2bc149a0d7164bd2f0afdd36431c53162fa20ce0bf356b6e4bf58417e50671f0

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc001e28803d83163a5edc5e1c572003.exe
Size

43KB
MD5

bc001e28803d83163a5edc5e1c572003
SHA1

1736ac572c65d02db9427fa5b708c47e82ab305f
SHA256

2bc149a0d7164bd2f0afdd36431c53162fa20ce0bf356b6e4bf58417e50671f0
SHA512

30521f344e0c0f1852976de95652916a0ac1f796b8d9f842caff68548f1f6d38cd6499b79f39875bdc6bf9af8770eeccdbb858db0fe956c6016936a7928a47f2
SSDEEP

768:OH/nTiJhjhEN91375raQfxa2+zqa4n4Lgq:m/nTiNu1traQfxanzKn4Eq

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	bc001e28803d83163a5edc5e1c572003.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "services.exe"	bc001e28803d83163a5edc5e1c572003.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	~259432486.ext

Loads dropped DLL 2 IoCs

pid	Process
2104	bc001e28803d83163a5edc5e1c572003.exe
2104	bc001e28803d83163a5edc5e1c572003.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2104	bc001e28803d83163a5edc5e1c572003.exe
2104	bc001e28803d83163a5edc5e1c572003.exe
2104	bc001e28803d83163a5edc5e1c572003.exe
2104	bc001e28803d83163a5edc5e1c572003.exe
2104	bc001e28803d83163a5edc5e1c572003.exe
2104	bc001e28803d83163a5edc5e1c572003.exe
2104	bc001e28803d83163a5edc5e1c572003.exe
2104	bc001e28803d83163a5edc5e1c572003.exe
2104	bc001e28803d83163a5edc5e1c572003.exe
2104	bc001e28803d83163a5edc5e1c572003.exe
2688	~259432486.ext
2688	~259432486.ext
2688	~259432486.ext
2688	~259432486.ext
2688	~259432486.ext

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	bc001e28803d83163a5edc5e1c572003.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2584	2104	bc001e28803d83163a5edc5e1c572003.exe	28
PID 2104 wrote to memory of 2584	2104	bc001e28803d83163a5edc5e1c572003.exe	28
PID 2104 wrote to memory of 2584	2104	bc001e28803d83163a5edc5e1c572003.exe	28
PID 2104 wrote to memory of 2584	2104	bc001e28803d83163a5edc5e1c572003.exe	28
PID 2104 wrote to memory of 2688	2104	bc001e28803d83163a5edc5e1c572003.exe	30
PID 2104 wrote to memory of 2688	2104	bc001e28803d83163a5edc5e1c572003.exe	30
PID 2104 wrote to memory of 2688	2104	bc001e28803d83163a5edc5e1c572003.exe	30
PID 2104 wrote to memory of 2688	2104	bc001e28803d83163a5edc5e1c572003.exe	30
PID 2688 wrote to memory of 2576	2688	~259432486.ext	31
PID 2688 wrote to memory of 2576	2688	~259432486.ext	31
PID 2688 wrote to memory of 2576	2688	~259432486.ext	31
PID 2688 wrote to memory of 2576	2688	~259432486.ext	31

C:\Users\Admin\AppData\Local\Temp\bc001e28803d83163a5edc5e1c572003.exe
"C:\Users\Admin\AppData\Local\Temp\bc001e28803d83163a5edc5e1c572003.exe"
1⤵
- Sets file execution options in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd
  2⤵
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\~259432486.ext
  C:\Users\Admin\AppData\Local\Temp\~259432486.ext
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\~259432486.ext

Filesize
7KB

MD5
3c42f41a9b816bb3c1a870e44cdf90ee

SHA1
9d70f68735946d30129c16d59af201319d1c2dfd

SHA256
c2c6cc79dc8f2e37502b8a1518c4459887413ea37538875264bb6182ae6cdfba

SHA512
17e76105c809819f48726ab32055971aead0d0be19e88910feac9322fb06469d28fb1e71a8cdaab6bf696438d34e023bf7333e4bd808641dd42defb32f8e813e

Download Submit