02358ba4720c5de7691c9fb71e0cfa437f1c1bc0e856d9a207de563bb6b62b8a

Analysis

max time kernel
152s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 14:38 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc0ee3e54b30159aba15019a51197300.exe
Size

76KB
MD5

bc0ee3e54b30159aba15019a51197300
SHA1

b02627317e03b6c669922fccc42ff4eb9da95d1a
SHA256

02358ba4720c5de7691c9fb71e0cfa437f1c1bc0e856d9a207de563bb6b62b8a
SHA512

20b4d6ca2284a52b6198a4ae0699756599503aa41a079de4df4838882dd148b106a78de660e120abf0e586f18be437d32e0084be89dc4c6033450ad75d5bb798
SSDEEP

1536:yy6h6NL247EJlU5IB99muEO40sW9qazlShlq4Se:2hU24uWCB99muEh0sW9nYjq4D

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	myccdd080721a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\ccnhh = "rundll32.exe C:\\Windows\\system32\\mywcc080721.dll bgdll"	myccdd080721a.exe

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2944	myccdd080721a.exe

Loads dropped DLL 6 IoCs

pid	Process
2968	rundll32.exe
2968	rundll32.exe
2968	rundll32.exe
2968	rundll32.exe
2996	cmd.exe
2996	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\myccdd080721a.exe	bc0ee3e54b30159aba15019a51197300.exe
File opened for modification	C:\Windows\SysWOW64\myccdd080721a.exe	bc0ee3e54b30159aba15019a51197300.exe
File created	C:\Windows\SysWOW64\mywcc080721.dll	bc0ee3e54b30159aba15019a51197300.exe
File created	C:\Windows\SysWOW64\mycgc32.dll	myccdd080721a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cc16.ini	bc0ee3e54b30159aba15019a51197300.exe
File opened for modification	C:\Windows\cc16.ini	myccdd080721a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 45 IoCs

