8973a3e4e15578324207b900fb18fed2dfde1a0bbd2812342c7f8afaf55f9895

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BadCopy-v4.10b1215/BadCopy Pro 4.10 Build 1215.exe
Size

869KB
MD5

652324a9189c505fa05b9ae822ddf096
SHA1

eb6100f0842a6096614331d99ba36fd9964138c9
SHA256

6bca31e8849861f2999850e55e2b37ff4d49945694d2a08dfc1e1c33e62bef58
SHA512

e95f2fa7bf6caed002904985a14d94b536578d355c0c4c2c61f64e9a7338ba0d2ddd642f5c574c95ae9d8256fc8d4df4e846ce4de28c0439f8610d4dfb1420b0
SSDEEP

12288:n1Bv/ny2kuJSsSkkY5CFq0lHoPYpk13HEBj9PW8wTbZ/zHmjhWy30VTfUsee25lL:/ny2BSeZY3o3HepPWBb9HahJTsy5d

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3664	GLBA6DF.tmp

Loads dropped DLL 3 IoCs

pid	Process
3664	GLBA6DF.tmp
3664	GLBA6DF.tmp
3664	GLBA6DF.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLBA6DF.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadCopy Pro 4.10 Build 1215.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLBA6DF.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 3664	3876	BadCopy Pro 4.10 Build 1215.exe	86
PID 3876 wrote to memory of 3664	3876	BadCopy Pro 4.10 Build 1215.exe	86
PID 3876 wrote to memory of 3664	3876	BadCopy Pro 4.10 Build 1215.exe	86

C:\Users\Admin\AppData\Local\Temp\BadCopy-v4.10b1215\BadCopy Pro 4.10 Build 1215.exe
"C:\Users\Admin\AppData\Local\Temp\BadCopy-v4.10b1215\BadCopy Pro 4.10 Build 1215.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\GLBA6DF.tmp
  C:\Users\Admin\AppData\Local\Temp\GLBA6DF.tmp 4736 C:\Users\Admin\AppData\Local\Temp\BADCOP~1.10B\BADCOP~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GLBA6DF.tmp

Filesize
70KB

MD5
b587faf0337ef0a5b8dd5869711904df

SHA1
5827a10b8b3fb25a7e69595918bdc8fdf495e4ce

SHA256
7532fb59f9ca7af45781f013497eea2ca32043d7fd8a4cbb78d9df7539327f6f

SHA512
c5f30530ca7289b7d5c7096a4abe6bb7f39979bbf757918a1d68b1e2ae975cf343de00a8484e81499443d77f4e92a7cd46491f55df25b7bcb54dc260b51947b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLCA7B9.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLKA7DA.tmp

Filesize
30KB

MD5
3df61e5730883b2d338addd7acbe4bc4

SHA1
03166e6230231e7e3583cf9c8944f4967aa1bf1b

SHA256
2efe9a54c8eb878711d9b6cd18f276838645aff52fe69d8a864376cb258ec616

SHA512
36e9d705d22dad3d952b4da578a990f2b63ec2f9fbf2734efdaea9ecbd4f07a8d7232792eb5bdd81c553354d51334993cb6103c377f3483a680eac9e41cd2087

Download Submit