07632170506689c16d08c0ffe3b8ac37f959a35e5a4ac811e38318ac83b58f92

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
submitted
05/04/2024, 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bullpen12.exe
Size

5.6MB
MD5

3abe68c3c880232b833c674d9b1034ce
SHA1

ab8d0c6b7871b01aadac9d8e775b2a305bc38a6b
SHA256

07632170506689c16d08c0ffe3b8ac37f959a35e5a4ac811e38318ac83b58f92
SHA512

bb44f8d068e360427fde7015d7b845ecd1f58f4f11317e6fa1a86f24a2744f23e5f60c9019818a800f4a01214513be4978126edda298778b3f9b19d8c7096351
SSDEEP

49152:ZBCullUWc8G8kH20J22Bjpd4a6KUaOe1qE2j9x4nzgqr5zwf+dUIyRutm+tIJSKq:gH2aQa6eOt4ZDeDPkv1P

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
432	TypeId.exe

Loads dropped DLL 2 IoCs

pid	Process
2188	taskeng.exe
2188	taskeng.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
432	TypeId.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	bullpen12.exe
Token: SeDebugPrivilege	432	TypeId.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 432	2188	taskeng.exe	32
PID 2188 wrote to memory of 432	2188	taskeng.exe	32
PID 2188 wrote to memory of 432	2188	taskeng.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bullpen12.exe
"C:\Users\Admin\AppData\Local\Temp\bullpen12.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\system32\taskeng.exe
taskeng.exe {1BDE737F-B92F-46D8-8EB3-76E1B560AD4F} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\CanReuseTransform\hzawny\TypeId.exe
  C:\Users\Admin\AppData\Local\CanReuseTransform\hzawny\TypeId.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\CanReuseTransform\hzawny\TypeId.exe

Filesize
5.6MB

MD5
3abe68c3c880232b833c674d9b1034ce

SHA1
ab8d0c6b7871b01aadac9d8e775b2a305bc38a6b

SHA256
07632170506689c16d08c0ffe3b8ac37f959a35e5a4ac811e38318ac83b58f92

SHA512
bb44f8d068e360427fde7015d7b845ecd1f58f4f11317e6fa1a86f24a2744f23e5f60c9019818a800f4a01214513be4978126edda298778b3f9b19d8c7096351

Download Submit
memory/432-2225-0x00000000008E0000-0x00000000009E0000-memory.dmp

Filesize
1024KB

Download
memory/432-2227-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Filesize
512KB

Download
memory/432-2226-0x000007FEF4770000-0x000007FEF515C000-memory.dmp

Filesize
9.9MB

Download
memory/432-4438-0x000007FEF4770000-0x000007FEF515C000-memory.dmp

Filesize
9.9MB

Download
memory/432-4448-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Filesize
512KB

Download
memory/432-4444-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Filesize
512KB

Download
memory/432-4440-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Filesize
512KB

Download
memory/432-4439-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Filesize
512KB

Download
memory/2864-35-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-43-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-6-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-7-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-9-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-11-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-13-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-15-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-17-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-19-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-21-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-23-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-25-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-27-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-29-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-31-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-33-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-4-0x000000001BA50000-0x000000001BAD0000-memory.dmp

Filesize
512KB

Download
memory/2864-37-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-39-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-41-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-5-0x000000001AFA0000-0x000000001B088000-memory.dmp

Filesize
928KB

Download
memory/2864-45-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-47-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-49-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-51-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-53-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-55-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-57-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-59-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-61-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-63-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-65-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-67-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-3-0x000000001BA50000-0x000000001BAD0000-memory.dmp

Filesize
512KB

Download
memory/2864-2-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-1-0x0000000002340000-0x00000000023DC000-memory.dmp

Filesize
624KB

Download
memory/2864-0-0x00000000008E0000-0x00000000009E0000-memory.dmp

Filesize
1024KB

Download
memory/2864-69-0x000000001AFA0000-0x000000001B082000-memory.dmp

Filesize
904KB

Download
memory/2864-2215-0x000000001AD00000-0x000000001AD56000-memory.dmp

Filesize
344KB

Download
memory/2864-2216-0x0000000002500000-0x000000000254C000-memory.dmp

Filesize
304KB

Download
memory/2864-2217-0x000000001B090000-0x000000001B0E4000-memory.dmp

Filesize
336KB

Download
memory/2864-2220-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download