601eed3a9c30f193cacbb575774b6e97f689f3de925043abd67ec5b2daabe0dd

General

Target

bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
Size

169KB
MD5

bc3c5ef1f273c9cf85ee33f2301fd8a2
SHA1

7d85f0c59b1fc3d9a6228e2569af7d955ef8ae6c
SHA256

601eed3a9c30f193cacbb575774b6e97f689f3de925043abd67ec5b2daabe0dd
SHA512

2988f919f04d27312636bc9f4f1e6413070136db283a16ad067d5b6f1ee96fafb29060846f4644db9277d37ea631c8adc95f28456e52c929bdc5001e7e6d1c24
SSDEEP

3072:fxHO3jT5823suijFBLJOA0aAWlEhlVYkM0og+K+s8ZXtI2RmpelUTk:fxeT5823k3YAjlUFM0og6sMqAmA

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

serversqlceoledb.exeofficeodffilt.exechromeminiinstaller106.0.5249.119.exewindowsbetriebssystemmsdaremr6.1.7600.163857.0907131255.exe

pid	process
1456	serversqlceoledb.exe
1452	officeodffilt.exe
556	chromeminiinstaller106.0.5249.119.exe
564	windowsbetriebssystemmsdaremr6.1.7600.163857.0907131255.exe

Loads dropped DLL 10 IoCs

Processes:

bc3c5ef1f273c9cf85ee33f2301fd8a2.exechromeminiinstaller106.0.5249.119.exe

pid	process
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
556	chromeminiinstaller106.0.5249.119.exe
556	chromeminiinstaller106.0.5249.119.exe
556	chromeminiinstaller106.0.5249.119.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Openodffilt = "c:\\program files (x86)\\common files\\microsoft shared\\filters\\officeodffilt.exe"	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\HelpMicrosoft = "c:\\program files (x86)\\common files\\microsoft shared\\help\\1028\\helpmicrosoft.exe"	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\EngineSource = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bc3c5ef1f273c9cf85ee33f2301fd8a2.exe"	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices"	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Chromeminiinstaller106.0.5249.119 = "c:\\program files (x86)\\google\\update\\download\\{8a69d345-d564-463c-aff1-a69d9e530f96}\\106.0.5249.119\\chromeminiinstaller106.0.5249.119.exe"	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SQLCECASQLCEOLEDB = "c:\\program files (x86)\\microsoft sql server compact edition\\v3.5\\serversqlceoledb.exe"	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HXDSUIMicrosoft = "c:\\program files (x86)\\common files\\microsoft shared\\help\\2052\\hxdsuimicrosoft.exe"	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\msadcermsdaremr6.1.7600.16385 = "c:\\program files (x86)\\common files\\system\\msadc\\de-de\\windowsbetriebssystemmsdaremr6.1.7600.163857.0907131255.exe"	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EngineOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bc3c5ef1f273c9cf85ee33f2301fd8a2.exe"	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

Drops file in System32 directory 5 IoCs

Processes:

bc3c5ef1f273c9cf85ee33f2301fd8a2.exeserversqlceoledb.exeofficeodffilt.exechromeminiinstaller106.0.5249.119.exewindowsbetriebssystemmsdaremr6.1.7600.163857.0907131255.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	serversqlceoledb.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	officeodffilt.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	chromeminiinstaller106.0.5249.119.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	windowsbetriebssystemmsdaremr6.1.7600.163857.0907131255.exe

Drops file in Program Files directory 7 IoCs

Processes:

bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\HelpMicrosoft.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\HXDSUIMicrosoft.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Filters\Officeodffilt.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\de-DE\WindowsBetriebssystemmsdaremr6.1.7600.163857.0907131255.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\Chromeminiinstaller106.0.5249.119.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\Chromeminiinstaller106.0.5249.119.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\ServerSQLCEOLEDB.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

pid	process
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

description	pid	process	target process
PID 1844 wrote to memory of 1456	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	serversqlceoledb.exe
PID 1844 wrote to memory of 1456	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	serversqlceoledb.exe
PID 1844 wrote to memory of 1456	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	serversqlceoledb.exe
PID 1844 wrote to memory of 1456	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	serversqlceoledb.exe
PID 1844 wrote to memory of 1452	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	officeodffilt.exe
PID 1844 wrote to memory of 1452	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	officeodffilt.exe
PID 1844 wrote to memory of 1452	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	officeodffilt.exe
PID 1844 wrote to memory of 1452	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	officeodffilt.exe
PID 1844 wrote to memory of 556	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	chromeminiinstaller106.0.5249.119.exe
PID 1844 wrote to memory of 556	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	chromeminiinstaller106.0.5249.119.exe
PID 1844 wrote to memory of 556	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	chromeminiinstaller106.0.5249.119.exe
PID 1844 wrote to memory of 556	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	chromeminiinstaller106.0.5249.119.exe
PID 1844 wrote to memory of 556	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	chromeminiinstaller106.0.5249.119.exe
PID 1844 wrote to memory of 556	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	chromeminiinstaller106.0.5249.119.exe
PID 1844 wrote to memory of 556	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	chromeminiinstaller106.0.5249.119.exe
PID 1844 wrote to memory of 564	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	windowsbetriebssystemmsdaremr6.1.7600.163857.0907131255.exe
PID 1844 wrote to memory of 564	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	windowsbetriebssystemmsdaremr6.1.7600.163857.0907131255.exe
PID 1844 wrote to memory of 564	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	windowsbetriebssystemmsdaremr6.1.7600.163857.0907131255.exe
PID 1844 wrote to memory of 564	1844	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe	windowsbetriebssystemmsdaremr6.1.7600.163857.0907131255.exe

C:\Users\Admin\AppData\Local\Temp\bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
"C:\Users\Admin\AppData\Local\Temp\bc3c5ef1f273c9cf85ee33f2301fd8a2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1844

\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\serversqlceoledb.exe
"c:\program files (x86)\microsoft sql server compact edition\v3.5\serversqlceoledb.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1456

\??\c:\program files (x86)\common files\microsoft shared\filters\officeodffilt.exe
"c:\program files (x86)\common files\microsoft shared\filters\officeodffilt.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1452

\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\106.0.5249.119\chromeminiinstaller106.0.5249.119.exe
"c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\106.0.5249.119\chromeminiinstaller106.0.5249.119.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:556

\??\c:\program files (x86)\common files\system\msadc\de-de\windowsbetriebssystemmsdaremr6.1.7600.163857.0907131255.exe
"c:\program files (x86)\common files\system\msadc\de-de\windowsbetriebssystemmsdaremr6.1.7600.163857.0907131255.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:564

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\HelpMicrosoft.exe
Filesize
169KB

MD5
bc3c5ef1f273c9cf85ee33f2301fd8a2

SHA1
7d85f0c59b1fc3d9a6228e2569af7d955ef8ae6c

SHA256
601eed3a9c30f193cacbb575774b6e97f689f3de925043abd67ec5b2daabe0dd

SHA512
2988f919f04d27312636bc9f4f1e6413070136db283a16ad067d5b6f1ee96fafb29060846f4644db9277d37ea631c8adc95f28456e52c929bdc5001e7e6d1c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\w5CA1.tmp
Filesize
8KB

MD5
78bd46b27a198a8e90c81a5b36f1e309

SHA1
4709cc38dca2d634bedd66b850a64fd15d1fb9b3

SHA256
04f833594e76128b8ffbc6118b67ce622aa9ecf3f884d2c4dd353425c68ff57e

SHA512
c5ca11461dc2997b031eb0f4c205ad320c56854830dc48aadde3b1ea0591717c4181387edc5f8a5d0d07e9239240a42095fa2ad38fd16c431084c4c2048148f5

Download Submit
memory/556-243-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/556-449-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/556-246-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/564-521-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/564-321-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/564-320-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/564-319-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1452-158-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1452-159-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1452-157-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1452-345-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1456-245-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1456-78-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1456-77-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1456-76-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1844-3-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1844-96-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1844-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1844-4-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads