Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/04/2024, 07:51

General

  • Target

    bd069e479df57440bfabe8349a3f32d6bd91addeea22ab03f48e1826a521b179.exe

  • Size

    3.4MB

  • MD5

    5f04cf580b375ac90caf75930fd866e7

  • SHA1

    f12c5c67b3c4df42b9c08cfd67b111c58f6f5df8

  • SHA256

    bd069e479df57440bfabe8349a3f32d6bd91addeea22ab03f48e1826a521b179

  • SHA512

    a6b428c8f8120e3aff6f9e0f6a77c5c3dcbaec0ab8995ef8ab3cb3977d8ee5f543bbe4fe8e982e2f9d3f11b243fa7756ac0a31e13a917e46189dc88ccfd502dd

  • SSDEEP

    49152:kDpDi4lvfCPOjVqNUzAYzpIHBLCSp740Wc4:WpDNANMzpIcWSc4

Score
8/10

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 18 IoCs
  • Runs net.exe
  • Suspicious use of WriteProcessMemory 49 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd069e479df57440bfabe8349a3f32d6bd91addeea22ab03f48e1826a521b179.exe
    "C:\Users\Admin\AppData\Local\Temp\bd069e479df57440bfabe8349a3f32d6bd91addeea22ab03f48e1826a521b179.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\MSOCache\test.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\MSOCache\start.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall set opmode disable
          4⤵
          • Modifies Windows Firewall
          PID:2880
        • C:\MSOCache\jusched.exe
          C:\MSOCache\jusched.exe /I
          4⤵
          • Executes dropped EXE
          PID:2112
        • C:\Windows\SysWOW64\net.exe
          net start Taskmngr
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start Taskmngr
            5⤵
              PID:2740
        • C:\Windows\SysWOW64\attrib.exe
          attrib C:\Windows +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:2468
  • C:\MSOCache\jusched.exe
    C:\MSOCache\jusched.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2488
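
The process tree above is a compact, fully scripted chain: a VBS dropped to C:\MSOCache starts a batch file, which turns off the firewall with netsh, launches the dropped jusched.exe, starts a service named Taskmngr with net.exe, and hides C:\Windows with attrib. The following is an added example, not part of the sandbox report or its signature engine: it replays that chain as hand-constructed process-creation records (image, command line and PIDs copied from the tree) and runs a small set of detection rules over them, including an ancestry check so that built-in tools are judged by who launched them. Assumed, not from the report: parent PID 1000 stands in for parents the report does not show, the benign control events are invented, and the list of staging directories and the expected Program Files location of the real jusched.exe are the editor's choices.

```python
"""Detection rules replaying the execution chain from this report.

Added example, not the sandbox's own logic. EVENTS is constructed from the
report's process tree; BENIGN_EVENTS is invented as a false-positive check.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the executable that was started
    cmdline: str  # command line as logged


ROOT = r"C:\Users\Admin\AppData\Local\Temp\bd069e479df57440bfabe8349a3f32d6bd91addeea22ab03f48e1826a521b179.exe"

# Constructed from the report's process tree; ppid 1000 = parent not shown (assumption).
EVENTS = [
    ProcEvent(2928, 1000, ROOT, f'"{ROOT}"'),
    ProcEvent(3024, 2928, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\MSOCache\test.vbs"'),
    ProcEvent(2660, 3024, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\MSOCache\start.bat" "'),
    ProcEvent(2880, 2660, r"C:\Windows\SysWOW64\netsh.exe", "netsh firewall set opmode disable"),
    ProcEvent(2112, 2660, r"C:\MSOCache\jusched.exe", r"C:\MSOCache\jusched.exe /I"),
    ProcEvent(2460, 2660, r"C:\Windows\SysWOW64\net.exe", "net start Taskmngr"),
    ProcEvent(2740, 2460, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 start Taskmngr"),
    ProcEvent(2468, 2660, r"C:\Windows\SysWOW64\attrib.exe", r"attrib C:\Windows +s +h"),
    ProcEvent(2488, 1000, r"C:\MSOCache\jusched.exe", r"C:\MSOCache\jusched.exe"),
]

# Invented benign activity: ordinary admin use of the same binaries must not fire.
BENIGN_EVENTS = [
    ProcEvent(4000, 1000, r"C:\Windows\System32\netsh.exe", "netsh interface show interface"),
    ProcEvent(4001, 1000, r"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe",
              r'"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"'),
    ProcEvent(4002, 1000, r"C:\Windows\System32\attrib.exe", r"attrib +r C:\Users\Admin\notes.txt"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
LOLBINS = {"netsh.exe", "net.exe", "net1.exe", "attrib.exe", "sc.exe", "reg.exe"}
STAGING_DIRS = ("c:\\msocache\\", "c:\\users\\public\\", "c:\\programdata\\")  # editor's assumption
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")         # assumed legit jusched home
FIREWALL_OFF = re.compile(
    r"\bfirewall\s+set\s+opmode\s+(?:mode=)?disable\b"     # legacy netsh syntax (this sample)
    r"|\badvfirewall\s+set\s+\w+\s+state\s+off\b", re.I)  # modern netsh advfirewall syntax


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev, by_pid):
    """Known ancestors of ev, nearest first; stops where the parent is not in the data."""
    chain = []
    while ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
        chain.append(ev)
    return chain


def rule_firewall_off(ev, chain):
    return basename(ev.image) == "netsh.exe" and FIREWALL_OFF.search(ev.cmdline) is not None


def rule_hide_system_path(ev, chain):
    # attrib accepts flags before or after the path, so split tokens into the two groups
    if basename(ev.image) != "attrib.exe":
        return False
    toks = ev.cmdline.split()[1:]
    flags = {t.lower() for t in toks if t[0] in "+-"}
    paths = [t.lower() for t in toks if t[0] not in "+-/"]
    return "+h" in flags and any(p.startswith("c:\\windows") for p in paths)


def rule_script_from_staging(ev, chain):
    return basename(ev.image) in SCRIPT_HOSTS and any(d in ev.cmdline.lower() for d in STAGING_DIRS)


def rule_masquerade_jusched(ev, chain):
    # jusched.exe is the Java Update Scheduler's name; a copy outside Program Files is a dropped binary
    return basename(ev.image) == "jusched.exe" and not ev.image.lower().startswith(PROGRAM_FILES)


def rule_lolbin_from_script_chain(ev, chain):
    # built-in admin tool whose ancestry contains cmd.exe under a script host (directly or not)
    names = [basename(a.image) for a in chain]
    return basename(ev.image) in LOLBINS and "cmd.exe" in names and bool(SCRIPT_HOSTS & set(names))


RULES = [
    ("firewall_off", "T1562.004 Disable or Modify System Firewall", rule_firewall_off),
    ("hide_system_path", "T1564.001 Hidden Files and Directories", rule_hide_system_path),
    ("script_from_staging", "T1059 script host run from a staging directory", rule_script_from_staging),
    ("masquerade_jusched", "T1036.005 Match Legitimate Name or Location", rule_masquerade_jusched),
    ("lolbin_from_script_chain", "script -> cmd.exe -> built-in admin tool", rule_lolbin_from_script_chain),
]


def evaluate(events):
    """Return (pid, rule_id, title) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        chain = ancestry(ev, by_pid)
        hits.extend((ev.pid, rid, title) for rid, title, pred in RULES if pred(ev, chain))
    return hits


def hits_by_root(events):
    """Group rule ids under the topmost known ancestor: one alert per execution chain."""
    by_pid = {e.pid: e for e in events}
    grouped = defaultdict(set)
    for pid, rid, _ in evaluate(events):
        chain = ancestry(by_pid[pid], by_pid)
        grouped[chain[-1].pid if chain else pid].add(rid)
    return dict(grouped)
```

Running `hits_by_root(EVENTS)` collapses the seven individual hits into one alert keyed on PID 2928 (the submitted sample) plus a second on PID 2488, the standalone jusched.exe instance whose parent the report does not show; `evaluate(BENIGN_EVENTS)` returns nothing. The ancestry rule is what separates `net start Taskmngr` here from an administrator typing the same thing: the command line is unremarkable, the wscript -> cmd -> net chain is not.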

Downloads

  • C:\MSOCache\FtpBackup.config
    Filesize: 591B
    MD5: 1bae7e838ce56ed78a4b5ac91969db36
    SHA1: d1a952bd113116f42a22b6f9354edb34614ba003
    SHA256: c513f527efe93c896ddc0a577ab1542b77a4e8b6317fffbff61ae2a9a80fa3de
    SHA512: 93c4c461060e13bace63db6d69408e974be3c9b11c1cdfacdda88c37e571d13b12a69605b901ae0dbfce397ebdbc64a52a8470319918f111bc64c7f13d6e7896

  • C:\MSOCache\start.bat
    Filesize: 136B
    MD5: 02e6ddbc715dfd7ce1838c4b4b0520c8
    SHA1: beffad085107db83d28a1bf0cdd91ecafc8ba8c0
    SHA256: 0311acfa1282599748d62918af38533250f0a39d0ac46ed9982c98d279e5c237
    SHA512: 18730254e6289c75e682b11293e2095397d6d478993a6c08793cadc775c7ace0c6e281e031ddfcbc58047417b1cec35984f9788f2096bf81b92b812a25da3c5a

  • C:\MSOCache\test.vbs
    Filesize: 126B
    MD5: f00621f0dc0f7f7469367cc2a2562bef
    SHA1: 78b65e1f8dafcfc262e309a2fc4e422bf3b15802
    SHA256: 4c647088801454129c69674aa05916789dfb516163a22529722da226d835a48b
    SHA512: 932c2fce2a5f7312fdbe748bf0fc55672fe4622bd2626793eae0e74bccc7fc4bcae268c38fa86a3d74abcf46e93b5356c0a5d6c76c361118aeab3532149e4f99

  • \MSOCache\jusched.exe
    Filesize: 377KB
    MD5: c4130bcfbec35b377b512ceb64221293
    SHA1: b05a8c3a48c5cc2fda027064f58c314f4dca03c2
    SHA256: df2edc9c52a0e5cde0222f6cbbbf39433ce02ce3653aaff58418b6d04141fd03
    SHA512: ff6234432127b33edb096440aac918fc69577e52536b26d43f30528853f02233ae653f8d8946fabd5f3f08eb3ba59004501f569f6ab0679f1cdb3683ed0d94f6