Overview

overview

8

Static

static

3

bc0ee3e54b...00.exe

windows7-x64

8

bc0ee3e54b...00.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09-03-2024 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc0ee3e54b30159aba15019a51197300.exe

  • Size

    76KB

  • MD5

    bc0ee3e54b30159aba15019a51197300

  • SHA1

    b02627317e03b6c669922fccc42ff4eb9da95d1a

  • SHA256

    02358ba4720c5de7691c9fb71e0cfa437f1c1bc0e856d9a207de563bb6b62b8a

  • SHA512

    20b4d6ca2284a52b6198a4ae0699756599503aa41a079de4df4838882dd148b106a78de660e120abf0e586f18be437d32e0084be89dc4c6033450ad75d5bb798

  • SSDEEP

    1536:yy6h6NL247EJlU5IB99muEO40sW9qazlShlq4Se:2hU24uWCB99muEh0sW9nYjq4D

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc0ee3e54b30159aba15019a51197300.exe
    "C:\Users\Admin\AppData\Local\Temp\bc0ee3e54b30159aba15019a51197300.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system32\mywcc080721.dll bgdll
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\downf.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\myccdd080721a.exe
          "C:\Windows\system32\myccdd080721a.exe" i
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2944
          • C:\program files\internet explorer\iexplore.exe
            "C:\program files\internet explorer\iexplore.exe"
            5⤵
              PID:2912
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2608
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2424
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2656
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2644
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2348
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1120
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:592
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1872
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:368
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1084
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:296
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2104
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2080
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1160
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2852
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1480
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2336
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1192
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1176
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2108
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1976
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2624
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1952
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:796
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1776
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2076
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1484
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2012
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2152
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2628
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:3056
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1964
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2592
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2476
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2552
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2512
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2800
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2720
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2488
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1576
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2780
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2644
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2348
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:1120
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:676
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2492

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\mywcc080721.dll
      Filesize

      28KB

      MD5

      868feda0c9c6b32ac94b70fb19493b2b

      SHA1

      e59b08baa120a6f9b834844c9c2903662676e37c

      SHA256

      ae44365f29c76a748653f6f698624f7e1d7f6357a0b497833ca70264b1f34fb6

      SHA512

      7b4ad26f8dcc712cf7876969d489667e2598b92e4ea347f774b9234d5dda4984ad1d5f35572e3d0db4a06d656a16bcbcc18593b82537df04694b844ceedde048

      Download Submit

    • C:\Windows\cc16.ini
      Filesize

      150B

      MD5

      dbda144b8729a84cca62b0f9d57610a7

      SHA1

      e749ebeedd1b953cf2da7cb6d53ff0b6fafe664b

      SHA256

      9c976bcf1b873d147c57fe3cfcb53251d2e33d37462124397013bf5204235a7f

      SHA512

      0c7ae7c802a78f67e12a5d8f1c97370be55f763bfdd1a38b5496f2165e842199031cee6129812f2ebc413a773820c9dc73db18e1d07f88bece36c84b4f3d9d9b

      Download Submit

    • C:\Windows\cc16.ini
      Filesize

      464B

      MD5

      6d7db58a61521c290d6b60d77c25f111

      SHA1

      1fe6a4ca70fceb51d386741b24a6598030608c22

      SHA256

      53b7dca678be481311ef20046bdf94f8e752d716a6f686bc5bd451035c2baf29

      SHA512

      a7e42d2b44d402a65aedb097241b0e5e65b8f62366f85a1e9f2e5e20ec712508e908447214bd4be0e89294e0393a84c0ebfadc04c3d3ba6a1106d10533c654ec

      Download Submit

    • C:\Windows\cc16.ini
      Filesize

      100B

      MD5

      36888a58fe1d0618d7287ef7e9fe862a

      SHA1

      cddc15f071551915323d67fba5d2795e05d9b717

      SHA256

      aaff21ae1363afd82c3e390b6a08fa524e44e50f1021cece1d1b173bf983903e

      SHA512

      d26c08e0856a6ba065c23d2d15201a8f254a19dc3c6b23af9118e65c5fa22345ed911ed18190ee3466f54629331b9119cb8e581898e753a284fc1ae46d02bf37

      Download Submit

    • C:\downf.bat
      Filesize

      51B

      MD5

      2b724c6a8fcd230311547ed4e1b9d68e

      SHA1

      10355c1441991688bde91b7c02688f308bf00915

      SHA256

      3f77676fa2c0553c11b7277adcd2666bba06e22d4ce39f0ff3c3245eff645a0e

      SHA512

      48215bac2db84c0445d5c4bd80abe13fbdf0f6750c4bad1306a01283362e2e97ab8992be597634b803bd12892c682615c637dcbae36c5441e50fea5346bb374d

      Download Submit

    • \??\c:\nmDelm.bat
      Filesize

      139B

      MD5

      3a1bd2916250a4d03a63c8877a0098be

      SHA1

      fe761cbb2533906e4a6c5604a79d0c0bf94fd87f

      SHA256

      8183f9a2b8b37f4a70e5296c85d9fff3cba80a6950314d9900026dfc84a00a9d

      SHA512

      d1d03acc696e6b660ddb61c217665f5d202907e4548df4e17c92183490a2bc98c3cb9492a1e3aa678a17c5e8096ba05190c02e918aa4ca0123ca6e50e485e849

      Download Submit

    • \??\c:\nmDelm.bat
      Filesize

      205B

      MD5

      5bff33021d707313de7a82ba7c39b336

      SHA1

      6b45d4473d543e05525ab37fac255b0d534a11f9

      SHA256

      aab86b798faa1c8e49c78d23aaa7a711362d4056ccc609a9c711d27e0432b3f9

      SHA512

      c684245b57fcfb50b4c599654e81b3a791cbb37e2ccbf66eb08380418d1145636517fdb096dae2208b9db7aa6641a1f81d0ff1a823101df219737088a061aade

      Download Submit

    • \Windows\SysWOW64\myccdd080721a.exe
      Filesize

      76KB

      MD5

      bc0ee3e54b30159aba15019a51197300

      SHA1

      b02627317e03b6c669922fccc42ff4eb9da95d1a

      SHA256

      02358ba4720c5de7691c9fb71e0cfa437f1c1bc0e856d9a207de563bb6b62b8a

      SHA512

      20b4d6ca2284a52b6198a4ae0699756599503aa41a079de4df4838882dd148b106a78de660e120abf0e586f18be437d32e0084be89dc4c6033450ad75d5bb798

      Download Submit

    • memory/2968-19-0x0000000000140000-0x000000000014D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2968-40-0x0000000000140000-0x000000000014D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2968-48-0x0000000000140000-0x000000000014D000-memory.dmp

      Filesize

      52KB

      Download