fd937f04296fc793ecbabfd7fd922e4eef22d6ecd960746a5365bd43ac7d30ea

Analysis

max time kernel
143s
max time network
125s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ce43ba6d40a1f2af9121074154efc09.exe
Size

933KB
MD5

6ce43ba6d40a1f2af9121074154efc09
SHA1

74ef1e7cd2b830c0c6aab09504100a02f673e69e
SHA256

fd937f04296fc793ecbabfd7fd922e4eef22d6ecd960746a5365bd43ac7d30ea
SHA512

5ad5460442e12a3598bd9a810d74013791da6d95fd2a109f0f12f1218c744dd9d7d75af9f21009e0006284075146c26cb1fce8e5d113ecf3cef9baa21c2f464f
SSDEEP

24576:1LoNtxyC55K6hkpSMK9Dp5rby2wpxZ4E+DD:ZoNtkMLKwpFu2ExZ4EG

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
580	Copy of PDFReader.exe
1548	BFPD.exe

Loads dropped DLL 7 IoCs

pid	Process
2220	6ce43ba6d40a1f2af9121074154efc09.exe
580	Copy of PDFReader.exe
580	Copy of PDFReader.exe
580	Copy of PDFReader.exe
1548	BFPD.exe
1548	BFPD.exe
1548	BFPD.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BFPD Agent = "C:\\Windows\\28463\\BFPD.exe"	BFPD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\28463\BFPD.009	BFPD.exe
File created	C:\Windows\28463\BFPD.001	Copy of PDFReader.exe
File created	C:\Windows\28463\BFPD.006	Copy of PDFReader.exe
File created	C:\Windows\28463\BFPD.007	Copy of PDFReader.exe
File created	C:\Windows\28463\BFPD.exe	Copy of PDFReader.exe
File opened for modification	C:\Windows\28463	BFPD.exe
File created	C:\Windows\28463\BFPD.009	BFPD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ce43ba6d40a1f2af9121074154efc09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Copy of PDFReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BFPD.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	2220	6ce43ba6d40a1f2af9121074154efc09.exe
Token: SeIncBasePriorityPrivilege	2220	6ce43ba6d40a1f2af9121074154efc09.exe
Token: 33	2220	6ce43ba6d40a1f2af9121074154efc09.exe
Token: SeIncBasePriorityPrivilege	2220	6ce43ba6d40a1f2af9121074154efc09.exe
Token: 33	2220	6ce43ba6d40a1f2af9121074154efc09.exe
Token: SeIncBasePriorityPrivilege	2220	6ce43ba6d40a1f2af9121074154efc09.exe
Token: 33	2220	6ce43ba6d40a1f2af9121074154efc09.exe
Token: SeIncBasePriorityPrivilege	2220	6ce43ba6d40a1f2af9121074154efc09.exe
Token: 33	580	Copy of PDFReader.exe
Token: SeIncBasePriorityPrivilege	580	Copy of PDFReader.exe
Token: 33	1548	BFPD.exe
Token: SeIncBasePriorityPrivilege	1548	BFPD.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1548	BFPD.exe
1548	BFPD.exe
1548	BFPD.exe
1548	BFPD.exe
1548	BFPD.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 580	2220	6ce43ba6d40a1f2af9121074154efc09.exe	30
PID 2220 wrote to memory of 580	2220	6ce43ba6d40a1f2af9121074154efc09.exe	30
PID 2220 wrote to memory of 580	2220	6ce43ba6d40a1f2af9121074154efc09.exe	30
PID 2220 wrote to memory of 580	2220	6ce43ba6d40a1f2af9121074154efc09.exe	30
PID 580 wrote to memory of 1548	580	Copy of PDFReader.exe	31
PID 580 wrote to memory of 1548	580	Copy of PDFReader.exe	31
PID 580 wrote to memory of 1548	580	Copy of PDFReader.exe	31
PID 580 wrote to memory of 1548	580	Copy of PDFReader.exe	31

C:\Users\Admin\AppData\Local\Temp\6ce43ba6d40a1f2af9121074154efc09.exe
"C:\Users\Admin\AppData\Local\Temp\6ce43ba6d40a1f2af9121074154efc09.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.04.20T13.47\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Copy of PDFReader.exe
  "C:\Users\Admin\AppData\Local\Temp\Copy of PDFReader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.04.20T13.47\Native\STUBEXE\@WINDIR@\28463\BFPD.exe
    "C:\Windows\28463\BFPD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\28463\BFPD.001

Filesize
392B

MD5
141d13aa130a4542f0deba33b2e3af80

SHA1
b6bc5ac9897c53cdcb15f6dd7c7b67b8700361ce

SHA256
03f3429fdac12b6a0f33a13779d04f5f8f67902e9ab748c476b0ab775381c78d

SHA512
96bc949634afe33556c7925e7a6262a4b1fa462076fabbe8f06351826b2ba92efbbeed57f4acaa3c957a6e359dbe81c9ba6014dd24f72609703539ae6d5ffe57

Download Submit
C:\Windows\28463\BFPD.006

Filesize
8KB

MD5
911a5a213762001178a48b2ceefa1880

SHA1
de9b25ac58e893397ab9ad3331bd922bbd5043ae

SHA256
273375c7be87b6da793320ee25ea08967bf8cb43e6213e4af94955e565afabc9

SHA512
cc4f95dc64085033a6f5308d61bce83991a8949ec89513fa0428527b6c20f40bc4ce0b323da3020f405f29bf3fcf703722082247f591568d39e8e355543f04c9

Download Submit
C:\Windows\28463\BFPD.007

Filesize
5KB

MD5
2183e6a435b000fc6e85b712513c3480

SHA1
c088b82494aaeca23a5acfaf83f55597bd0bdc6e

SHA256
9a1a58cea0b0cfe3479d29bb39b0a5af0ee75fbd94254529ad28f2e54aec30e5

SHA512
94ffbd46b10cf71ea59d3d44ceece691d7d50e8e111e330d44346f1e56e62d7a3b5c375917494fff89966d0ea5fc562d45b14b983269eba72b2831abce7a1afe

Download Submit
C:\Windows\28463\BFPD.exe

Filesize
602KB

MD5
8459b0ba642d016c60571a3ad31e6ec8

SHA1
19a7f23f7eee39ed4217ec44ef46b899eabc32c2

SHA256
e859bf35940f45fab38d28c824ae1eabc16adbc98ff09bf579f09765c0e88655

SHA512
812dca12499fd93627ef3a2a848f4a74be1009b2ebca29b5abe4218923338f5db753f573982dc7d8b4b4a3e0f8cf59748070394b2ae2f0f52c030ecc5c964e0d

Download Submit
\Users\Admin\AppData\Local\Temp\@1352.tmp

Filesize
4KB

MD5
b89311bdf4e6640cc9051e629476cbe4

SHA1
ced30235482232b045cd5d8004e8ead01b30f9ca

SHA256
db0e9d83d8a5309ae4ab4747ff6ce506a2f85b01a598caad697a69b3ddb557a1

SHA512
8e71c2238e23cd793feb061736d00f8aea0002f79e2632093529ed6242f9af2a99baa598d58c04bbc9c02715d7f18955ae88334e39caa2978e88904cf27911d4

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.04.20T13.47\Native\STUBEXE\@WINDIR@\28463\BFPD.exe

Filesize
17KB

MD5
caedbef14db713fe397c315411e3ca07

SHA1
721b0cd536549c24eb5050017f27220cdc1948e2

SHA256
d131f091cf506a26ac30368fbeb75fc03b883c0fb136f0809eaa7b141afc5864

SHA512
a77034166750b59e833a1be7f5378c4900d9509862611c30c72cf8f9d426c01d50c9419438a9cf8bc8888bd54319b58f88b15e7d4e25d8249692e6ed6708498d

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.04.20T13.47\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Copy of PDFReader.exe

Filesize
17KB

MD5
06e746bbd24495581a5cca7436fca56b

SHA1
66629b8c87f6eedcccf5f6376c08128950efa824

SHA256
0f18c4d5eac6035a96b8d39ee9044c02de760075712d418b4355bc0aa4894b3d

SHA512
d73ffa655b334c33e60e1b103cf310b9879e1c52143e375f9a121c6ec61adbb47f4c0dcc9f7991076188ee90920a9cc099d3fde32df71a8ffe6d7992439963da

Download Submit
memory/1548-942-0x00000000021F0000-0x00000000022DB000-memory.dmp

Filesize
940KB

Download
memory/1548-951-0x00000000021F0000-0x00000000022DB000-memory.dmp

Filesize
940KB

Download
memory/2220-66-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-57-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-15-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-13-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-11-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-9-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-7-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-5-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-3-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-1-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-0-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-72-0x0000000076EE0000-0x0000000076EE1000-memory.dmp

Filesize
4KB

Download
memory/2220-89-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-96-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-80-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-70-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-68-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-19-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-64-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-61-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-59-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-17-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-55-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-50-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-51-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-48-0x0000000076EE0000-0x0000000076EE1000-memory.dmp

Filesize
4KB

Download
memory/2220-46-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-44-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-42-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-37-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-35-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-33-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-32-0x0000000076EE0000-0x0000000076EE1000-memory.dmp

Filesize
4KB

Download
memory/2220-31-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-216-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-99-0x0000000076EE0000-0x0000000076EE1000-memory.dmp

Filesize
4KB

Download
memory/2220-98-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-205-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-943-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-21-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-23-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-25-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/2220-27-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads