Resubmissions

  Submitted            Analysis ID          Score
  10/04/2024, 02:20    240410-csmdnsbh67    7
  10/04/2024, 02:20    240410-cslr5sfc3v    7
  10/04/2024, 02:20    240410-csk6lsbh66    7
  10/04/2024, 02:20    240410-cskvvafc3t    7
  07/02/2024, 00:55    240207-a9wbssahf7    7
  04/02/2024, 03:30    240204-d2n5asafcp    7
  01/02/2024, 05:13    240201-fwg5xacad9    7
  24/12/2023, 22:44    231224-2nv8fsggd7    10

Analysis

  • max time kernel
    296s
  • max time network
    303s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/04/2024, 02:20

General

  • Target
    bcd47dfcab580e884a5bf936e5b243a0cb83b6ddf7a48c669328ddd1893fa830.exe
  • Size
    3.0MB
  • MD5
    715b2b88bb473680a983c6a60c69491f
  • SHA1
    e909cdb4618307a1df57a58702f0bff72c0164f8
  • SHA256
    bcd47dfcab580e884a5bf936e5b243a0cb83b6ddf7a48c669328ddd1893fa830
  • SHA512
    1e216aecf4bb7810cc58e943939b5458343e9858ee1419bdf7a4daaf92b04d0ea86ae270dccb5f8e5fcdfb70c084ac744b157d53b20ad34f3eba52f1d073d81b
  • SSDEEP
    24576:+0aQZvWqj2YB+nFLaLfaUY3Y2RlGemVFrmzTe8Kt8YsfhIyRSMG1czjqyDQKijNe:+09EGZeUZ24rUTRtg8d4NOkFVyrdR

Malware Config

Signatures

  • Executes dropped EXE (3 IoCs)
  • Reads WinSCP keys stored on the system (2 TTPs)
    Tries to access WinSCP stored sessions.
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
  • Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Delays execution with timeout.exe (1 IoC)
  • Modifies system certificate store (2 TTPs, 9 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcd47dfcab580e884a5bf936e5b243a0cb83b6ddf7a48c669328ddd1893fa830.exe
    "C:\Users\Admin\AppData\Local\Temp\bcd47dfcab580e884a5bf936e5b243a0cb83b6ddf7a48c669328ddd1893fa830.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Users\Admin\AppData\Roaming\your_app_name.exe
      "C:\Users\Admin\AppData\Roaming\your_app_name.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "your_app_name" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\your_app_name.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Roaming\your_app_name.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\your_app_name.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:2648
        • C:\Windows\system32\timeout.exe
          timeout /t 3
          4⤵
          • Delays execution with timeout.exe
          PID:2592
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "your_app_name" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\your_app_name.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:1588
        • C:\Users\Admin\AppData\Local\RobloxSecurity\your_app_name.exe
          "C:\Users\Admin\AppData\Local\RobloxSecurity\your_app_name.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:268
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
              PID:1096
            • C:\Windows\system32\netsh.exe
              netsh wlan show profiles
              6⤵
              PID:1724
            • C:\Windows\system32\findstr.exe
              findstr /R /C:"[ ]:[ ]"
              6⤵
              PID:2072
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1180
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
              PID:2000
            • C:\Windows\system32\netsh.exe
              netsh wlan show networks mode=bssid
              6⤵
              PID:2804
            • C:\Windows\system32\findstr.exe
              findstr "SSID BSSID Signal"
              6⤵
              PID:1544
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {20F0C7A7-B237-4064-B170-D0E6FB9148AC} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Local\RobloxSecurity\your_app_name.exe
      C:\Users\Admin\AppData\Local\RobloxSecurity\your_app_name.exe
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2056
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:1472
        • C:\Windows\system32\netsh.exe
          netsh wlan show profiles
          4⤵
          PID:1188
        • C:\Windows\system32\findstr.exe
          findstr /R /C:"[ ]:[ ]"
          4⤵
          PID:1372
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:2764
        • C:\Windows\system32\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          PID:1968
        • C:\Windows\system32\findstr.exe
          findstr "SSID BSSID Signal"
          4⤵
          PID:1944
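The persistence chain (timeout, schtasks /create every minute at HIGHEST run level pointing into AppData, DEL of the first-stage copy, START of the relocated copy) and the Wi-Fi reconnaissance (netsh wlan show profiles / show networks piped to findstr) in the tree above reduce to a few command-line patterns. The Python below is an added detection example written for this page; it is not part of the sandbox report and not code from the sample. Its input is a constructed list of process-creation events copied from the command lines above, plus one constructed benign scheduled-task creation (a Contoso updater path) used as a control. The event schema (pid, cmdline) is an assumption, not any particular EDR or Sysmon format.

```python
import re
import shlex

# Constructed sample events: command lines recorded in the process tree above, plus one
# constructed benign scheduled-task creation as a control that must NOT be flagged.
SAMPLE_EVENTS = [
    {"pid": 2632,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && '
                r'schtasks /create /tn "your_app_name" /sc MINUTE '
                r'/tr "C:\Users\Admin\AppData\Local\RobloxSecurity\your_app_name.exe" /rl HIGHEST /f && '
                r'DEL /F /S /Q /A "C:\Users\Admin\AppData\Roaming\your_app_name.exe" &&'
                r'START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\your_app_name.exe"'},
    {"pid": 1588,
     "cmdline": r'schtasks /create /tn "your_app_name" /sc MINUTE '
                r'/tr "C:\Users\Admin\AppData\Local\RobloxSecurity\your_app_name.exe" /rl HIGHEST /f'},
    {"pid": 268,
     "cmdline": r'"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'},
    {"pid": 1180,
     "cmdline": r'"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"'},
    {"pid": 4242,  # constructed benign control: vendor path, daily schedule, no run-level request
     "cmdline": r'schtasks /create /tn "Contoso Updater" /sc DAILY /st 09:00 /tr "C:\Program Files\Contoso\updater.exe"'},
]

# A binary under a user's AppData is writable without admin rights, unlike Program Files.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
# schtasks options that take a value (subset sufficient here); /f is a bare flag.
VALUE_OPTS = {"/tn", "/sc", "/tr", "/rl", "/st", "/mo", "/ru"}
CMD_PREFIX = re.compile(r'^\s*"?[^"]*cmd(?:\.exe)?"?\s+/[cCkK]\s+')

def split_cmd_chain(cmdline):
    """Drop a leading 'cmd.exe /c' and split the chain on && and | into single commands.
    Good enough for sandbox command lines; not a complete cmd.exe grammar."""
    m = CMD_PREFIX.match(cmdline)
    body = cmdline[m.end():] if m else cmdline
    return [p.strip() for p in re.split(r"&&|\|", body) if p.strip()]

def parse_schtasks_create(command):
    """Return the options of a 'schtasks /create ...' command, or None if it is not one."""
    try:
        tokens = shlex.split(command, posix=False)  # non-POSIX: backslashes stay literal
    except ValueError:
        return None
    if len(tokens) < 2 or not tokens[0].lower().strip('"').endswith(("schtasks", "schtasks.exe")):
        return None
    if tokens[1].lower() != "/create":
        return None
    opts, i = {"force": False}, 2
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok == "/f":
            opts["force"] = True
            i += 1
        elif tok in VALUE_OPTS and i + 1 < len(tokens):
            opts[tok[1:]] = tokens[i + 1].strip('"')
            i += 2
        else:
            i += 1
    return opts

def assess_scheduled_task(opts):
    """List the traits that make a task creation look like malware persistence."""
    reasons = []
    if USER_WRITABLE.search(opts.get("tr", "")):
        reasons.append("task binary lives under a user-writable AppData path")
    if opts.get("sc", "").upper() == "MINUTE":
        reasons.append("fires every minute (watchdog-style re-execution)")
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("requests the highest run level")
    if opts["force"]:
        reasons.append("/f silently replaces any existing task of that name")
    return reasons

WIFI_RECON = {
    "netsh wlan show profiles": "enumerates saved Wi-Fi profiles",
    "netsh wlan show networks": "enumerates nearby SSIDs/BSSIDs (geolocation aid)",
}

def detect_wifi_recon(commands):
    joined = re.sub(r"\s+", " ", " ".join(commands)).lower()
    return [why for needle, why in WIFI_RECON.items() if needle in joined]

def detect_delayed_relocation(commands):
    """timeout, then DEL of one path and START of another inside one cmd chain: the first
    stage sleeps, erases itself and hands over to the relocated copy."""
    verbs = [c.split()[0].lower() for c in commands if c.split()]
    return {"timeout", "del", "start"}.issubset(verbs)

def analyze(events):
    """Run every detection over process-creation events; returns {pid: [finding, ...]}."""
    findings = {}
    for ev in events:
        commands = split_cmd_chain(ev["cmdline"])
        notes = []
        for cmd in commands:
            opts = parse_schtasks_create(cmd)
            reasons = assess_scheduled_task(opts) if opts else []
            if len(reasons) >= 2:  # one trait alone is common in legitimate software
                notes.append("suspicious scheduled task %r: %s" % (opts.get("tn"), "; ".join(reasons)))
        notes += detect_wifi_recon(commands)
        if detect_delayed_relocation(commands):
            notes.append("delayed self-relocation (timeout, DEL first stage, START second stage)")
        if notes:
            findings[ev["pid"]] = notes
    return findings

if __name__ == "__main__":
    for pid, notes in analyze(SAMPLE_EVENTS).items():
        for note in notes:
            print(f"PID {pid}: {note}")
```

Requiring two persistence traits before alerting keeps ordinary installers (vendor path, daily schedule) quiet while still catching this sample's combination of an AppData binary, a one-minute schedule and HIGHEST run level; the same schtasks parser fires on both the parent cmd.exe chain (PID 2632) and the child schtasks.exe (PID 1588), so deduplicate by task name if you feed it a full process tree.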

Network

MITRE ATT&CK Enterprise v15

Downloads

The two CryptnetUrlCache entries below are CryptoAPI's cache of a certificate-related object fetched over the network (for example revocation or root-store data) while the sample's process validated a certificate; they are the file-system side of the "Modifies system certificate store" signature rather than a second payload. The dropped stage is the 119KB your_app_name.exe.

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    • Filesize
      68KB
    • MD5
      29f65ba8e88c063813cc50a4ea544e93
    • SHA1
      05a7040d5c127e68c25d81cc51271ffb8bef3568
    • SHA256
      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    • SHA512
      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    • Filesize
      344B
    • MD5
      abe3f7765c05e7b6741f183a26cf7046
    • SHA1
      ab99705aefcf6a639157c2ed0fd4acd8a82273af
    • SHA256
      8d8638ae0644fd6e23b35a96ce7cfa1eaaba6a1e1d38cf9516e214d897f73831
    • SHA512
      aa7eae359fec58c3d04d950934bb7fa61117d8978c81fb01459a0520342469438d6cbfde95148e1efc7d8995cd362bd09dbd117399bef0039347840f23562b6b
  • C:\Users\Admin\AppData\Local\Temp\TarB949.tmp
    • Filesize
      177KB
    • MD5
      435a9ac180383f9fa094131b173a2f7b
    • SHA1
      76944ea657a9db94f9a4bef38f88c46ed4166983
    • SHA256
      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
    • SHA512
      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
  • C:\Users\Admin\AppData\Local\sfm099xrhk\p.dat
    • Filesize
      4B
    • MD5
      22b1f2e0983160db6f7bb9f62f4dbb39
    • SHA1
      4f12c3d54b0dbc8d912825dbed99fce00aa76abc
    • SHA256
      4d5f60d62b859ce230607dc271d27378a876b60c24c5de0832f2df98c0b46b9b
    • SHA512
      b30458d652cdde4cc02b473786b2f43f731a28d7e05672120b1ff548ffa0567a398bff90a3fbbe2e2ab844ff64378088bbcf1fe868d4206f340881e891881dd8
  • C:\Users\Admin\AppData\Roaming\your_app_name.exe
    • Filesize
      119KB
    • MD5
      b00bd190f37328c060a0446e6414de72
    • SHA1
      77c019f6d4beba4fd716dca07c83ca328c3a9946
    • SHA256
      cc9e5bfeb86b7fe80b33a4004eb0912820f09dec29a426a8a4136f7306c08d04
    • SHA512
      ed0872416306e848813df3408ee0d8a0c118dda262052baeb92f38a9a5fd695824debe790a35916a6b1008157cbc45ff77ea1795fb8a82d8448f0d91141abd8c
  • memory/2056-136-0x000007FEF4B80000-0x000007FEF556C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2056-195-0x000000001B180000-0x000000001B200000-memory.dmp
    • Filesize
      512KB
  • memory/2056-194-0x000007FEF4B80000-0x000007FEF556C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2552-5-0x0000000000230000-0x0000000000254000-memory.dmp
    • Filesize
      144KB
  • memory/2552-6-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2552-7-0x0000000000520000-0x00000000005A0000-memory.dmp
    • Filesize
      512KB
  • memory/2552-10-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2628-138-0x000007FEF4B80000-0x000007FEF556C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2628-16-0x000000001B430000-0x000000001B4B0000-memory.dmp
    • Filesize
      512KB
  • memory/2628-193-0x000000001B430000-0x000000001B4B0000-memory.dmp
    • Filesize
      512KB
  • memory/2628-15-0x000007FEF4B80000-0x000007FEF556C000-memory.dmp
    • Filesize
      9.9MB
  • memory/2628-14-0x0000000000290000-0x00000000002B4000-memory.dmp
    • Filesize
      144KB