02358ba4720c5de7691c9fb71e0cfa437f1c1bc0e856d9a207de563bb6b62b8a

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc0ee3e54b30159aba15019a51197300.exe
Size

76KB
MD5

bc0ee3e54b30159aba15019a51197300
SHA1

b02627317e03b6c669922fccc42ff4eb9da95d1a
SHA256

02358ba4720c5de7691c9fb71e0cfa437f1c1bc0e856d9a207de563bb6b62b8a
SHA512

20b4d6ca2284a52b6198a4ae0699756599503aa41a079de4df4838882dd148b106a78de660e120abf0e586f18be437d32e0084be89dc4c6033450ad75d5bb798
SSDEEP

1536:yy6h6NL247EJlU5IB99muEO40sW9qazlShlq4Se:2hU24uWCB99muEh0sW9nYjq4D

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	myccdd080721a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\ccnhh = "rundll32.exe C:\\Windows\\system32\\mywcc080721.dll bgdll"	myccdd080721a.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	bc0ee3e54b30159aba15019a51197300.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	myccdd080721a.exe

Executes dropped EXE 1 IoCs

pid	Process
2928	myccdd080721a.exe

Loads dropped DLL 1 IoCs

pid	Process
4772	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mywcc080721.dll	bc0ee3e54b30159aba15019a51197300.exe
File created	C:\Windows\SysWOW64\mycgc32.dll	myccdd080721a.exe
File created	C:\Windows\SysWOW64\myccdd080721a.exe	bc0ee3e54b30159aba15019a51197300.exe
File opened for modification	C:\Windows\SysWOW64\myccdd080721a.exe	bc0ee3e54b30159aba15019a51197300.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cc16.ini	bc0ee3e54b30159aba15019a51197300.exe
File opened for modification	C:\Windows\cc16.ini	myccdd080721a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 45 IoCs

Remote System Discovery

T1018

pid	Process
864	PING.EXE
3152	PING.EXE
712	PING.EXE
4664	PING.EXE
1644	PING.EXE
5060	PING.EXE
896	PING.EXE
3088	PING.EXE
992	PING.EXE
4940	PING.EXE
756	PING.EXE
1664	PING.EXE
4444	PING.EXE
3520	PING.EXE
4672	PING.EXE
4616	PING.EXE
2004	PING.EXE
384	PING.EXE
3612	PING.EXE
5116	PING.EXE
3424	PING.EXE
3984	PING.EXE
2428	PING.EXE
756	PING.EXE
5048	PING.EXE
1672	PING.EXE
1896	PING.EXE
736	PING.EXE
4976	PING.EXE
2224	PING.EXE
3840	PING.EXE
1852	PING.EXE
744	PING.EXE
3184	PING.EXE
3692	PING.EXE
3572	PING.EXE
3184	PING.EXE
4284	PING.EXE
2452	PING.EXE
3612	PING.EXE
3532	PING.EXE
2156	PING.EXE
4204	PING.EXE
4636	PING.EXE
2908	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1348	bc0ee3e54b30159aba15019a51197300.exe
1348	bc0ee3e54b30159aba15019a51197300.exe
1348	bc0ee3e54b30159aba15019a51197300.exe
1348	bc0ee3e54b30159aba15019a51197300.exe
2928	myccdd080721a.exe
2928	myccdd080721a.exe
2928	myccdd080721a.exe
2928	myccdd080721a.exe
2928	myccdd080721a.exe
2928	myccdd080721a.exe
2928	myccdd080721a.exe
2928	myccdd080721a.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	bc0ee3e54b30159aba15019a51197300.exe
Token: SeDebugPrivilege	2928	myccdd080721a.exe
Token: SeDebugPrivilege	2928	myccdd080721a.exe
Token: SeDebugPrivilege	2928	myccdd080721a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 4772	1348	bc0ee3e54b30159aba15019a51197300.exe	91
PID 1348 wrote to memory of 4772	1348	bc0ee3e54b30159aba15019a51197300.exe	91
PID 1348 wrote to memory of 4772	1348	bc0ee3e54b30159aba15019a51197300.exe	91
PID 4772 wrote to memory of 2936	4772	rundll32.exe	92
PID 4772 wrote to memory of 2936	4772	rundll32.exe	92
PID 4772 wrote to memory of 2936	4772	rundll32.exe	92
PID 1348 wrote to memory of 1112	1348	bc0ee3e54b30159aba15019a51197300.exe	93
PID 1348 wrote to memory of 1112	1348	bc0ee3e54b30159aba15019a51197300.exe	93
PID 1348 wrote to memory of 1112	1348	bc0ee3e54b30159aba15019a51197300.exe	93
PID 1112 wrote to memory of 4672	1112	cmd.exe	96
PID 1112 wrote to memory of 4672	1112	cmd.exe	96
PID 1112 wrote to memory of 4672	1112	cmd.exe	96
PID 2936 wrote to memory of 2928	2936	cmd.exe	97
PID 2936 wrote to memory of 2928	2936	cmd.exe	97
PID 2936 wrote to memory of 2928	2936	cmd.exe	97
PID 2928 wrote to memory of 400	2928	myccdd080721a.exe	103
PID 2928 wrote to memory of 400	2928	myccdd080721a.exe	103
PID 2928 wrote to memory of 400	2928	myccdd080721a.exe	103
PID 2928 wrote to memory of 3484	2928	myccdd080721a.exe	106
PID 2928 wrote to memory of 3484	2928	myccdd080721a.exe	106
PID 2928 wrote to memory of 3484	2928	myccdd080721a.exe	106
PID 3484 wrote to memory of 4664	3484	cmd.exe	108
PID 3484 wrote to memory of 4664	3484	cmd.exe	108
PID 3484 wrote to memory of 4664	3484	cmd.exe	108
PID 3484 wrote to memory of 3532	3484	cmd.exe	109
PID 3484 wrote to memory of 3532	3484	cmd.exe	109
PID 3484 wrote to memory of 3532	3484	cmd.exe	109
PID 3484 wrote to memory of 5048	3484	cmd.exe	110
PID 3484 wrote to memory of 5048	3484	cmd.exe	110
PID 3484 wrote to memory of 5048	3484	cmd.exe	110
PID 3484 wrote to memory of 4616	3484	cmd.exe	111
PID 3484 wrote to memory of 4616	3484	cmd.exe	111
PID 3484 wrote to memory of 4616	3484	cmd.exe	111
PID 3484 wrote to memory of 744	3484	cmd.exe	112
PID 3484 wrote to memory of 744	3484	cmd.exe	112
PID 3484 wrote to memory of 744	3484	cmd.exe	112
PID 3484 wrote to memory of 3184	3484	cmd.exe	114
PID 3484 wrote to memory of 3184	3484	cmd.exe	114
PID 3484 wrote to memory of 3184	3484	cmd.exe	114
PID 3484 wrote to memory of 5116	3484	cmd.exe	115
PID 3484 wrote to memory of 5116	3484	cmd.exe	115
PID 3484 wrote to memory of 5116	3484	cmd.exe	115
PID 3484 wrote to memory of 1644	3484	cmd.exe	116
PID 3484 wrote to memory of 1644	3484	cmd.exe	116
PID 3484 wrote to memory of 1644	3484	cmd.exe	116
PID 3484 wrote to memory of 5060	3484	cmd.exe	119
PID 3484 wrote to memory of 5060	3484	cmd.exe	119
PID 3484 wrote to memory of 5060	3484	cmd.exe	119
PID 3484 wrote to memory of 1672	3484	cmd.exe	120
PID 3484 wrote to memory of 1672	3484	cmd.exe	120
PID 3484 wrote to memory of 1672	3484	cmd.exe	120
PID 3484 wrote to memory of 1896	3484	cmd.exe	121
PID 3484 wrote to memory of 1896	3484	cmd.exe	121
PID 3484 wrote to memory of 1896	3484	cmd.exe	121
PID 3484 wrote to memory of 896	3484	cmd.exe	122
PID 3484 wrote to memory of 896	3484	cmd.exe	122
PID 3484 wrote to memory of 896	3484	cmd.exe	122
PID 3484 wrote to memory of 3424	3484	cmd.exe	123
PID 3484 wrote to memory of 3424	3484	cmd.exe	123
PID 3484 wrote to memory of 3424	3484	cmd.exe	123
PID 3484 wrote to memory of 3984	3484	cmd.exe	124
PID 3484 wrote to memory of 3984	3484	cmd.exe	124
PID 3484 wrote to memory of 3984	3484	cmd.exe	124
PID 3484 wrote to memory of 3692	3484	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\bc0ee3e54b30159aba15019a51197300.exe
"C:\Users\Admin\AppData\Local\Temp\bc0ee3e54b30159aba15019a51197300.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\mywcc080721.dll bgdll
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\downf.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\myccdd080721a.exe
      "C:\Windows\system32\myccdd080721a.exe" i
      4⤵
      Adds policy Run key to start application
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\program files\internet explorer\iexplore.exe
        
        "C:\program files\internet explorer\iexplore.exe"
        5⤵
        
        PID:400
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4664
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3532
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:5048
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4616
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:744
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3184
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:5116
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1644
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:5060
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1672
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1896
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:896
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3424
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3984
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3692
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3088
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3572
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4284
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:992
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:736
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2452
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2156
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4940
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:864
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3612
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2004
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:756
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3152
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:384
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4204
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4636
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3184
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3612
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2428
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3520
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2908
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1664
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4976
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2224
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3840
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:712
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4444
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:756
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1852
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\myccdd080721a.exe

Filesize
76KB

MD5
bc0ee3e54b30159aba15019a51197300

SHA1
b02627317e03b6c669922fccc42ff4eb9da95d1a

SHA256
02358ba4720c5de7691c9fb71e0cfa437f1c1bc0e856d9a207de563bb6b62b8a

SHA512
20b4d6ca2284a52b6198a4ae0699756599503aa41a079de4df4838882dd148b106a78de660e120abf0e586f18be437d32e0084be89dc4c6033450ad75d5bb798

Download Submit
C:\Windows\SysWOW64\mywcc080721.dll

Filesize
28KB

MD5
868feda0c9c6b32ac94b70fb19493b2b

SHA1
e59b08baa120a6f9b834844c9c2903662676e37c

SHA256
ae44365f29c76a748653f6f698624f7e1d7f6357a0b497833ca70264b1f34fb6

SHA512
7b4ad26f8dcc712cf7876969d489667e2598b92e4ea347f774b9234d5dda4984ad1d5f35572e3d0db4a06d656a16bcbcc18593b82537df04694b844ceedde048

Download Submit
C:\Windows\cc16.ini

Filesize
464B

MD5
8b0ff330d012caa6da471e9f750d65f9

SHA1
c25d96f5304547336729a7f1bfb10d2b6e450cd0

SHA256
445dc64d109e16064980934340c4c8fb0101c1ea861a65d49c71c4ec22fb4c31

SHA512
8b545b9f7d04b2de8615ee3cea6c688ae814bd24e3ccda214a9dc02c026ca51e69117aa6976b0a383f75607c5b3f3f443f556db305224b5cf9ef15e95c9c4905

Download Submit
C:\Windows\cc16.ini

Filesize
150B

MD5
dbda144b8729a84cca62b0f9d57610a7

SHA1
e749ebeedd1b953cf2da7cb6d53ff0b6fafe664b

SHA256
9c976bcf1b873d147c57fe3cfcb53251d2e33d37462124397013bf5204235a7f

SHA512
0c7ae7c802a78f67e12a5d8f1c97370be55f763bfdd1a38b5496f2165e842199031cee6129812f2ebc413a773820c9dc73db18e1d07f88bece36c84b4f3d9d9b

Download Submit
C:\downf.bat

Filesize
51B

MD5
2b724c6a8fcd230311547ed4e1b9d68e

SHA1
10355c1441991688bde91b7c02688f308bf00915

SHA256
3f77676fa2c0553c11b7277adcd2666bba06e22d4ce39f0ff3c3245eff645a0e

SHA512
48215bac2db84c0445d5c4bd80abe13fbdf0f6750c4bad1306a01283362e2e97ab8992be597634b803bd12892c682615c637dcbae36c5441e50fea5346bb374d

Download Submit
\??\c:\nmDelm.bat

Filesize
205B

MD5
5bff33021d707313de7a82ba7c39b336

SHA1
6b45d4473d543e05525ab37fac255b0d534a11f9

SHA256
aab86b798faa1c8e49c78d23aaa7a711362d4056ccc609a9c711d27e0432b3f9

SHA512
c684245b57fcfb50b4c599654e81b3a791cbb37e2ccbf66eb08380418d1145636517fdb096dae2208b9db7aa6641a1f81d0ff1a823101df219737088a061aade

Download Submit
\??\c:\nmDelm.bat

Filesize
139B

MD5
3a1bd2916250a4d03a63c8877a0098be

SHA1
fe761cbb2533906e4a6c5604a79d0c0bf94fd87f

SHA256
8183f9a2b8b37f4a70e5296c85d9fff3cba80a6950314d9900026dfc84a00a9d

SHA512
d1d03acc696e6b660ddb61c217665f5d202907e4548df4e17c92183490a2bc98c3cb9492a1e3aa678a17c5e8096ba05190c02e918aa4ca0123ca6e50e485e849

Download Submit
memory/4772-30-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4772-38-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download