Overview

overview

8

Static

static

3

bf2db65e6e...af.exe

windows7-x64

8

bf2db65e6e...af.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    141s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2024, 04:11

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bf2db65e6efe2e2f0020ac57f62ace1ad3381b1987e9852cc1ebd000cd2edcaf.exe

  • Size

    3.7MB

  • MD5

    e64f2843d6482a2a929b0467b708032c

  • SHA1

    c58dcf7267325d6d129e80fa991217bb4aa2cfd5

  • SHA256

    bf2db65e6efe2e2f0020ac57f62ace1ad3381b1987e9852cc1ebd000cd2edcaf

  • SHA512

    ed1c4b6a80e16c489022a57f03436737df120faefeabeb9acb1cd24a3cc8c185bc78fd26d7db74d0151dbfefb13f68e3d75d69c6ee11d61e30687707af9a8593

  • SSDEEP

    98304:k4wc3evzvh7phFW/Qwk8khbNqk9mgHdk6K1bD1:PwcipFW/Qw7ob0gH6F/1

Score
8/10
defense_evasiondiscoveryevasion

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf2db65e6efe2e2f0020ac57f62ace1ad3381b1987e9852cc1ebd000cd2edcaf.exe
    "C:\Users\Admin\AppData\Local\Temp\bf2db65e6efe2e2f0020ac57f62ace1ad3381b1987e9852cc1ebd000cd2edcaf.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Windows\SysWOW64\attrib.exe
      attrib +a +s +h +r C:\Windows\Debug\scchost.exe
      2⤵
      • Sets file to hidden
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Views/modifies file attributes
      PID:2500
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BF2DB6~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2348
  • C:\Windows\Debug\scchost.exe
    C:\Windows\Debug\scchost.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    PID:2056

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\Debug\scchost.exe
          Filesize

          3.7MB

          MD5

          f0b0ad0a8e566076344e5de4d525e2bc

          SHA1

          bd41f85ad8362a7d38e698debe99ce36833efda7

          SHA256

          0028cef7019e9b8ec02b39dbb8870bf6589b09ea0211a8915325591eaebee6d0

          SHA512

          00f2e3719e44802a3b17024317f1e06fb2d8cec642d61c958bcd3ebe563b9838b7f945c10d6fb8d38ce2d511ca9e0368c2c3f87dbdfec10cc5b9792c19bd6e87

          Download Submit