bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
Size

1.6MB
MD5

6859839bca334b519de5bf66776171cb
SHA1

2d1428485997bb5e9f89735fe57ba8e83bde1df8
SHA256

bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d
SHA512

0a0c94371dc237dc2ff025ff72e91dd5e48aa440c5936c4798ed99c0dbcce08f784a71661c269bdffdc898fd89e25866be47a66e91c213ba5b743292aa865e3c
SSDEEP

24576:x1wQ2xJz6Mn2qMeqm3m+mBa+EGgwZc5W7qTBNiT8L+X+phmgJ7i:Lw1Jz6efR3m+MEGgSCBNiT86XKhmI

Score

7^/10

upx vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2760	obs-browser-page.exe
2168	obs-browser-page.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2760-28-0x0000000180000000-0x0000000180066000-memory.dmp	upx
behavioral1/memory/2760-39-0x0000000180000000-0x0000000180066000-memory.dmp	upx
behavioral1/memory/2760-32-0x0000000180000000-0x0000000180066000-memory.dmp	upx
behavioral1/memory/2760-31-0x0000000180000000-0x0000000180066000-memory.dmp	upx

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000700000001934d-14.dat	vmprotect
behavioral1/memory/2760-24-0x000007FEF7660000-0x000007FEF7739000-memory.dmp	vmprotect
behavioral1/memory/2760-25-0x000007FEF7660000-0x000007FEF7739000-memory.dmp	vmprotect
behavioral1/memory/2760-51-0x000007FEF7660000-0x000007FEF7739000-memory.dmp	vmprotect
behavioral1/memory/2168-57-0x000007FEF77F0000-0x000007FEF78C9000-memory.dmp	vmprotect
behavioral1/memory/2168-58-0x000007FEF77F0000-0x000007FEF78C9000-memory.dmp	vmprotect
behavioral1/memory/2168-75-0x000007FEF77F0000-0x000007FEF78C9000-memory.dmp	vmprotect

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2760 set thread context of 2908	2760	obs-browser-page.exe	35
PID 832 set thread context of 2288	832	svchost.exe	38
PID 2288 set thread context of 2924	2288	svchost.exe	39

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\~MHZ	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
3056	bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
2760	obs-browser-page.exe
2908	svchost.exe
2908	svchost.exe
2168	obs-browser-page.exe
832	svchost.exe
832	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2924	dllhost.exe
2924	dllhost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	svchost.exe
Token: SeTcbPrivilege	2908	svchost.exe
Token: SeAuditPrivilege	832	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2908	2760	obs-browser-page.exe	35
PID 2760 wrote to memory of 2908	2760	obs-browser-page.exe	35
PID 2760 wrote to memory of 2908	2760	obs-browser-page.exe	35
PID 2760 wrote to memory of 2908	2760	obs-browser-page.exe	35
PID 2760 wrote to memory of 2908	2760	obs-browser-page.exe	35
PID 2760 wrote to memory of 2908	2760	obs-browser-page.exe	35
PID 2188 wrote to memory of 2168	2188	taskeng.exe	37
PID 2188 wrote to memory of 2168	2188	taskeng.exe	37
PID 2188 wrote to memory of 2168	2188	taskeng.exe	37
PID 2168 wrote to memory of 832	2168	obs-browser-page.exe	13
PID 2168 wrote to memory of 832	2168	obs-browser-page.exe	13
PID 2168 wrote to memory of 832	2168	obs-browser-page.exe	13
PID 832 wrote to memory of 2288	832	svchost.exe	38
PID 832 wrote to memory of 2288	832	svchost.exe	38
PID 832 wrote to memory of 2288	832	svchost.exe	38
PID 832 wrote to memory of 2288	832	svchost.exe	38
PID 832 wrote to memory of 2288	832	svchost.exe	38
PID 832 wrote to memory of 2288	832	svchost.exe	38
PID 2288 wrote to memory of 2924	2288	svchost.exe	39
PID 2288 wrote to memory of 2924	2288	svchost.exe	39
PID 2288 wrote to memory of 2924	2288	svchost.exe	39
PID 2288 wrote to memory of 2924	2288	svchost.exe	39
PID 2288 wrote to memory of 2924	2288	svchost.exe	39
PID 2288 wrote to memory of 2924	2288	svchost.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\system32\taskeng.exe
  taskeng.exe {4FFF4EE4-4F95-46FD-89CD-33B656C77016} S-1-5-18:NT AUTHORITY\System:Service:
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\system32\WinDefScan\obs-browser-page.exe
    C:\Windows\system32\WinDefScan\obs-browser-page.exe -svc
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2168
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2924

C:\Users\Admin\AppData\Local\Temp\bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
"C:\Users\Admin\AppData\Local\Temp\bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Windows\system32\cmd.exe
cmd /c copy C:\Windows\temp\259458772 C:\obs-browser-page.exe
1⤵
PID:2768

C:\Windows\system32\cmd.exe
cmd /c copy C:\Windows\temp\259458881 C:\libcef.dll
1⤵
PID:2828

C:\Windows\system32\cmd.exe
cmd /c copy C:\Windows\temp\259458990 C:\libcef.dat
1⤵
PID:2680

C:\obs-browser-page.exe
C:\obs-browser-page.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -Install
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\temp\259458772

Filesize
514KB

MD5
c89b9fb97d02ac079a45725b3dfb54d4

SHA1
773d823a3304dad9a9e39e2227fba116370f4af7

SHA256
ec605cc14c60e30682e84ec87d19034f7bd1399025ca11fbf3c4adeed85fadf0

SHA512
495381374990c8613f4d97efb30f561e4b4d3a54794e93ea373695df70556e70ac7883f77dc2c7cee2a681d71f07a90b092e1394bc15f8329eda9923bb5dfb5e

Download Submit
C:\Windows\temp\259458881

Filesize
579KB

MD5
e40e24cbe6cface80087910c49344ab9

SHA1
60e4fff4073030d0fa7eadf5ce718e4272545043

SHA256
1be1771b0c93e1a4c7c97e95dc18aad5842c9046bd75f4794f2439ffd07545b6

SHA512
0ef03f1d6a226d5fb1ca026fefb50c04ef510f8fdec2743b5490ee55905bb318f47efd1d8b53614ec907c6b60150fe23d840bd62519abcfb81f94895c74e5763

Download Submit
C:\Windows\temp\259458990

Filesize
190KB

MD5
85ed07c782f6eef1c9ee20bdf1b48dfd

SHA1
d47758ab5d1d832703ed95e366b2662865457808

SHA256
04750a2e16673314deb356d2c0209356eff1711c7eb3e69f764528a4ab742318

SHA512
fb36eb0d903d63fed04029675eee8cb0c41946e72ee4272ccf127801bb36d72a909997909856f385afacbc42c4cfe745f9597f0e1b92496943dfb58c45a0824f

Download Submit
memory/832-71-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2168-57-0x000007FEF77F0000-0x000007FEF78C9000-memory.dmp

Filesize
868KB

Download
memory/2168-75-0x000007FEF77F0000-0x000007FEF78C9000-memory.dmp

Filesize
868KB

Download
memory/2168-65-0x0000000077360000-0x0000000077509000-memory.dmp

Filesize
1.7MB

Download
memory/2168-58-0x000007FEF77F0000-0x000007FEF78C9000-memory.dmp

Filesize
868KB

Download
memory/2760-51-0x000007FEF7660000-0x000007FEF7739000-memory.dmp

Filesize
868KB

Download
memory/2760-40-0x0000000077361000-0x0000000077462000-memory.dmp

Filesize
1.0MB

Download
memory/2760-39-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2760-24-0x000007FEF7660000-0x000007FEF7739000-memory.dmp

Filesize
868KB

Download
memory/2760-25-0x000007FEF7660000-0x000007FEF7739000-memory.dmp

Filesize
868KB

Download
memory/2760-33-0x0000000077360000-0x0000000077509000-memory.dmp

Filesize
1.7MB

Download
memory/2760-32-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2760-31-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2760-28-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2908-48-0x0000000077360000-0x0000000077509000-memory.dmp

Filesize
1.7MB

Download
memory/2908-46-0x0000000077360000-0x0000000077509000-memory.dmp

Filesize
1.7MB

Download
memory/2908-55-0x0000000077360000-0x0000000077509000-memory.dmp

Filesize
1.7MB

Download
memory/2908-37-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2908-47-0x0000000077360000-0x0000000077509000-memory.dmp

Filesize
1.7MB

Download
memory/2908-34-0x0000000000070000-0x00000000000A0000-memory.dmp

Filesize
192KB

Download
memory/2908-35-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/3056-0-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/3056-1-0x0000000180000000-0x0000000180036000-memory.dmp

Filesize
216KB

Download