c18069071b7dd3fb2362713d823b5f3f20b41f23b02b044a4921cc12d6a30f5d

General

Target

bc7feeb8c4bf7df8322d38670e5256ec.exe
Size

933KB
MD5

bc7feeb8c4bf7df8322d38670e5256ec
SHA1

08ff287680445e62e3fdedacb7299593f7073595
SHA256

c18069071b7dd3fb2362713d823b5f3f20b41f23b02b044a4921cc12d6a30f5d
SHA512

e141bb571507c836263352eabb5b702a4eef651661a810134081c67fd48ef3741216f64ca5b452332d005ec4c9f0c067e65af4f32bf5730f5fdc762e51d94f87
SSDEEP

24576:GgsQqp+kTBx9pCJMyYJ1kqysQwq3oipECeErt3rY:d9MCCTJ1nyBoipEvEpr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2592	6076655.exe

Loads dropped DLL 4 IoCs

pid	Process
2556	cmd.exe
2556	cmd.exe
2592	6076655.exe
2592	6076655.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bc7feeb8c4bf7df8322d38670e5256ec = "\"C:\\Users\\Admin\\AppData\\Local\\6076655.exe\" 0 23 "	bc7feeb8c4bf7df8322d38670e5256ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\6076655 = "\"C:\\Users\\Admin\\AppData\\Local\\6076655.exe\" 0 44 "	6076655.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2108	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2592	6076655.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2592	6076655.exe
2592	6076655.exe
2592	6076655.exe
2592	6076655.exe
2592	6076655.exe
2592	6076655.exe
2592	6076655.exe
2592	6076655.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2592	6076655.exe
2592	6076655.exe
2592	6076655.exe
2592	6076655.exe
2592	6076655.exe
2592	6076655.exe
2592	6076655.exe
2592	6076655.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2556	2904	bc7feeb8c4bf7df8322d38670e5256ec.exe	28
PID 2904 wrote to memory of 2556	2904	bc7feeb8c4bf7df8322d38670e5256ec.exe	28
PID 2904 wrote to memory of 2556	2904	bc7feeb8c4bf7df8322d38670e5256ec.exe	28
PID 2904 wrote to memory of 2556	2904	bc7feeb8c4bf7df8322d38670e5256ec.exe	28
PID 2556 wrote to memory of 2108	2556	cmd.exe	30
PID 2556 wrote to memory of 2108	2556	cmd.exe	30
PID 2556 wrote to memory of 2108	2556	cmd.exe	30
PID 2556 wrote to memory of 2108	2556	cmd.exe	30
PID 2556 wrote to memory of 2592	2556	cmd.exe	31
PID 2556 wrote to memory of 2592	2556	cmd.exe	31
PID 2556 wrote to memory of 2592	2556	cmd.exe	31
PID 2556 wrote to memory of 2592	2556	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\bc7feeb8c4bf7df8322d38670e5256ec.exe
"C:\Users\Admin\AppData\Local\Temp\bc7feeb8c4bf7df8322d38670e5256ec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8668815.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v bc7feeb8c4bf7df8322d38670e5256ec /f
    3⤵
    - Modifies registry key
    PID:2108
- - C:\Users\Admin\AppData\Local\6076655.exe
    C:\Users\Admin\AppData\Local\6076655.exe -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6076655.exe

Filesize
60KB

MD5
681fee57dbf2f8af129b5192936e456e

SHA1
a9de6fae5ce45e91a76e0a48576af1164a996c1b

SHA256
be69c751a13517d6cb165496ee4d3c52384c532b5d1267589542e39e028ce9fb

SHA512
5e4e4dce74cccd09f275865b4a0fd9b4d688ae88bfebc77e2d4628ef4f779dff52f6d7bd036ec3d3825872ce3dd714f73d2a6df22d4b0e802a2b4a10263e1999

Download Submit
C:\Users\Admin\AppData\Local\6076655.exe

Filesize
81KB

MD5
3caccea56327ab42ff6be5990a6b2fe1

SHA1
4e941ba34b4813b9ed6d5bb58842770ca2cf6b0f

SHA256
e24235e3c9ea11cf4dc5d0e18d3ce99ad4b0f19791dd3ec0ec1b0c267f7e71d8

SHA512
04dd3eb7f535cd829d6b0ddc79ee6c1bf99b0e021ce15fa582fe30b619194593ad743b2730a6fe53ad8e88a3bcccf12026794ffd66af5db7b25dd02718f8beb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8668815.bat

