afaf9770608b7ba29f183586c580fc8093a2efdd68febff71122ac41cedae49d

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B3RAP Leecher v0.5/B3RAP Leecher.exe
Size

7.6MB
MD5

daf410cc495219fe8ac9a02712ad3684
SHA1

e8105b282d9c6f5ec146a138fa899675441419b8
SHA256

51e36fe50f5cc439b8a275571b303fab85d4beb430abefb578a6ca5226c17601
SHA512

1ea3f87e39cbbbf125602294fb9fd4b713bfb5b16ade2f503a4be84f6d8c123830edb626b02e6a7d1a344dd46134cb240c6c70fd7a5ab129e3d1b507a8ba8773
SSDEEP

196608:CLwIMmXE6d1CPwDv3uFgsLsv13uFnCPwPnhwn59OIl/3igTlBCKgx:CpTXE6d1CPwDv3uF1Lsv13uFnCPwfhw8

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	B3RAP Leecher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
832	._cache_B3RAP Leecher.exe
2828	Synaptics.exe
2912	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	B3RAP Leecher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B3RAP Leecher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00080000000234d1-5.dat	nsis_installer_2
behavioral2/files/0x00070000000234fd-67.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	B3RAP Leecher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2948	EXCEL.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE
2948	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 832	3920	B3RAP Leecher.exe	82
PID 3920 wrote to memory of 832	3920	B3RAP Leecher.exe	82
PID 3920 wrote to memory of 2828	3920	B3RAP Leecher.exe	83
PID 3920 wrote to memory of 2828	3920	B3RAP Leecher.exe	83
PID 3920 wrote to memory of 2828	3920	B3RAP Leecher.exe	83
PID 2828 wrote to memory of 2912	2828	Synaptics.exe	84
PID 2828 wrote to memory of 2912	2828	Synaptics.exe	84

C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\B3RAP Leecher.exe
"C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\B3RAP Leecher.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_B3RAP Leecher.exe
  "C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_B3RAP Leecher.exe"
  2⤵
  - Executes dropped EXE
  PID:832
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2912

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
7.6MB

MD5
daf410cc495219fe8ac9a02712ad3684

SHA1
e8105b282d9c6f5ec146a138fa899675441419b8

SHA256
51e36fe50f5cc439b8a275571b303fab85d4beb430abefb578a6ca5226c17601

SHA512
1ea3f87e39cbbbf125602294fb9fd4b713bfb5b16ade2f503a4be84f6d8c123830edb626b02e6a7d1a344dd46134cb240c6c70fd7a5ab129e3d1b507a8ba8773

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F285E00

Filesize
25KB

MD5
1bfe871193b1501e2187fd3996250ca7

SHA1
fab3c269d0fb7947cd19c0da8b59b6bdb156b71a

SHA256
416dd47f399be2ecb50b19d819d1c171d48e1c114bf7e00a5177badbf058397e

SHA512
c1ce51b6ddd1e21d0ef86f9ef2f0f66c5587557a21fdeb96f99031d5796db818ce2eb038e97dee65361ae6167a69f6cbaf436977649aa414ce983908c21c2590

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3RAP Leecher v0.5\._cache_B3RAP Leecher.exe

Filesize
6.9MB

MD5
3fc65e1223ff9644d654895c800f7731

SHA1
d59740ec285022203c5b4051a79b380cdb91f593

SHA256
faa86186f89ef29b9507a623a96d066011b8963b0ae6830dd421d1b8c689d90d

SHA512
83e9f5a52c85650d1f6e65f83d73b23ec495e2eaaf66013541c3a7e14b6b762d473e7e5fa87c16071610443e42c9718c0800afc0af2a75f9cef020896f99d6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OtGtPqC5.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/832-65-0x00007FFC0AB03000-0x00007FFC0AB05000-memory.dmp

Filesize
8KB

Download
memory/832-119-0x000002855E860000-0x000002855EF46000-memory.dmp

Filesize
6.9MB

Download
memory/832-128-0x00007FFC0AB00000-0x00007FFC0B5C1000-memory.dmp

Filesize
10.8MB

Download
memory/832-202-0x00007FFC0AB03000-0x00007FFC0AB05000-memory.dmp

Filesize
8KB

Download
memory/832-204-0x00007FFC0AB00000-0x00007FFC0B5C1000-memory.dmp

Filesize
10.8MB

Download
memory/2828-289-0x0000000000400000-0x0000000000BA3000-memory.dmp

Filesize
7.6MB

Download
memory/2828-203-0x0000000000400000-0x0000000000BA3000-memory.dmp

Filesize
7.6MB

Download
memory/2828-258-0x0000000000400000-0x0000000000BA3000-memory.dmp

Filesize
7.6MB

Download
memory/2948-210-0x00007FFBE6570000-0x00007FFBE6580000-memory.dmp

Filesize
64KB

Download
memory/2948-208-0x00007FFBE8ED0000-0x00007FFBE8EE0000-memory.dmp

Filesize
64KB

Download
memory/2948-209-0x00007FFBE8ED0000-0x00007FFBE8EE0000-memory.dmp

Filesize
64KB

Download
memory/2948-211-0x00007FFBE6570000-0x00007FFBE6580000-memory.dmp

Filesize
64KB

Download
memory/2948-206-0x00007FFBE8ED0000-0x00007FFBE8EE0000-memory.dmp

Filesize
64KB

Download
memory/2948-207-0x00007FFBE8ED0000-0x00007FFBE8EE0000-memory.dmp

Filesize
64KB

Download
memory/2948-205-0x00007FFBE8ED0000-0x00007FFBE8EE0000-memory.dmp

Filesize
64KB

Download
memory/3920-0-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/3920-129-0x0000000000400000-0x0000000000BA3000-memory.dmp

Filesize
7.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads