2df2b91e5d15ae8949a4af4c03ccc117df90de515b3600f5ff29257f2a940ed5

Analysis

max time kernel
146s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcbfd1f804b7e8781b155bd0dc62683b.exe
Size

7.6MB
MD5

bcbfd1f804b7e8781b155bd0dc62683b
SHA1

3dd33159a1805dbdf952ee8d74ab84ae42ecc70a
SHA256

2df2b91e5d15ae8949a4af4c03ccc117df90de515b3600f5ff29257f2a940ed5
SHA512

4a47991410807b4992d69ac7a8fcede1d7ecdcfb5d2235c22c4eefe91fe8d229367c70ef6599bff21fc8d8f4bac226d10b077fe7dd361d50643316a03cca708c
SSDEEP

196608:AELDBUKxrihjALc7lNyt6xm0A65n+3BOb6kYhAHd5R:AELD3My47lRA6RsOb6kxHdP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2688	is-80MRA.tmp

Loads dropped DLL 4 IoCs

pid	Process
2280	bcbfd1f804b7e8781b155bd0dc62683b.exe
2688	is-80MRA.tmp
2688	is-80MRA.tmp
2688	is-80MRA.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2688	is-80MRA.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2688	2280	bcbfd1f804b7e8781b155bd0dc62683b.exe	28
PID 2280 wrote to memory of 2688	2280	bcbfd1f804b7e8781b155bd0dc62683b.exe	28
PID 2280 wrote to memory of 2688	2280	bcbfd1f804b7e8781b155bd0dc62683b.exe	28
PID 2280 wrote to memory of 2688	2280	bcbfd1f804b7e8781b155bd0dc62683b.exe	28
PID 2280 wrote to memory of 2688	2280	bcbfd1f804b7e8781b155bd0dc62683b.exe	28
PID 2280 wrote to memory of 2688	2280	bcbfd1f804b7e8781b155bd0dc62683b.exe	28
PID 2280 wrote to memory of 2688	2280	bcbfd1f804b7e8781b155bd0dc62683b.exe	28

C:\Users\Admin\AppData\Local\Temp\bcbfd1f804b7e8781b155bd0dc62683b.exe
"C:\Users\Admin\AppData\Local\Temp\bcbfd1f804b7e8781b155bd0dc62683b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\is-RRL1S.tmp\is-80MRA.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RRL1S.tmp\is-80MRA.tmp" /SL4 $8001C "C:\Users\Admin\AppData\Local\Temp\bcbfd1f804b7e8781b155bd0dc62683b.exe" 7589537 50176
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-L55G8.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-L55G8.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-RRL1S.tmp\is-80MRA.tmp

Filesize
614KB

MD5
307cff04833a9a7a0b2f8e044e435336

SHA1
798b2645884fa4e7d3f53016afc1290796b6110a

SHA256
e0f5f9b9a568a2894fde04cb2007c510476c88fba3b3ec90a656bff33646fff4

SHA512
3ea0917077f22fbd00ea6d541bbcccb6565ed794bd0b38fcf3315c3dcd2d231973828a6bd83d750418e255e3892e93d1b3eefcade8bb482a9e2005b16d6f1292

Download Submit
memory/2280-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2280-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2280-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2688-16-0x00000000005F0000-0x000000000062C000-memory.dmp

Filesize
240KB

Download
memory/2688-19-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2688-20-0x00000000005F0000-0x000000000062C000-memory.dmp

Filesize
240KB

Download
memory/2688-38-0x00000000005F0000-0x000000000062C000-memory.dmp

Filesize
240KB

Download