afaf9770608b7ba29f183586c580fc8093a2efdd68febff71122ac41cedae49d

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B3RAP Leecher v0.5/B3RAP Leecher.exe
Size

7.6MB
MD5

daf410cc495219fe8ac9a02712ad3684
SHA1

e8105b282d9c6f5ec146a138fa899675441419b8
SHA256

51e36fe50f5cc439b8a275571b303fab85d4beb430abefb578a6ca5226c17601
SHA512

1ea3f87e39cbbbf125602294fb9fd4b713bfb5b16ade2f503a4be84f6d8c123830edb626b02e6a7d1a344dd46134cb240c6c70fd7a5ab129e3d1b507a8ba8773
SSDEEP

196608:CLwIMmXE6d1CPwDv3uFgsLsv13uFnCPwPnhwn59OIl/3igTlBCKgx:CpTXE6d1CPwDv3uF1Lsv13uFnCPwfhw8

Score

8^/10

discovery macro persistence

Malware Config

Signatures

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0005000000019586-95.dat
behavioral1/files/0x0007000000019586-117.dat

Executes dropped EXE 3 IoCs

pid	Process
2104	._cache_B3RAP Leecher.exe
2996	Synaptics.exe
2800	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2980	B3RAP Leecher.exe
2980	B3RAP Leecher.exe
2980	B3RAP Leecher.exe
2996	Synaptics.exe
2996	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	B3RAP Leecher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B3RAP Leecher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b000000012256-4.dat	nsis_installer_2
behavioral1/files/0x0004000000019542-13.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2648	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2648	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2104	2980	B3RAP Leecher.exe	29
PID 2980 wrote to memory of 2104	2980	B3RAP Leecher.exe	29
PID 2980 wrote to memory of 2104	2980	B3RAP Leecher.exe	29
PID 2980 wrote to memory of 2104	2980	B3RAP Leecher.exe	29
PID 2980 wrote to memory of 2996	2980	B3RAP Leecher.exe	30
PID 2980 wrote to memory of 2996	2980	B3RAP Leecher.exe	30
PID 2980 wrote to memory of 2996	2980	B3RAP Leecher.exe	30
PID 2980 wrote to memory of 2996	2980	B3RAP Leecher.exe	30
PID 2996 wrote to memory of 2800	2996	Synaptics.exe	31
PID 2996 wrote to memory of 2800	2996	Synaptics.exe	31
PID 2996 wrote to memory of 2800	2996	Synaptics.exe	31
PID 2996 wrote to memory of 2800	2996	Synaptics.exe	31

C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\B3RAP Leecher.exe
"C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\B3RAP Leecher.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_B3RAP Leecher.exe
  "C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_B3RAP Leecher.exe"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2800

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
7.6MB

MD5
daf410cc495219fe8ac9a02712ad3684

SHA1
e8105b282d9c6f5ec146a138fa899675441419b8

SHA256
51e36fe50f5cc439b8a275571b303fab85d4beb430abefb578a6ca5226c17601

SHA512
1ea3f87e39cbbbf125602294fb9fd4b713bfb5b16ade2f503a4be84f6d8c123830edb626b02e6a7d1a344dd46134cb240c6c70fd7a5ab129e3d1b507a8ba8773

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ijc8tPIo.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ijc8tPIo.xlsm

Filesize
21KB

MD5
b9b0e13adf779fa987a39e3b243cdf1c

SHA1
eb7f3df65554fc7485f583e12fb9146cbfc6bd13

SHA256
d9dae7cda3841184102beb0078bbe6701de42f56ef6abb1dfa4d43f00ba0b375

SHA512
72ff6e2f4d8e931f2724fddda4443a048bf2c78718237e47d6cf3e89d213d0cdf4917665c054b16321d95e7e93f4bea4d3eb786a98498d1d5beb5caa676b00ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ijc8tPIo.xlsm

Filesize
23KB

MD5
4a1fc19f34120a7d2ec6e28a42fdb440

SHA1
9a77c936fea570245512c3b0d5755877860224f3

SHA256
40c8152c6aa366a0258d87941a373adf9b5f5b47e6079fbec259d6430d558194

SHA512
20cc685a723a519a339f6fd7775fb6794bcd229b9c03a642c117ba183d838950358e714eca0cddc7a94ded2dda421b0e8c2c63b83084daf455753c180e14f20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ijc8tPIo.xlsm

Filesize
25KB

MD5
54151dd763cf15d0a0c66890f4088bea

SHA1
7e3fae4401060a52e6d3c57f056adeb1ecde9040

SHA256
08170abbd25ecdada3f9d4f51247a9194871746f4a2cb29a91e6104d9001c7d7

SHA512
c9388031f6c94fefe09a14eb2ac16e24fdca62a2277b2867f6f3c55bb74ae6739c964177463398b9dde731fed513680035bb67b22d921568f7bb559699f409cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ijc8tPIo.xlsm

Filesize
27KB

MD5
f0225837a4cbb9109c550d7c87bfff83

SHA1
ff5700715a22676088ae3a3e354186c327df7573

SHA256
1a945caae2f06337c5cf93e823eb8b177d2aa68deac2c7f2eba9f247eca22c71

SHA512
a8c133d5b0cc2ae45bd33676fcb04339b74b074b49fea38dc326919f9fb5e42939832d191676bfe5c5529f3948e19836a05a3dc7441e7d31957f08414ca86b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$Ijc8tPIo.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_B3RAP Leecher.exe

Filesize
6.9MB

MD5
3fc65e1223ff9644d654895c800f7731

SHA1
d59740ec285022203c5b4051a79b380cdb91f593

SHA256
faa86186f89ef29b9507a623a96d066011b8963b0ae6830dd421d1b8c689d90d

SHA512
83e9f5a52c85650d1f6e65f83d73b23ec495e2eaaf66013541c3a7e14b6b762d473e7e5fa87c16071610443e42c9718c0800afc0af2a75f9cef020896f99d6cb

Download Submit
memory/2104-24-0x0000000000D10000-0x00000000013F6000-memory.dmp

Filesize
6.9MB

Download
memory/2648-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2648-123-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2800-36-0x0000000000CE0000-0x00000000013C6000-memory.dmp

Filesize
6.9MB

Download
memory/2980-26-0x0000000000400000-0x0000000000BA3000-memory.dmp

Filesize
7.6MB

Download
memory/2980-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2996-124-0x0000000000400000-0x0000000000BA3000-memory.dmp

Filesize
7.6MB

Download
memory/2996-125-0x0000000000400000-0x0000000000BA3000-memory.dmp

Filesize
7.6MB

Download
memory/2996-157-0x0000000000400000-0x0000000000BA3000-memory.dmp

Filesize
7.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads