3e8d98d5d75618970deccaeeae5e39123263ff22db1ae594b08dd4109828c7d1

Resubmissions

21-08-2024 01:30

240821-bw3pdsxcnq 10

21-08-2024 01:25

240821-bs432sxbjp 10

Analysis

max time kernel
36s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc/12.exe
Size

2.1MB
MD5

4b9aec7822904baba250259c724b622c
SHA1

17dc4905dc0af0ebd9ba1c436281330ba1f5843c
SHA256

b08cb69299eea6942c44b9513a0dc817da919c7a4223a9d5db3937eb4191dbf1
SHA512

e4b9e503bad1b98fd075cd1e85d5e610ba5214abdbac0c93b0037eaec95af43d1a2948769d119be1afc3a46ff906518f17ce15697038ba42ea6d1b11b09d6c20
SSDEEP

24576:2TbBv5rUyXVSSgqY99xioaCEwQ90O+mWkGz5Fd11P5bVdYpj1YuUmeFOsHTmZzh8:IBJS5EHWkSNHKt1jZefTiwxqFumQ7H8g

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exebridgeChainAgentComponent.exe12.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	bridgeChainAgentComponent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	12.exe

Executes dropped EXE 2 IoCs

Processes:

bridgeChainAgentComponent.exefontdrvhost.exe

pid process

2428 bridgeChainAgentComponent.exe
4968 fontdrvhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

bridgeChainAgentComponent.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Defender\ja-JP\e6c9b481da804f	bridgeChainAgentComponent.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe	bridgeChainAgentComponent.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\5b884080fd4f94	bridgeChainAgentComponent.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\OfficeClickToRun.exe	bridgeChainAgentComponent.exe

Drops file in Windows directory 3 IoCs

Processes:

bridgeChainAgentComponent.exe

description	ioc	process
File created	C:\Windows\tracing\winlogon.exe	bridgeChainAgentComponent.exe
File opened for modification	C:\Windows\tracing\winlogon.exe	bridgeChainAgentComponent.exe
File created	C:\Windows\tracing\cc11b995f2a76d	bridgeChainAgentComponent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

12.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

4572 PING.EXE

pid	process
4572	PING.EXE

Modifies registry class 2 IoCs

Processes:

12.exebridgeChainAgentComponent.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	12.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	bridgeChainAgentComponent.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4572 PING.EXE

pid	process
4572	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bridgeChainAgentComponent.exe

pid	process
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe
2428	bridgeChainAgentComponent.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bridgeChainAgentComponent.exefontdrvhost.exe

description pid process

Token: SeDebugPrivilege 2428 bridgeChainAgentComponent.exe
Token: SeDebugPrivilege 4968 fontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	2428	bridgeChainAgentComponent.exe
Token: SeDebugPrivilege	4968	fontdrvhost.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

12.exeWScript.execmd.exebridgeChainAgentComponent.execmd.exe

description	pid	process	target process
PID 2888 wrote to memory of 348	2888	12.exe	WScript.exe
PID 2888 wrote to memory of 348	2888	12.exe	WScript.exe
PID 2888 wrote to memory of 348	2888	12.exe	WScript.exe
PID 348 wrote to memory of 4588	348	WScript.exe	cmd.exe
PID 348 wrote to memory of 4588	348	WScript.exe	cmd.exe
PID 348 wrote to memory of 4588	348	WScript.exe	cmd.exe
PID 4588 wrote to memory of 2428	4588	cmd.exe	bridgeChainAgentComponent.exe
PID 4588 wrote to memory of 2428	4588	cmd.exe	bridgeChainAgentComponent.exe
PID 2428 wrote to memory of 1764	2428	bridgeChainAgentComponent.exe	cmd.exe
PID 2428 wrote to memory of 1764	2428	bridgeChainAgentComponent.exe	cmd.exe
PID 1764 wrote to memory of 3520	1764	cmd.exe	chcp.com
PID 1764 wrote to memory of 3520	1764	cmd.exe	chcp.com
PID 1764 wrote to memory of 4572	1764	cmd.exe	PING.EXE
PID 1764 wrote to memory of 4572	1764	cmd.exe	PING.EXE
PID 1764 wrote to memory of 4968	1764	cmd.exe	fontdrvhost.exe
PID 1764 wrote to memory of 4968	1764	cmd.exe	fontdrvhost.exe

