Overview
Static

Score  Sample     Platform
10     dc/10.exe  windows10-2004-x64
10     dc/12.exe  windows10-2004-x64
7      dc/13.exe  windows10-2004-x64
10     dc/15.exe  windows10-2004-x64
8      dc/16.exe  windows10-2004-x64
10     dc/17.exe  windows10-2004-x64
3      dc/19.exe  windows10-2004-x64
10     dc/22.exe  windows10-2004-x64
10     dc/23.exe  windows10-2004-x64
10     dc/3.exe   windows10-2004-x64
10     dc/4.exe   windows10-2004-x64
3      dc/5.exe   windows10-2004-x64
10     dc/6.exe   windows10-2004-x64
10     dc/7.exe   windows10-2004-x64
9      dc/9.exe   windows10-2004-x64
Analysis

max time kernel: 36s
max time network: 62s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-08-2024 01:25
Behavioral tasks

Task          Sample     Resource
behavioral1   dc/10.exe  win10v2004-20240802-en
behavioral2   dc/12.exe  win10v2004-20240802-en
behavioral3   dc/13.exe  win10v2004-20240802-en
behavioral4   dc/15.exe  win10v2004-20240802-en
behavioral5   dc/16.exe  win10v2004-20240802-en
behavioral6   dc/17.exe  win10v2004-20240802-en
behavioral7   dc/19.exe  win10v2004-20240802-en
behavioral8   dc/22.exe  win10v2004-20240802-en
behavioral9   dc/23.exe  win10v2004-20240802-en
behavioral10  dc/3.exe   win10v2004-20240802-en
behavioral11  dc/4.exe   win10v2004-20240802-en
behavioral12  dc/5.exe   win10v2004-20240802-en
behavioral13  dc/6.exe   win10v2004-20240802-en
behavioral14  dc/7.exe   win10v2004-20240802-en
behavioral15  dc/9.exe   win10v2004-20240802-en
General

Target: dc/12.exe
Size: 2.1MB
MD5: 4b9aec7822904baba250259c724b622c
SHA1: 17dc4905dc0af0ebd9ba1c436281330ba1f5843c
SHA256: b08cb69299eea6942c44b9513a0dc817da919c7a4223a9d5db3937eb4191dbf1
SHA512: e4b9e503bad1b98fd075cd1e85d5e610ba5214abdbac0c93b0037eaec95af43d1a2948769d119be1afc3a46ff906518f17ce15697038ba42ea6d1b11b09d6c20
SSDEEP: 24576:2TbBv5rUyXVSSgqY99xioaCEwQ90O+mWkGz5Fd11P5bVdYpj1YuUmeFOsHTmZzh8:IBJS5EHWkSNHKt1jZefTiwxqFumQ7H8g
Malware Config
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation (WScript.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation (bridgeChainAgentComponent.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation (12.exe)

Executes dropped EXE (2 IoCs)
  PID 2428 bridgeChainAgentComponent.exe
  PID 4968 fontdrvhost.exe

Drops file in Program Files directory (4 IoCs)
  File created: C:\Program Files (x86)\Windows Defender\ja-JP\e6c9b481da804f (bridgeChainAgentComponent.exe)
  File created: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe (bridgeChainAgentComponent.exe)
  File created: C:\Program Files\Microsoft Office 15\ClientX64\5b884080fd4f94 (bridgeChainAgentComponent.exe)
  File created: C:\Program Files (x86)\Windows Defender\ja-JP\OfficeClickToRun.exe (bridgeChainAgentComponent.exe)

Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\tracing\winlogon.exe (bridgeChainAgentComponent.exe)
  File opened for modification: C:\Windows\tracing\winlogon.exe (bridgeChainAgentComponent.exe)
  File created: C:\Windows\tracing\cc11b995f2a76d (bridgeChainAgentComponent.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (12.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WScript.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
  PID 4572 PING.EXE

Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings (12.exe)
  Key created: \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings (bridgeChainAgentComponent.exe)

Runs ping.exe (1 TTP, 1 IoC)
  PID 4572 PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2428 bridgeChainAgentComponent.exe (64 events, all from the same process)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2428 bridgeChainAgentComponent.exe
  Token: SeDebugPrivilege, PID 4968 fontdrvhost.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  PID 2888 (12.exe) wrote to memory of 348 [procid_target 86] (3 events)
  PID 348 (WScript.exe) wrote to memory of 4588 [procid_target 94] (3 events)
  PID 4588 (cmd.exe) wrote to memory of 2428 [procid_target 96] (2 events)
  PID 2428 (bridgeChainAgentComponent.exe) wrote to memory of 1764 [procid_target 97] (2 events)
  PID 1764 (cmd.exe) wrote to memory of 3520 [procid_target 99] (2 events)
  PID 1764 (cmd.exe) wrote to memory of 4572 [procid_target 100] (2 events)
  PID 1764 (cmd.exe) wrote to memory of 4968 [procid_target 103] (2 events)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\dc\12.exe (PID 2888)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc\12.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WScript.exe (PID 348)
    Command line: "C:\Windows\System32\WScript.exe" "C:\ComponentfontdriverSavesmonitor\qqP01RKne28XsXFhTZTGlviAXadD7kZqYE1O95500h17VpDj4fm1.vbe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe (PID 4588)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\ComponentfontdriverSavesmonitor\KRvsjnsBPaEIrVsxblV83WmWwpIsIF13L2EEiXHiELKTiR7R9O.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\ComponentfontdriverSavesmonitor\bridgeChainAgentComponent.exe (PID 2428)
        Command line: "C:\ComponentfontdriverSavesmonitor/bridgeChainAgentComponent.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\System32\cmd.exe (PID 1764)
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lihVJZyq2L.bat"
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Windows\system32\chcp.com (PID 3520)
            Command line: chcp 65001

          Level 6: C:\Windows\system32\PING.EXE (PID 4572)
            Command line: ping -n 10 localhost
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

          Level 6: C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe (PID 4968)
            Command line: "C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads