3BU27wNUoynV:Gfx8YiK4bKJtG27war

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcee4702f35994eb8cf906876a26f77c.exe
    "C:\Users\Admin\AppData\Local\Temp\bcee4702f35994eb8cf906876a26f77c.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Windows\system32\lncom_.ram"
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4896
    • C:\Windows\SysWOW64\lncom.exe
      "C:\Windows\system32\lncom.exe"
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\SysWOW64\wservice.exe
        C:\Windows\system32\wservice.exe -s
        3⤵
        • Executes dropped EXE
        PID:2404
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BCEE47~1.EXE.bat
      2⤵
        PID:3580

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\BCEE47~1.EXE.bat
      Filesize

      133B

      MD5

      6cc58f9dad714d70916c3504afd56fc5

      SHA1

      15ccbc6d5d1cbf9937ada2231784bee681685c04

      SHA256

      8191f7e3b4776511c9d5025ac3b96a6d9ce4db1b3b9f170c7d4b2db964102f59

      SHA512

      b0a708058a5d0dff018223a5dd49365e22213b0ac552a134e86783f07dc988fc89092dc1f94122fcc1d411c275c36c784543f36675e737ee54132b69f7e350a2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bcee4702f35994eb8cf906876a26f77c.ram
      Filesize

      114B

      MD5

      13c8bd6f1852f9a055d29f64d97ad585

      SHA1

      bfee3efd58e6ce092f8ba70143a1bf12ac974d33

      SHA256

      c7c10e960a6a8a0c08b5492ef93efd72427eae1c173345746ed011e87b589f2c

      SHA512

      24ceccf5aff93c2e82d882d8bc360287e74d220a350fee388e9a16f9622f06dd705f38632e5819664ce2c0dc1d5468b0ad208e5221e510ee4751c7b9457f7944

      Download Submit

    • C:\Windows\SysWOW64\lncom.exe
      Filesize

      5KB

      MD5

      ca6dcb0152df4a9fe0271f65b3033298

      SHA1

      51d7877d5e514d5b9085cb4991fd37e9edd93f18

      SHA256

      6e127ca0c32641a7098fa16dc34a1423942f17aab897c2e75a719ee9f46b0aad

      SHA512

      b7409982483d361dcb21257cde3ab038c2dc2c982ca6d329c4582147237e6cb8f19ffa9ff6d1b3ceec4bed73d48864010c17e0036cbc6332bda42dec3fcd7360

      Download Submit

    • memory/640-14-0x0000000000400000-0x0000000000403000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1180-17-0x0000000000400000-0x0000000000404000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2404-30-0x0000000000400000-0x0000000000403000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4896-37-0x00007FF823620000-0x00007FF823631000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4896-40-0x00007FF8234D0000-0x00007FF8234ED000-memory.dmp

      Filesize

      116KB

      Download

    • memory/4896-34-0x00007FF822CA0000-0x00007FF822F54000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/4896-35-0x00007FF8291E0000-0x00007FF8291F8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4896-36-0x00007FF829090000-0x00007FF8290A7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4896-38-0x00007FF823600000-0x00007FF823617000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4896-32-0x00007FF6A9980000-0x00007FF6A9A78000-memory.dmp

      Filesize

      992KB

      Download

    • memory/4896-39-0x00007FF8234F0000-0x00007FF823501000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4896-41-0x00007FF8234B0000-0x00007FF8234C1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4896-33-0x00007FF823DA0000-0x00007FF823DD4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4896-42-0x00007FF822AA0000-0x00007FF822CA0000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4896-43-0x00007FF813500000-0x00007FF8145AB000-memory.dmp

      Filesize

      16.7MB

      Download

    • memory/4896-44-0x00007FF823470000-0x00007FF8234AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4896-47-0x00007FF823320000-0x00007FF823387000-memory.dmp

      Filesize

      412KB

      Download

    • memory/4896-48-0x00007FF823240000-0x00007FF823257000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4896-46-0x00007FF823450000-0x00007FF823468000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4896-45-0x00007FF823390000-0x00007FF8233B1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4896-77-0x00007FF813500000-0x00007FF8145AB000-memory.dmp

      Filesize

      16.7MB

      Download