686f76c2a283db1cfdc79ed605c41c2ca1913f5d4f515643fc939395f80490ca

General

Target

686f76c2a283db1cfdc79ed605c41c2ca1913f5d4f515643fc939395f80490ca.exe
Size

1.9MB
MD5

79d7dd4400288279ece780e707a911ac
SHA1

40a0ac3d2ff4534ca9282ea1684dec6ab60779e9
SHA256

686f76c2a283db1cfdc79ed605c41c2ca1913f5d4f515643fc939395f80490ca
SHA512

c7eb3c5fbbe576645caeba85be887d3bc267445188561e70401e88f791c355184fb218fd38b3d4b2019d57ab0e1fc8a5ab9a362ab6b94ca1fe8136427ef5078a
SSDEEP

24576:2TbBv5rUyXVcVJZE3O6g58ZPND7ugL+m8GTmm3MYG+rnmq9LRosKjkPSrKu0v1wR:IBJcmOGug7VTcT4mCRocSNdR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2636	BridgeBlockContainerRuntime.exe
2464	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2528	cmd.exe
2528	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\c5b4cb5e9653cc	BridgeBlockContainerRuntime.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\services.exe	BridgeBlockContainerRuntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	686f76c2a283db1cfdc79ed605c41c2ca1913f5d4f515643fc939395f80490ca.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2984	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2984	PING.EXE

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2636	BridgeBlockContainerRuntime.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe
2464	spoolsv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2464	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	BridgeBlockContainerRuntime.exe
Token: SeDebugPrivilege	2464	spoolsv.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2760	3040	686f76c2a283db1cfdc79ed605c41c2ca1913f5d4f515643fc939395f80490ca.exe	30
PID 3040 wrote to memory of 2760	3040	686f76c2a283db1cfdc79ed605c41c2ca1913f5d4f515643fc939395f80490ca.exe	30
PID 3040 wrote to memory of 2760	3040	686f76c2a283db1cfdc79ed605c41c2ca1913f5d4f515643fc939395f80490ca.exe	30
PID 3040 wrote to memory of 2760	3040	686f76c2a283db1cfdc79ed605c41c2ca1913f5d4f515643fc939395f80490ca.exe	30
PID 2760 wrote to memory of 2528	2760	WScript.exe	31
PID 2760 wrote to memory of 2528	2760	WScript.exe	31
PID 2760 wrote to memory of 2528	2760	WScript.exe	31
PID 2760 wrote to memory of 2528	2760	WScript.exe	31
PID 2528 wrote to memory of 2636	2528	cmd.exe	33
PID 2528 wrote to memory of 2636	2528	cmd.exe	33
PID 2528 wrote to memory of 2636	2528	cmd.exe	33
PID 2528 wrote to memory of 2636	2528	cmd.exe	33
PID 2636 wrote to memory of 3016	2636	BridgeBlockContainerRuntime.exe	34
PID 2636 wrote to memory of 3016	2636	BridgeBlockContainerRuntime.exe	34
PID 2636 wrote to memory of 3016	2636	BridgeBlockContainerRuntime.exe	34
PID 3016 wrote to memory of 2964	3016	cmd.exe	36
PID 3016 wrote to memory of 2964	3016	cmd.exe	36
PID 3016 wrote to memory of 2964	3016	cmd.exe	36
PID 3016 wrote to memory of 2984	3016	cmd.exe	37
PID 3016 wrote to memory of 2984	3016	cmd.exe	37
PID 3016 wrote to memory of 2984	3016	cmd.exe	37
PID 3016 wrote to memory of 2464	3016	cmd.exe	38
PID 3016 wrote to memory of 2464	3016	cmd.exe	38
PID 3016 wrote to memory of 2464	3016	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\686f76c2a283db1cfdc79ed605c41c2ca1913f5d4f515643fc939395f80490ca.exe
"C:\Users\Admin\AppData\Local\Temp\686f76c2a283db1cfdc79ed605c41c2ca1913f5d4f515643fc939395f80490ca.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\componentbrokernet\8TuIVkBC8udAUaP0Rc2MpVeb7zFdLU6vNcbxXlVW8.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\componentbrokernet\mL3g.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\componentbrokernet\BridgeBlockContainerRuntime.exe
      "C:\componentbrokernet/BridgeBlockContainerRuntime.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LU7icOVmaG.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2964
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2984
      - C:\componentbrokernet\spoolsv.exe
        
        "C:\componentbrokernet\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LU7icOVmaG.bat

Filesize
161B

MD5
ecd847e5e614131f00558edc07fd8d37

SHA1
88f7e3a1a2ea3f24fe24100622db99e58446eb4b

SHA256
a8a78bd7f0cc3fa78e663134fbb8a7cd6e055bdcd41638e3e63061ac4692d084

SHA512
5e1a1a6061c907c8f2c4aa41c39814ff976a95ec193721298dbf2771d8fad8c9c2fd7d6eb3961c20ccf06c2a2d062fae2741549ae9ba8329341fabf0746abff6

Download Submit
C:\componentbrokernet\8TuIVkBC8udAUaP0Rc2MpVeb7zFdLU6vNcbxXlVW8.vbe

Filesize
200B

MD5
25df5f3232c0133e1faaf48085b264d7

SHA1
03560488b8aa802ae3665b9bf9ca4436f1065933

SHA256
4c9439f92cc3953f454c8bc58271edc9cadeda8610952c9e67f786c192bda5d9

SHA512
ac2102fe76c14db3eca1044d8d38bc7722b1e59731dd88b6c23fde3458db54d0eb3e76ad42e267d0953e4fd8938887fa1de84fa9f00c6ad4df3fc4b7fb1543ba

Download Submit
C:\componentbrokernet\BridgeBlockContainerRuntime.exe

Filesize
1.6MB

MD5
0c240a7d7bc13d6d2891cb5214a2d006

SHA1
5ba479c284ca1df322ca13cb760320a2378e3c65

SHA256
5b0082b78172c0ea4274c777a3d5b94e568523e79d2fc897d122a0474f6dd52d

SHA512
81bf288c882abf9480c033494c79b62e5ab856f11e9284ab4e4f1f98b094ad0a3cc5fe2be70578591e04932df855d15f6d2bbb2562592800be7926669e8e87ee

Download Submit
C:\componentbrokernet\mL3g.bat

Filesize
104B

MD5
619e812e9a3821ada2f1158d6524323c

SHA1
9b0c8ef31e5ab144718e1400773120e32353e098

SHA256
68d4338917dd4dd49ecf9d6171aef03f49ffa9c4320f46cc01a3208f2ba5377e

SHA512
ccd05ecd1598ed7bbb85a28c9594f5d0521dd0d792c9f6ad17a87fd9192c07afdf8c212ac7ab180e149ebfbb19fc51d48753a097c1acf1385ee131e4bfdfa783

Download Submit
memory/2464-34-0x0000000000030000-0x00000000001CA000-memory.dmp

Filesize
1.6MB

Download
memory/2636-13-0x00000000008F0000-0x0000000000A8A000-memory.dmp

Filesize
1.6MB

Download
memory/2636-15-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads