9ebfb7e3c1394ea3aec0641497db4af4643369243aec0a6703b7fa3a773dea3b

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/uninstall.bat
Size

33B
MD5

b80a7b6f60117a9ccfc099c705598a88
SHA1

3ff7aa18e3fa74790f4abe417469c6d9f3d47487
SHA256

fa2f0953d67c07b1c4afb16ac079a44fbd8b15f4fa56552404eb60b4643dbcc7
SHA512

37131677f74f4b4b1ce8a591c71a656eb9a5ae0f0a8e3a984f53e162395a0d9d986472a3dcefb031a281b4c09af219def6072ff60dd4e921559f0bf00914edcc

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bomgar_Cleanup_ZD25944151825106 = "cmd.exe /C rd /S /Q \"C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\" & reg delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Bomgar_Cleanup_ZD25944151825106 /f"	apple-scc.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2932	apple-scc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2932	apple-scc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2932	2076	cmd.exe	31
PID 2076 wrote to memory of 2932	2076	cmd.exe	31
PID 2076 wrote to memory of 2932	2076	cmd.exe	31
PID 2076 wrote to memory of 2932	2076	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\apple-scc.exe
  apple-scc.exe -uninstall silent
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\settings.ini

Filesize
26B

MD5
93b1fbb3c4c8be07a6815fecce322a86

SHA1
420aa61aaad08ef2a76a419302061ef9961044db

SHA256
ae55e9cb6678facb36459c835a67579e23080ed1d78bb19d4a6ca1e67c4d7cb0

SHA512
50d7e8a925a2f5b9ba9bd409a7e1c4861d833f245685e814da19f585ed67f2982d627b18a69b338e1ae4827a8b204b8c7811641653457717f36d317f9f11a8a9

Download Submit
memory/2932-0-0x0000000001130000-0x0000000001405000-memory.dmp

Filesize
2.8MB

Download
memory/2932-1-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2932-29-0x0000000001130000-0x0000000001405000-memory.dmp

Filesize
2.8MB

Download