d94c18212f6b528c1b2c419d05393f8efcd012c2c1e0e2a0abc33de0937fb84b

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc13b97d581d8a5a01a44d52d73fcdfa.exe
Size

56KB
MD5

bc13b97d581d8a5a01a44d52d73fcdfa
SHA1

6bb7f2ddc069ca127b8ab9ce51e9dda0a6575752
SHA256

d94c18212f6b528c1b2c419d05393f8efcd012c2c1e0e2a0abc33de0937fb84b
SHA512

b4de24c98eab1e124b1dbde25d07beabc6f85efb77c3f5cf957b395029a9194b1df6c26dee48f6caa3944c50c55330c0ddc9361e026ab27fe9f9856589e5c4ec
SSDEEP

768:coOjbhlc7sUoQnAz3ppOo0QJSHijv5js/wJJQzGeSXfT+DYwiREEpZFQlGGZc2OS:1OPhlosUoAarDX1JJcgTlEEXFwlu2Nl

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1224	bc13b97d581d8a5a01a44d52d73fcdfa.exe
1224	bc13b97d581d8a5a01a44d52d73fcdfa.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1224	bc13b97d581d8a5a01a44d52d73fcdfa.exe
Token: SeBackupPrivilege	1224	bc13b97d581d8a5a01a44d52d73fcdfa.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2460	1224	bc13b97d581d8a5a01a44d52d73fcdfa.exe	28
PID 1224 wrote to memory of 2460	1224	bc13b97d581d8a5a01a44d52d73fcdfa.exe	28
PID 1224 wrote to memory of 2460	1224	bc13b97d581d8a5a01a44d52d73fcdfa.exe	28
PID 1224 wrote to memory of 2460	1224	bc13b97d581d8a5a01a44d52d73fcdfa.exe	28
PID 1224 wrote to memory of 2460	1224	bc13b97d581d8a5a01a44d52d73fcdfa.exe	28
PID 1224 wrote to memory of 2460	1224	bc13b97d581d8a5a01a44d52d73fcdfa.exe	28
PID 1224 wrote to memory of 2460	1224	bc13b97d581d8a5a01a44d52d73fcdfa.exe	28

C:\Users\Admin\AppData\Local\Temp\bc13b97d581d8a5a01a44d52d73fcdfa.exe
"C:\Users\Admin\AppData\Local\Temp\bc13b97d581d8a5a01a44d52d73fcdfa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\ife.txt "C:\PROGRA~1\INTERN~1\ieframe.dll" /a
  2⤵
  - Drops file in Program Files directory
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ife.txt

Filesize
19.6MB

MD5
2d6ed0d30c76f5cb41bd92158ff355fa

SHA1
2a6924eb69628e8b3c06431777795f28f385d7f3

SHA256
2ec5968f8de972eda2a80fa52bdc49ec2439f6d1ca067eb82dbc3a9137517040

SHA512
4b241d3865e76d6a1451ed636e4292993a9dd167fde625b4c730aedf593fc008420338e86e5da9a02d264cd52b3857b844796dd144e26e0f33969db4b421c779

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4BB2.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4BB2.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit