Overview

overview

7

Static

static

3

bc41ca8b28...dc.exe

windows7-x64

7

bc41ca8b28...dc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    09/03/2024, 16:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc41ca8b28cefbef19913892893b6fdc.exe

  • Size

    24KB

  • MD5

    bc41ca8b28cefbef19913892893b6fdc

  • SHA1

    7873b97f271893da5977b7033e1d1ffca194e682

  • SHA256

    dc1a821510bb64fab32a16c29d554fa23f474d2e63ad250d2756a4f4c3a1501e

  • SHA512

    72a12937274234100222afd02f6e31e3de607127fe5850aaa8cfb0fa2253ede0561a46cc5c080ddb6cec99e8009d61438e7fde8040c65be994a0f2f12ef41627

  • SSDEEP

    384:Hw8s6S7GEsv9pWDeAFBis/QhGvsFTM9/7/qI0RSojYE0W:Hw8QGEM8DeA7i+QhGvsFgiI0RS

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc41ca8b28cefbef19913892893b6fdc.exe
    "C:\Users\Admin\AppData\Local\Temp\bc41ca8b28cefbef19913892893b6fdc.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\systxm32\svchost.exe
      C:\Windows\systxm32\svchost.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 92
        3⤵
        • Program crash
        PID:2092
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\install.inf
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\SysWOW64\runonce.exe
        "C:\Windows\system32\runonce.exe" -r
        3⤵
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\SysWOW64\grpconv.exe
          "C:\Windows\System32\grpconv.exe" -o
          4⤵
            PID:2468
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "" .bat""
        2⤵
        • Deletes itself
        PID:2876

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ .bat
      Filesize

      2KB

      MD5

      397d0c0d2ee36edc74904235108f9660

      SHA1

      edf4e335ed9a649f83a76012bd232f285fd843c2

      SHA256

      9303dc9d19cea525ef0aa2b431b2fd642da1d9d64555ebbd7d52c49f7e1c5a02

      SHA512

      5a560ede526be84a15618fab61147b162535195b2caceee78bd9c8100d5ff8f96cf0cbe0ac21db2d42663376ed4849ea3d0a4927065bea8ff97079b87821ccae

      Download Submit

    • C:\Windows\install.inf
      Filesize

      2KB

      MD5

      9716ebac351c551a7e64d6f819ffd8b5

      SHA1

      9cdf8d7f0e5bd93138df1e2c920e73c2472d3ae6

      SHA256

      0a36fcbaae3f4af6b4e087b0e1ec5cdf129b7e6c8c6703a5b6c1dc56082cbfec

      SHA512

      c3db55880764af3fc9dd8de37af456919ab9f123753c68e4b48cbe410cbbd2d12f05ca241ca41f7b053602c2d01f40e77c5242d90413a3ec134967e023b02faa

      Download Submit

    • \Windows\systxm32\svchost.exe
      Filesize

      24KB

      MD5

      bc41ca8b28cefbef19913892893b6fdc

      SHA1

      7873b97f271893da5977b7033e1d1ffca194e682

      SHA256

      dc1a821510bb64fab32a16c29d554fa23f474d2e63ad250d2756a4f4c3a1501e

      SHA512

      72a12937274234100222afd02f6e31e3de607127fe5850aaa8cfb0fa2253ede0561a46cc5c080ddb6cec99e8009d61438e7fde8040c65be994a0f2f12ef41627

      Download Submit