bcfc3cb89cb8527c820bc29cf2d414f43b943f926f75319b99a9ad2e43547a4f

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcfc3cb89cb8527c820bc29cf2d414f43b943f926f75319b99a9ad2e43547a4f.exe
Size

234KB
MD5

2f1845367c55755a9b8cd29bc2d54484
SHA1

b37ad1e474951fd584eed83310d398b5a92e2fee
SHA256

bcfc3cb89cb8527c820bc29cf2d414f43b943f926f75319b99a9ad2e43547a4f
SHA512

b6a5b9dbb4a1e87a4afe156605e822fdc27ef8f1aaec644581d2c3040d48bae3bfa20d161a954368935929a176b26e21e9e6a0ad1d8509035c5b15747e1dbeb5
SSDEEP

6144:vepRmdqNNcFHcbtG/l3dps/V9fp++Ron/eHP3:vep+qNqHq6l3A3fjonGHP

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2876	ctfmltMC.exe
2592	~E72.tmp
2060	cleasync.exe

Loads dropped DLL 3 IoCs

pid	Process
2208	bcfc3cb89cb8527c820bc29cf2d414f43b943f926f75319b99a9ad2e43547a4f.exe
2208	bcfc3cb89cb8527c820bc29cf2d414f43b943f926f75319b99a9ad2e43547a4f.exe
2876	ctfmltMC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\mcbueown = "C:\\Users\\Admin\\AppData\\Roaming\\cttufWrp\\ctfmltMC.exe"	bcfc3cb89cb8527c820bc29cf2d414f43b943f926f75319b99a9ad2e43547a4f.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cleasync.exe	bcfc3cb89cb8527c820bc29cf2d414f43b943f926f75319b99a9ad2e43547a4f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	ctfmltMC.exe
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	ctfmltMC.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2876	2208	bcfc3cb89cb8527c820bc29cf2d414f43b943f926f75319b99a9ad2e43547a4f.exe	28
PID 2208 wrote to memory of 2876	2208	bcfc3cb89cb8527c820bc29cf2d414f43b943f926f75319b99a9ad2e43547a4f.exe	28
PID 2208 wrote to memory of 2876	2208	bcfc3cb89cb8527c820bc29cf2d414f43b943f926f75319b99a9ad2e43547a4f.exe	28
PID 2208 wrote to memory of 2876	2208	bcfc3cb89cb8527c820bc29cf2d414f43b943f926f75319b99a9ad2e43547a4f.exe	28
PID 2876 wrote to memory of 2592	2876	ctfmltMC.exe	29
PID 2876 wrote to memory of 2592	2876	ctfmltMC.exe	29
PID 2876 wrote to memory of 2592	2876	ctfmltMC.exe	29
PID 2876 wrote to memory of 2592	2876	ctfmltMC.exe	29
PID 2592 wrote to memory of 1200	2592	~E72.tmp	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1200
- C:\Users\Admin\AppData\Local\Temp\bcfc3cb89cb8527c820bc29cf2d414f43b943f926f75319b99a9ad2e43547a4f.exe
  "C:\Users\Admin\AppData\Local\Temp\bcfc3cb89cb8527c820bc29cf2d414f43b943f926f75319b99a9ad2e43547a4f.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Roaming\cttufWrp\ctfmltMC.exe
    "C:\Users\Admin\AppData\Roaming\cttufWrp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\~E72.tmp
      1200 239624 2876 1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2592

C:\Windows\SysWOW64\cleasync.exe
C:\Windows\SysWOW64\cleasync.exe -s
1⤵
- Executes dropped EXE
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~E72.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
\Users\Admin\AppData\Roaming\cttufWrp\ctfmltMC.exe

Filesize
234KB

MD5
29e67515d12055231d129006c159df70

SHA1
e0cc4e2988c7e5c6ae8a38de67cac26630add08d

SHA256
260c91cdc59cb7962b8de358c7a1f695347c7900ca0fc672001e16218d992c8f

SHA512
84e8a88917bc072b3e6069e08ee40a3f4029130fe68bd21c8a0a0273908a58c1cd875baa1c888e6ba6ceaf29b73f851509192122238c9d3472ea2600613386f0

Download Submit
memory/1200-23-0x0000000002E20000-0x0000000002E26000-memory.dmp

Filesize
24KB

Download
memory/1200-20-0x0000000002DD0000-0x0000000002E1A000-memory.dmp

Filesize
296KB

Download
memory/1200-24-0x0000000002E30000-0x0000000002E3D000-memory.dmp

Filesize
52KB

Download
memory/1200-21-0x0000000002DD0000-0x0000000002E1A000-memory.dmp

Filesize
296KB

Download
memory/1200-19-0x0000000002DD0000-0x0000000002E1A000-memory.dmp

Filesize
296KB

Download
memory/2060-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2060-30-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2208-5-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/2208-1-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2208-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2876-15-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2876-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2876-27-0x0000000000310000-0x0000000000315000-memory.dmp

Filesize
20KB

Download