Overview

overview

7

Static

static

3

bce94981e9...81.exe

windows7-x64

7

bce94981e9...81.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-09-2024 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe

  • Size

    4.0MB

  • MD5

    55a2312d6062e5bac6c5f62a0ee42fa2

  • SHA1

    2271954571874366b20b329f202735959361a01c

  • SHA256

    bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481

  • SHA512

    f9ec8f21b68dcec5e9c8916e87a1395a84efbcac8aae67b0c8c171391ac301ea330d47fa352fdcf60db78a979e9e6c380a6ae9a526772878b5a46fc16d0c2ced

  • SSDEEP

    98304:ylxy6buzFyyqatrjLQsf10YsOR+iI5XEcP8e:cxmR4atrYsNdx3I5Xse

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe
    "C:\Users\Admin\AppData\Local\Temp\bce94981e91d899f670e4aa9b06e51f1bbff4960751481b373c119c8373ed481.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProviderWebSavesNet\KzpapvVcbVWl7x3kYPCfes0ojKXptfYw4GAjwTs.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\ProviderWebSavesNet\4m3MAufDe8UYuW2ydRhKZQEREfiJBHvyHq5AIcSjywzlT6BxOyJV1br81hHR.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\ProviderWebSavesNet\hostcrt.exe
          "C:\ProviderWebSavesNet/hostcrt.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OhkmqXoi0I.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1596
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:2848
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2224
              • C:\ProviderWebSavesNet\csrss.exe
                "C:\ProviderWebSavesNet\csrss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2788

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProviderWebSavesNet\4m3MAufDe8UYuW2ydRhKZQEREfiJBHvyHq5AIcSjywzlT6BxOyJV1br81hHR.bat
      Filesize

      82B

      MD5

      22b3050e40cced02d2a2149a4ff4c740

      SHA1

      bbf5353903fecf327fefed64ea5682aa62ae6d3b

      SHA256

      279a77eff83aead5bc84ae074b51e9d31b582822e581ad09b96901c52c8fad5c

      SHA512

      3d2ca66d370e10bc13dbcc84145cc11bd524853ffc9e493be7ac26a0dcfb7253dd76def55ca3de2b4c493be412287f49da9aa074cd3cc13c072e2d7f0ddac59c

      Download Submit

    • C:\ProviderWebSavesNet\KzpapvVcbVWl7x3kYPCfes0ojKXptfYw4GAjwTs.vbe
      Filesize

      257B

      MD5

      2da89fb4c9e3dbdb93495a409f2c4174

      SHA1

      d22186a88e8ebe609dad2ec8f0bb39df314114c7

      SHA256

      4e65e9df887312cfbf2cafc4a309eca1dc4204f2f87b9a6ed20d37eb94f15c9a

      SHA512

      5aa9f1d004c92c4b6ff7428cc24aaaeb5f04e668657904dd123dd1ca129c6b81c37d5efa7aa746aec52db56417da8038001ebf229ef5e2e61e12423b3b45b6b1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\OhkmqXoi0I.bat
      Filesize

      160B

      MD5

      bbea3a1f4983b8bbc28df140ad226986

      SHA1

      ef53e23e168ff2f996e6b83422607d8a377415b2

      SHA256

      7724698fe00ec5bd10fa71136628afe9de09de08b921bfc5ff77db7120e95af6

      SHA512

      dd1cde3612902e63807936ae4aa19feeed1b41355c5330138522a54599a5c030baffa5aa1aeb5173db1879b2f9dfaa928d559b4b861d7d6073f0f7166c6ac4bf

      Download Submit

    • \ProviderWebSavesNet\hostcrt.exe
      Filesize

      3.7MB

      MD5

      88340879f7b502b0eee8f6147cdc70eb

      SHA1

      1510660a130fdcb57e2dcad37c16cf1a966126d8

      SHA256

      bcefedada15b81b6470d80824651dac64d52a568b459b6c1ade8d0dcddcf2f05

      SHA512

      d3518eb922315743bf16624e256a6bcc4b930723786cf34ccb40afb901c2ede1a19c0acdb21ee4c5bbda6541a2b229c16a8ad66e861230e46634f30b8d3db3ed

      Download Submit

    • memory/2788-85-0x0000000000170000-0x000000000052A000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/2816-39-0x0000000002270000-0x0000000002280000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2816-43-0x0000000002370000-0x0000000002382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2816-21-0x00000000008F0000-0x0000000000900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2816-23-0x0000000002210000-0x0000000002228000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2816-25-0x0000000000930000-0x0000000000940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2816-27-0x0000000000940000-0x0000000000950000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2816-29-0x0000000002230000-0x000000000223E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2816-31-0x0000000002240000-0x000000000224C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2816-33-0x0000000002250000-0x000000000225E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2816-35-0x0000000002280000-0x0000000002292000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2816-37-0x0000000002260000-0x000000000226C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2816-17-0x00000000008E0000-0x00000000008EE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2816-41-0x0000000002350000-0x0000000002366000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2816-19-0x00000000021F0000-0x000000000220C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2816-45-0x00000000022A0000-0x00000000022AE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2816-47-0x00000000022B0000-0x00000000022BC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2816-49-0x00000000022C0000-0x00000000022CC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2816-51-0x0000000002390000-0x00000000023A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2816-53-0x00000000023A0000-0x00000000023B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2816-55-0x000000001AA50000-0x000000001AAAA000-memory.dmp

      Filesize

      360KB

      Download

    • memory/2816-57-0x00000000023B0000-0x00000000023BE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2816-59-0x00000000023C0000-0x00000000023D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2816-61-0x0000000002560000-0x000000000256E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2816-63-0x0000000002590000-0x00000000025A8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2816-65-0x0000000002570000-0x000000000257C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2816-67-0x000000001AF10000-0x000000001AF5E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/2816-15-0x0000000000900000-0x0000000000926000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2816-13-0x00000000003B0000-0x000000000076A000-memory.dmp

      Filesize

      3.7MB

      Download