C:\Users\Admin\AppData\Local\Temp\dc\12.exe
"C:\Users\Admin\AppData\Local\Temp\dc\12.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ComponentfontdriverSavesmonitor\qqP01RKne28XsXFhTZTGlviAXadD7kZqYE1O95500h17VpDj4fm1.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ComponentfontdriverSavesmonitor\KRvsjnsBPaEIrVsxblV83WmWwpIsIF13L2EEiXHiELKTiR7R9O.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\ComponentfontdriverSavesmonitor\bridgeChainAgentComponent.exe
      "C:\ComponentfontdriverSavesmonitor/bridgeChainAgentComponent.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lihVJZyq2L.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3520
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4572
      - C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ComponentfontdriverSavesmonitor\KRvsjnsBPaEIrVsxblV83WmWwpIsIF13L2EEiXHiELKTiR7R9O.bat

Filesize
110B

MD5
04a4d2cd4ef7d5d4e3c70695ddcf963e

SHA1
7b9aedcf6c8b45d26a4021e9adf3d14fb9d323d5

SHA256
4793a5e63c6cdc48f1c7083645cbacf6923ca7cb070f1e6d8c51f3263c902b4b

SHA512
33fcbc37593b0651d0c3ce3880a62569fecbcc0cd8547139ce112d48c344f93f7cc880f15f84bc806af17a45acfff21e13d83d011504cf15adfd319ae0515983

Download Submit
C:\ComponentfontdriverSavesmonitor\bridgeChainAgentComponent.exe

Filesize
1.8MB

MD5
e6e8dc58732852fb2185b3a48960d126

SHA1
bbdacff433565f63f2fa0f7e164825b986bbd459

SHA256
d4d84769150f9ccd6d96e9f83a1defe8821032f11b57106f1d4174b70cc9dec7

SHA512
d00a0fe82c7fa74ee4f6fce5fbc2ee5a7da8fbc3ac5f940cec3cb059779b30bbb3612f3c4319ccfc2ca3d59d6a730d9faede90e3d3152a3e273f1cef6cfeb009

Download Submit
C:\ComponentfontdriverSavesmonitor\qqP01RKne28XsXFhTZTGlviAXadD7kZqYE1O95500h17VpDj4fm1.vbe

Filesize
260B

MD5
52c16b2e4ab850a72fafa08464c0af51

SHA1
cdfb3eab4d1778fdc2c3d3d6ea35113edadfb80e

SHA256
28c611943a3da21e7f30b90a0b18634aabceeace4e3249c879d64daf2180f1cc

SHA512
b2757d0577b0e91d6480d752ab905f8231546566441034f242d340f73d3a576a9767679ab6ed33d9d428fda5388e244ab49f8eac20c5b4bf9b899922b9b42d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\lihVJZyq2L.bat

Filesize
190B

MD5
ce1e6994b5032b3283b435afbd0de6dd

SHA1
9bef28cd4564661376c56587b8f6bf6c1b5118a4

SHA256
2316fa666809057488eaa091409c2a049c3d9ec688c3c24bb175fc337be98555

SHA512
d70f756e6a3fb6f36cc7556db0bc2070844a9a7bea050367ff6e738c09de4bc56d17ca06867feddbb404a7085d0fdfe99cc7cdafa3bb983923cad7781c331d9b

Download Submit
memory/2428-12-0x00007FFDA1343000-0x00007FFDA1345000-memory.dmp

Filesize
8KB

Download
memory/2428-13-0x00000000006C0000-0x000000000089A000-memory.dmp

Filesize
1.9MB

Download
memory/2428-15-0x00000000011D0000-0x00000000011DE000-memory.dmp

Filesize
56KB

Download
memory/2428-17-0x000000001B5E0000-0x000000001B5FC000-memory.dmp

Filesize
112KB

Download
memory/2428-18-0x000000001B650000-0x000000001B6A0000-memory.dmp

Filesize
320KB

Download
memory/2428-20-0x000000001B600000-0x000000001B618000-memory.dmp

Filesize
96KB

Download
memory/2428-22-0x00000000011E0000-0x00000000011EC000-memory.dmp

Filesize
48KB

Download