Remote System Discovery

T1018

pid	Process
1576	PING.EXE
2780	PING.EXE
2424	PING.EXE
1120	PING.EXE
368	PING.EXE
1084	PING.EXE
1484	PING.EXE
2476	PING.EXE
2552	PING.EXE
2512	PING.EXE
296	PING.EXE
2080	PING.EXE
1480	PING.EXE
2108	PING.EXE
1976	PING.EXE
2592	PING.EXE
2104	PING.EXE
1192	PING.EXE
1952	PING.EXE
2152	PING.EXE
2644	PING.EXE
2348	PING.EXE
2348	PING.EXE
592	PING.EXE
2720	PING.EXE
2656	PING.EXE
1872	PING.EXE
1160	PING.EXE
2012	PING.EXE
3056	PING.EXE
2488	PING.EXE
676	PING.EXE
2492	PING.EXE
2644	PING.EXE
2852	PING.EXE
2076	PING.EXE
2628	PING.EXE
2800	PING.EXE
1776	PING.EXE
1964	PING.EXE
1120	PING.EXE
2336	PING.EXE
1176	PING.EXE
2624	PING.EXE
796	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3012	bc0ee3e54b30159aba15019a51197300.exe
3012	bc0ee3e54b30159aba15019a51197300.exe
2944	myccdd080721a.exe
2944	myccdd080721a.exe
2944	myccdd080721a.exe
2944	myccdd080721a.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	bc0ee3e54b30159aba15019a51197300.exe
Token: SeDebugPrivilege	2944	myccdd080721a.exe
Token: SeDebugPrivilege	2944	myccdd080721a.exe
Token: SeDebugPrivilege	2944	myccdd080721a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2968	3012	bc0ee3e54b30159aba15019a51197300.exe	28
PID 3012 wrote to memory of 2968	3012	bc0ee3e54b30159aba15019a51197300.exe	28
PID 3012 wrote to memory of 2968	3012	bc0ee3e54b30159aba15019a51197300.exe	28
PID 3012 wrote to memory of 2968	3012	bc0ee3e54b30159aba15019a51197300.exe	28
PID 3012 wrote to memory of 2968	3012	bc0ee3e54b30159aba15019a51197300.exe	28
PID 3012 wrote to memory of 2968	3012	bc0ee3e54b30159aba15019a51197300.exe	28
PID 3012 wrote to memory of 2968	3012	bc0ee3e54b30159aba15019a51197300.exe	28
PID 2968 wrote to memory of 2996	2968	rundll32.exe	29
PID 2968 wrote to memory of 2996	2968	rundll32.exe	29
PID 2968 wrote to memory of 2996	2968	rundll32.exe	29
PID 2968 wrote to memory of 2996	2968	rundll32.exe	29
PID 3012 wrote to memory of 2632	3012	bc0ee3e54b30159aba15019a51197300.exe	31
PID 3012 wrote to memory of 2632	3012	bc0ee3e54b30159aba15019a51197300.exe	31
PID 3012 wrote to memory of 2632	3012	bc0ee3e54b30159aba15019a51197300.exe	31
PID 3012 wrote to memory of 2632	3012	bc0ee3e54b30159aba15019a51197300.exe	31
PID 2996 wrote to memory of 2944	2996	cmd.exe	33
PID 2996 wrote to memory of 2944	2996	cmd.exe	33
PID 2996 wrote to memory of 2944	2996	cmd.exe	33
PID 2996 wrote to memory of 2944	2996	cmd.exe	33
PID 2632 wrote to memory of 2492	2632	cmd.exe	34
PID 2632 wrote to memory of 2492	2632	cmd.exe	34
PID 2632 wrote to memory of 2492	2632	cmd.exe	34
PID 2632 wrote to memory of 2492	2632	cmd.exe	34
PID 2944 wrote to memory of 2912	2944	myccdd080721a.exe	35
PID 2944 wrote to memory of 2912	2944	myccdd080721a.exe	35
PID 2944 wrote to memory of 2912	2944	myccdd080721a.exe	35
PID 2944 wrote to memory of 2912	2944	myccdd080721a.exe	35
PID 2944 wrote to memory of 2912	2944	myccdd080721a.exe	35
PID 2944 wrote to memory of 2608	2944	myccdd080721a.exe	36
PID 2944 wrote to memory of 2608	2944	myccdd080721a.exe	36
PID 2944 wrote to memory of 2608	2944	myccdd080721a.exe	36
PID 2944 wrote to memory of 2608	2944	myccdd080721a.exe	36
PID 2608 wrote to memory of 2424	2608	cmd.exe	38
PID 2608 wrote to memory of 2424	2608	cmd.exe	38
PID 2608 wrote to memory of 2424	2608	cmd.exe	38
PID 2608 wrote to memory of 2424	2608	cmd.exe	38
PID 2608 wrote to memory of 2656	2608	cmd.exe	39
PID 2608 wrote to memory of 2656	2608	cmd.exe	39
PID 2608 wrote to memory of 2656	2608	cmd.exe	39
PID 2608 wrote to memory of 2656	2608	cmd.exe	39
PID 2608 wrote to memory of 2644	2608	cmd.exe	40
PID 2608 wrote to memory of 2644	2608	cmd.exe	40
PID 2608 wrote to memory of 2644	2608	cmd.exe	40
PID 2608 wrote to memory of 2644	2608	cmd.exe	40
PID 2608 wrote to memory of 2348	2608	cmd.exe	41
PID 2608 wrote to memory of 2348	2608	cmd.exe	41
PID 2608 wrote to memory of 2348	2608	cmd.exe	41
PID 2608 wrote to memory of 2348	2608	cmd.exe	41
PID 2608 wrote to memory of 1120	2608	cmd.exe	42
PID 2608 wrote to memory of 1120	2608	cmd.exe	42
PID 2608 wrote to memory of 1120	2608	cmd.exe	42
PID 2608 wrote to memory of 1120	2608	cmd.exe	42
PID 2608 wrote to memory of 592	2608	cmd.exe	45
PID 2608 wrote to memory of 592	2608	cmd.exe	45
PID 2608 wrote to memory of 592	2608	cmd.exe	45
PID 2608 wrote to memory of 592	2608	cmd.exe	45
PID 2608 wrote to memory of 1872	2608	cmd.exe	46
PID 2608 wrote to memory of 1872	2608	cmd.exe	46
PID 2608 wrote to memory of 1872	2608	cmd.exe	46
PID 2608 wrote to memory of 1872	2608	cmd.exe	46
PID 2608 wrote to memory of 368	2608	cmd.exe	47
PID 2608 wrote to memory of 368	2608	cmd.exe	47
PID 2608 wrote to memory of 368	2608	cmd.exe	47
PID 2608 wrote to memory of 368	2608	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\bc0ee3e54b30159aba15019a51197300.exe
"C:\Users\Admin\AppData\Local\Temp\bc0ee3e54b30159aba15019a51197300.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\mywcc080721.dll bgdll
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\downf.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\myccdd080721a.exe
      "C:\Windows\system32\myccdd080721a.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\program files\internet explorer\iexplore.exe
        
        "C:\program files\internet explorer\iexplore.exe"
        5⤵
        
        PID:2912
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2424
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2656
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2644
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2348
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1120
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:592
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1872
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:368
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1084
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:296
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2104
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2080
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1160
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2852
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1480
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2336
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1192
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1176
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2108
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1976
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2624
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1952
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:796
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1776
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2076
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1484
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2012
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2152
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2628
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3056
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1964
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2592
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2476
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2552
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2512
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2800
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2720
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2488
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1576
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2780
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2644
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2348
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1120
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mywcc080721.dll

Filesize
28KB

MD5
868feda0c9c6b32ac94b70fb19493b2b

SHA1
e59b08baa120a6f9b834844c9c2903662676e37c

SHA256
ae44365f29c76a748653f6f698624f7e1d7f6357a0b497833ca70264b1f34fb6

SHA512
7b4ad26f8dcc712cf7876969d489667e2598b92e4ea347f774b9234d5dda4984ad1d5f35572e3d0db4a06d656a16bcbcc18593b82537df04694b844ceedde048

Download Submit
C:\Windows\cc16.ini

Filesize
150B

MD5
dbda144b8729a84cca62b0f9d57610a7

SHA1
e749ebeedd1b953cf2da7cb6d53ff0b6fafe664b

SHA256
9c976bcf1b873d147c57fe3cfcb53251d2e33d37462124397013bf5204235a7f

SHA512
0c7ae7c802a78f67e12a5d8f1c97370be55f763bfdd1a38b5496f2165e842199031cee6129812f2ebc413a773820c9dc73db18e1d07f88bece36c84b4f3d9d9b

Download Submit
C:\Windows\cc16.ini

Filesize
464B

MD5
6d7db58a61521c290d6b60d77c25f111

SHA1
1fe6a4ca70fceb51d386741b24a6598030608c22

SHA256
53b7dca678be481311ef20046bdf94f8e752d716a6f686bc5bd451035c2baf29

SHA512
a7e42d2b44d402a65aedb097241b0e5e65b8f62366f85a1e9f2e5e20ec712508e908447214bd4be0e89294e0393a84c0ebfadc04c3d3ba6a1106d10533c654ec

Download Submit
C:\Windows\cc16.ini

Filesize
100B

MD5
36888a58fe1d0618d7287ef7e9fe862a

SHA1
cddc15f071551915323d67fba5d2795e05d9b717

SHA256
aaff21ae1363afd82c3e390b6a08fa524e44e50f1021cece1d1b173bf983903e

SHA512
d26c08e0856a6ba065c23d2d15201a8f254a19dc3c6b23af9118e65c5fa22345ed911ed18190ee3466f54629331b9119cb8e581898e753a284fc1ae46d02bf37

Download Submit
C:\downf.bat

Filesize
51B

MD5
2b724c6a8fcd230311547ed4e1b9d68e

SHA1
10355c1441991688bde91b7c02688f308bf00915

SHA256
3f77676fa2c0553c11b7277adcd2666bba06e22d4ce39f0ff3c3245eff645a0e

SHA512
48215bac2db84c0445d5c4bd80abe13fbdf0f6750c4bad1306a01283362e2e97ab8992be597634b803bd12892c682615c637dcbae36c5441e50fea5346bb374d

Download Submit
\??\c:\nmDelm.bat

Filesize
139B

MD5
3a1bd2916250a4d03a63c8877a0098be

SHA1
fe761cbb2533906e4a6c5604a79d0c0bf94fd87f

SHA256
8183f9a2b8b37f4a70e5296c85d9fff3cba80a6950314d9900026dfc84a00a9d

SHA512
d1d03acc696e6b660ddb61c217665f5d202907e4548df4e17c92183490a2bc98c3cb9492a1e3aa678a17c5e8096ba05190c02e918aa4ca0123ca6e50e485e849

Download Submit
\??\c:\nmDelm.bat

Filesize
205B

MD5
5bff33021d707313de7a82ba7c39b336

SHA1
6b45d4473d543e05525ab37fac255b0d534a11f9

SHA256
aab86b798faa1c8e49c78d23aaa7a711362d4056ccc609a9c711d27e0432b3f9

SHA512
c684245b57fcfb50b4c599654e81b3a791cbb37e2ccbf66eb08380418d1145636517fdb096dae2208b9db7aa6641a1f81d0ff1a823101df219737088a061aade

Download Submit
\Windows\SysWOW64\myccdd080721a.exe

Filesize
76KB

MD5
bc0ee3e54b30159aba15019a51197300

SHA1
b02627317e03b6c669922fccc42ff4eb9da95d1a

SHA256
02358ba4720c5de7691c9fb71e0cfa437f1c1bc0e856d9a207de563bb6b62b8a

SHA512
20b4d6ca2284a52b6198a4ae0699756599503aa41a079de4df4838882dd148b106a78de660e120abf0e586f18be437d32e0084be89dc4c6033450ad75d5bb798

Download Submit
memory/2968-19-0x0000000000140000-0x000000000014D000-memory.dmp

Filesize
52KB

Download
memory/2968-40-0x0000000000140000-0x000000000014D000-memory.dmp

Filesize
52KB

Download
memory/2968-48-0x0000000000140000-0x000000000014D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.