Filesize
424B

MD5
ac084052dad0fc57039c1641237f19da

SHA1
790034a29a7a6751576dbedc657c2d161ff5b9b1

SHA256
35074017fab970bd2374b50de18bd81574372a6f3194ec37645eb83fd0da6703

SHA512
83ff50c7d21cdb4b3166178132e1c0e37c9f6120f8d5f0cfc518b07d83719084075b44ef277b0650678135b87b52942e5c46d952c5b2cded8c1a4cde20a5b8ab

Download Submit
\Users\Admin\AppData\Local\6076655.exe

Filesize
25KB

MD5
3eb7958443a99481f079ff4c0c15972f

SHA1
4eb4b3296c334815c21ea1bef5b221e44c09d81f

SHA256
b8d99d9951ad71e2cda7283d51d82353e2140a1a83b78f88721b251ad39d70e6

SHA512
274d90c8a684c7c3839424038f2f64cd0a66c09b3606676b2079effa4b70657a48792c16e22fbfb3616aca2a1a4955a3f5c2bf4905fc38eec58ac3d3ca21187e

Download Submit
\Users\Admin\AppData\Local\6076655.exe

Filesize
42KB

MD5
755d270e28ac30d3cc8fa2e167dece6a

SHA1
b13feb4b59357357ef9c643e01e1bcf957c74097

SHA256
d6ea3b041577c290463fa23361ee257f781ebfe4cb6617693f7f589eef8e3670

SHA512
adf176ee7b696a48ef11f828ca52a020d4e47e61f3b6ec9bde8164cf5eb48abed63d679d8774d0169c9cdb8f70c4b541253d089e200b608a2724a5f80e449c41

Download Submit
\Users\Admin\AppData\Local\6076655.exe

Filesize
862KB

MD5
a99097d62e3e9595f2a604375a6e0828

SHA1
c9dbfb52c323fe2aedff8f4ac864cc1226f1fdf7

SHA256
d349065d50663e977c5a92cd87053e4c6b14ed5534fa97709a169d71d357440b

SHA512
4a826f5717c1d032e5c74ad1123ad4ae3ed7f102758a4a1a9a4b82724b620672378e45d255855a142b6ded6672c2e8acb96e4db28c103b276f37c14565772f0d

Download Submit
\Users\Admin\AppData\Local\6076655.exe

Filesize
933KB

MD5
bc7feeb8c4bf7df8322d38670e5256ec

SHA1
08ff287680445e62e3fdedacb7299593f7073595

SHA256
c18069071b7dd3fb2362713d823b5f3f20b41f23b02b044a4921cc12d6a30f5d

SHA512
e141bb571507c836263352eabb5b702a4eef651661a810134081c67fd48ef3741216f64ca5b452332d005ec4c9f0c067e65af4f32bf5730f5fdc762e51d94f87

Download Submit
memory/2592-28-0x0000000000400000-0x0000000000831147-memory.dmp

Filesize
4.2MB

Download
memory/2592-30-0x0000000000400000-0x0000000000831147-memory.dmp

Filesize
4.2MB

Download
memory/2592-46-0x0000000000400000-0x0000000000831147-memory.dmp

Filesize
4.2MB

Download
memory/2592-21-0x0000000000400000-0x0000000000831147-memory.dmp

Filesize
4.2MB

Download
memory/2592-22-0x0000000000990000-0x0000000000B90000-memory.dmp

Filesize
2.0MB

Download
memory/2592-23-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2592-25-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2592-40-0x0000000000400000-0x0000000000831147-memory.dmp

Filesize
4.2MB

Download
memory/2592-39-0x0000000000400000-0x0000000000831147-memory.dmp

Filesize
4.2MB

Download
memory/2592-31-0x0000000000400000-0x0000000000831147-memory.dmp

Filesize
4.2MB

Download
memory/2592-38-0x0000000000400000-0x0000000000831147-memory.dmp

Filesize
4.2MB

Download
memory/2592-29-0x0000000000990000-0x0000000000B90000-memory.dmp

Filesize
2.0MB

Download
memory/2592-37-0x0000000000400000-0x0000000000831147-memory.dmp

Filesize
4.2MB

Download
memory/2592-32-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2592-33-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2592-34-0x0000000000400000-0x0000000000831147-memory.dmp

Filesize
4.2MB

Download
memory/2592-36-0x0000000000400000-0x0000000000831147-memory.dmp

Filesize
4.2MB

Download
memory/2904-14-0x0000000000400000-0x0000000000831147-memory.dmp

Filesize
4.2MB

Download
memory/2904-3-0x00000000003B0000-0x00000000003B2000-memory.dmp

Filesize
8KB

Download
memory/2904-4-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2904-1-0x0000000000400000-0x0000000000831147-memory.dmp

Filesize
4.2MB

Download
memory/2904-2-0x0000000000CA0000-0x0000000000EA0000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads