Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/03/2024, 14:50
Static task: static1
Behavioral task: behavioral1
  Sample: bc13b97d581d8a5a01a44d52d73fcdfa.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bc13b97d581d8a5a01a44d52d73fcdfa.exe
  Resource: win10v2004-20240226-en
General
Target: bc13b97d581d8a5a01a44d52d73fcdfa.exe
Size: 56KB
MD5: bc13b97d581d8a5a01a44d52d73fcdfa
SHA1: 6bb7f2ddc069ca127b8ab9ce51e9dda0a6575752
SHA256: d94c18212f6b528c1b2c419d05393f8efcd012c2c1e0e2a0abc33de0937fb84b
SHA512: b4de24c98eab1e124b1dbde25d07beabc6f85efb77c3f5cf957b395029a9194b1df6c26dee48f6caa3944c50c55330c0ddc9361e026ab27fe9f9856589e5c4ec
SSDEEP: 768:coOjbhlc7sUoQnAz3ppOo0QJSHijv5js/wJJQzGeSXfT+DYwiREEpZFQlGGZc2OS:1OPhlosUoAarDX1JJcgTlEEXFwlu2Nl
Malware Config
Signatures
Loads dropped DLL (2 IoCs)
  pid   Process
  1224  bc13b97d581d8a5a01a44d52d73fcdfa.exe
  1224  bc13b97d581d8a5a01a44d52d73fcdfa.exe

Drops file in Program Files directory (2 IoCs)
  description                   ioc                               Process
  File created                  C:\PROGRA~1\INTERN~1\ieframe.dll  cmd.exe
  File opened for modification  C:\PROGRA~1\INTERN~1\ieframe.dll  cmd.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  1224  bc13b97d581d8a5a01a44d52d73fcdfa.exe
  Token: SeBackupPrivilege   1224  bc13b97d581d8a5a01a44d52d73fcdfa.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   Process                               procid_target
  PID 1224 wrote to memory of 2460  1224  bc13b97d581d8a5a01a44d52d73fcdfa.exe  28
  (identical entry recorded 7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\bc13b97d581d8a5a01a44d52d73fcdfa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc13b97d581d8a5a01a44d52d73fcdfa.exe"
  PID: 1224
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of PID 1224)
    Command line: cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\ife.txt "C:\PROGRA~1\INTERN~1\ieframe.dll" /a
    PID: 2460
    - Drops file in Program Files directory
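The child cmd.exe above is the only write into Program Files in this run: a file from the user's Temp directory is copied over ieframe.dll, and the destination is spelled with 8.3 short names (PROGRA~1\INTERN~1), which defeats a naive string match on "Program Files". The following is an added example of detection logic over process-creation events, not part of the sandbox report. The event records are constructed here in the shape of Sysmon Event ID 1 fields; the first mirrors the command line in the process tree, the other two are benign or borderline controls. The 8.3 expansion table is an assumption: PROGRA~1 and INTERN~1 are the usual aliases on a default install, but short names are assigned per volume at creation time and can differ.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 style). EVENTS[0] mirrors
# the cmd.exe child in the sandbox process tree; the others are controls.
EVENTS = [
    {"pid": 2460, "ppid": 1224,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\bc13b97d581d8a5a01a44d52d73fcdfa.exe",
     "cmdline": r'cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\ife.txt "C:\PROGRA~1\INTERN~1\ieframe.dll" /a'},
    {"pid": 3100, "ppid": 900,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c copy C:\Users\Admin\report.txt "C:\Users\Admin\Documents\report.txt"'},
    {"pid": 3200, "ppid": 900,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c copy C:\Users\Admin\Desktop\helper.dll "C:\Program Files\App\helper.dll"'},
]

# Assumed default 8.3 aliases for the directories involved; a heuristic, not ground truth.
SHORT_NAME_MAP = {
    "PROGRA~1": "Program Files",
    "PROGRA~2": "Program Files (x86)",
    "INTERN~1": "Internet Explorer",
}
PROTECTED_ROOTS = ("program files", "program files (x86)", "windows")
EXECUTABLE_EXTS = {".dll", ".exe", ".ocx", ".sys"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a cmd.exe command line, keeping quoted paths whole and dropping the quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def expand_short_path(path):
    """Expand 8.3 components (PROGRA~1 -> Program Files); also report whether any were present."""
    expanded, had_short = [], False
    for part in PureWindowsPath(path).parts:
        if re.fullmatch(r"[A-Z0-9_$]{1,6}~\d+(\.[A-Z0-9_$]{1,3})?", part.upper()):
            had_short = True
            part = SHORT_NAME_MAP.get(part.upper(), part)
        expanded.append(part)
    return str(PureWindowsPath(*expanded)), had_short


def under_protected_root(path):
    parts = PureWindowsPath(path).parts
    return len(parts) > 1 and parts[1].lower() in PROTECTED_ROOTS


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def parse_copy(cmdline):
    """Return (source, destination, switches) for a 'copy SRC DST [/switches]' command, else None."""
    tokens = tokenize(cmdline)
    lowered = [t.lower() for t in tokens]
    if "copy" not in lowered:
        return None
    args = tokens[lowered.index("copy") + 1:]
    switches = [a.lower() for a in args if a.startswith("/")]
    operands = [a for a in args if not a.startswith("/")]
    if len(operands) < 2:
        return None
    return operands[0], operands[-1], switches


def analyze(event):
    """Return the list of findings for one cmd.exe process-creation event."""
    findings = []
    if not event["image"].lower().endswith("\\cmd.exe"):
        return findings
    parsed = parse_copy(event["cmdline"])
    if parsed is None:
        return findings
    src, dst, switches = parsed
    dst_expanded, used_short = expand_short_path(dst)
    dst_path = PureWindowsPath(dst_expanded)
    is_code = dst_path.suffix.lower() in EXECUTABLE_EXTS
    if used_short:
        findings.append("destination written with 8.3 short names")
    if under_protected_root(dst_expanded):
        findings.append("destination under protected root: " + dst_expanded)
    if is_code:
        findings.append("destination is executable code: " + dst_path.name)
    if in_user_temp(src):
        findings.append("source in user Temp: " + src)
    if in_user_temp(event["parent_image"]):
        findings.append("parent process runs from user Temp")
    if "/a" in switches and is_code:
        findings.append("binary copied in ASCII mode (/a)")
    return findings


def triage(events, threshold=3):
    """Events with at least `threshold` findings, as (pid, findings) pairs."""
    hits = []
    for event in events:
        findings = analyze(event)
        if len(findings) >= threshold:
            hits.append((event["pid"], findings))
    return hits


if __name__ == "__main__":
    for pid, findings in triage(EVENTS):
        print(pid, *findings, sep="\n  ")
```

The threshold keeps a single weak signal (an installer copying a DLL into Program Files) below the alert line, while the sandboxed command trips all six checks. One caveat on the /a switch: cmd's copy treats the source as ASCII text in that mode and stops at the first Ctrl+Z (0x1A) byte, so what lands in ieframe.dll may not be a byte-for-byte copy of ife.txt; the report does not show the resulting file.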
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 19.6MB
  MD5: 2d6ed0d30c76f5cb41bd92158ff355fa
  SHA1: 2a6924eb69628e8b3c06431777795f28f385d7f3
  SHA256: 2ec5968f8de972eda2a80fa52bdc49ec2439f6d1ca067eb82dbc3a9137517040
  SHA512: 4b241d3865e76d6a1451ed636e4292993a9dd167fde625b4c730aedf593fc008420338e86e5da9a02d264cd52b3857b844796dd144e26e0f33969db4b421c779
- Filesize: 6KB
  MD5: e54eb27fb5048964e8d1ec7a1f72334b
  SHA1: 2b76d7aedafd724de96532b00fbc6c7c370e4609
  SHA256: ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824
  SHA512: c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4
- Filesize: 10KB
  MD5: 38977533750fe69979b2c2ac801f96e6
  SHA1: 74643c30cda909e649722ed0c7f267903558e92a
  SHA256: b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
  SHA512: e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53