Analysis
  max time kernel: 122s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240220-en
  resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  submitted: 10/03/2024, 14:47
Static task: static1
Behavioral task: behavioral1
  Sample: bee085e0c4f557c4dc7e3b82330d12c5.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: bee085e0c4f557c4dc7e3b82330d12c5.exe
  Resource: win10v2004-20240226-en
General
  Target: bee085e0c4f557c4dc7e3b82330d12c5.exe
  Size: 390KB
  MD5: bee085e0c4f557c4dc7e3b82330d12c5
  SHA1: 5989a51f7656f176747ff51402c2e52234a8d9b6
  SHA256: 72b3420970e333b8b85395e05ddec33859fb4af13cf8c223dea462df9ea53553
  SHA512: 85c4d03e810b535b478314564e9e99af74717e451e81be7029df421741228eb2c2e1a42977f7144d1e9f91c9298d027f2694d462f7e59b745493d38106055a2e
  SSDEEP: 6144:ui16CMveKPojilIk1XRghbzkK5U+eKHXi6oltNI8IG6SSeCKif6UWef3SOfsK/Zh:u5C/jk/ufkK5UcHboFcGjUWe/nZZPJ
Malware Config
Signatures
  Executes dropped EXE (1 IoC)
    pid 2712  process bnadgd.exe
  Loads dropped DLL (2 IoCs)
    pid 3064  process bee085e0c4f557c4dc7e3b82330d12c5.exe
    pid 3064  process bee085e0c4f557c4dc7e3b82330d12c5.exe
  Adds Run key to start application (2 TTPs, 1 IoC)
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\prmk = "\"c:\\windows\\system32\\wdi\\bnadgd.exe\""
    process: bee085e0c4f557c4dc7e3b82330d12c5.exe
  Drops file in System32 directory (1 IoC)
    description: File created
    ioc: \??\c:\windows\SysWOW64\wdi\bnadgd.exe
    process: bee085e0c4f557c4dc7e3b82330d12c5.exe
  Drops file in Windows directory (1 IoC)
    description: File created
    ioc: C:\Windows\b9559a31.log
    process: bee085e0c4f557c4dc7e3b82330d12c5.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid 3064  process bee085e0c4f557c4dc7e3b82330d12c5.exe
  Suspicious use of SetWindowsHookEx (2 IoCs)
    pid 3064  process bee085e0c4f557c4dc7e3b82330d12c5.exe
    pid 2712  process bnadgd.exe
  Suspicious use of WriteProcessMemory (4 IoCs)
    description                          pid   process                                   procid_target
    PID 3064 wrote to memory of 2712     3064  bee085e0c4f557c4dc7e3b82330d12c5.exe      30
    PID 3064 wrote to memory of 2712     3064  bee085e0c4f557c4dc7e3b82330d12c5.exe      30
    PID 3064 wrote to memory of 2712     3064  bee085e0c4f557c4dc7e3b82330d12c5.exe      30
    PID 3064 wrote to memory of 2712     3064  bee085e0c4f557c4dc7e3b82330d12c5.exe      30
Processes
  C:\Users\Admin\AppData\Local\Temp\bee085e0c4f557c4dc7e3b82330d12c5.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\bee085e0c4f557c4dc7e3b82330d12c5.exe"
    PID: 3064
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    child process: C:\windows\SysWOW64\wdi\bnadgd.exe
      command line: "C:\windows\system32\wdi\bnadgd.exe" /i
      PID: 2712
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 96B
  MD5: 933a243d4d6dcbe1d406d303daf73a35
  SHA1: bd4f2fd04f16b2f74a84ff72f3d41acc000cd6b0
  SHA256: 42f79f2b10b20b8fa99242f2757ba94343194c628a840aa57d7412f61f68d5bc
  SHA512: 44de72c8a78bc3999ef675b3fd26ac20a4425a2519b0e2fddcdb7a5f696642f47add626358fdb0cb11e60e62d97bae958f083fbca81c0f3b884c59948a8ca786

  Filesize: 390KB
  MD5: bee085e0c4f557c4dc7e3b82330d12c5
  SHA1: 5989a51f7656f176747ff51402c2e52234a8d9b6
  SHA256: 72b3420970e333b8b85395e05ddec33859fb4af13cf8c223dea462df9ea53553
  SHA512: 85c4d03e810b535b478314564e9e99af74717e451e81be7029df421741228eb2c2e1a42977f7144d1e9f91c9298d027f2694d462f7e59b745493d38106055a2e