Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04-10-2024 07:07

Static task: static1
Behavioral task: behavioral1
- Sample: bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe
- Resource: win7-20240903-en
General
- Target: bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe
- Size: 9.2MB
- MD5: d511554c3e89879625547bfe436cbf80
- SHA1: df37505e4f1bc919432b5a80c1f5d32484438ce8
- SHA256: bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8
- SHA512: 360b811f826e6d695d7f1659503b33db92b8c43001f05666b2820c587a95f62e079c0ddb3b23d0159767a29835da6386c882e5383a88629fe562d251df9bdcd9
- SSDEEP: 196608:lQKdvgDDwRB/rYSExCaWeQx12c00AL3MBEre9s4mEqaB2R5oBPLm8eiveeeI/:JVSDwRZYSExCaxk2rgR9saZk5CPSivem
Malware Config
Extracted: cryptbot
- forcj4vs.top
- analforeverlovyu.top
- url_path: /v1/upload.php
Signatures

Possible privilege escalation attempt 4 IoCs
Processes (pid, Process):
- 1780 takeown.exe
- 2452 icacls.exe
- 1436 takeown.exe
- 1996 icacls.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | Process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setup.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Setup.exe
Executes dropped EXE 4 IoCs
Processes (pid, Process):
- 2968 PDloewpjkG.exe
- 2244 WindowsLoader.exe
- 2712 Setup.exe
- 1372 bootsect.exe
Loads dropped DLL 8 IoCs
Processes (pid, Process):
- 1452 bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe (7 entries)
- 2244 WindowsLoader.exe
Modifies file permissions 1 TTPs 4 IoCs
Processes (pid, Process):
- 1780 takeown.exe
- 2452 icacls.exe
- 1436 takeown.exe
- 1996 icacls.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes (pid, Process):
- 2244 WindowsLoader.exe (2 entries)
Processes (resource | yara_rule):
- behavioral1/files/0x0006000000018b6e-49.dat | upx
- behavioral1/memory/2244-51-0x00000000180A0000-0x00000000182C3000-memory.dmp | upx
- behavioral1/memory/2712-55-0x0000000000400000-0x0000000000623000-memory.dmp | upx
- behavioral1/memory/2712-124-0x0000000000400000-0x0000000000623000-memory.dmp | upx
- behavioral1/memory/2712-142-0x0000000000400000-0x0000000000623000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | Process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WindowsLoader.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | compact.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icacls.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bootsect.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | takeown.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icacls.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | takeown.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PDloewpjkG.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Setup.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Enumerates system info in registry 2 TTPs 2 IoCs
Processes (description | ioc | Process):
- Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Setup.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | Setup.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid, Process):
- 2244 WindowsLoader.exe
- 2712 Setup.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes (description | pid | Process):
- Token: 33 | 2712 | Setup.exe
- Token: SeIncBasePriorityPrivilege | 2712 | Setup.exe
- Token: 33 | 2712 | Setup.exe
- Token: SeIncBasePriorityPrivilege | 2712 | Setup.exe
- Token: SeTakeOwnershipPrivilege | 1780 | takeown.exe
- Token: SeTakeOwnershipPrivilege | 1436 | takeown.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid, Process):
- 2712 Setup.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid | Process | procid_target; repeated identical rows are collapsed with their count):
- PID 1452 wrote to memory of 2968 | 1452 | bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe | 29 (4 entries)
- PID 1452 wrote to memory of 2244 | 1452 | bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe | 30 (4 entries)
- PID 2244 wrote to memory of 2712 | 2244 | WindowsLoader.exe | 31 (7 entries)
- PID 2712 wrote to memory of 1176 | 2712 | Setup.exe | 34 (4 entries)
- PID 1176 wrote to memory of 2096 | 1176 | cmd.exe | 36 (4 entries)
- PID 2096 wrote to memory of 1780 | 2096 | cmd.exe | 37 (4 entries)
- PID 2712 wrote to memory of 2480 | 2712 | Setup.exe | 38 (4 entries)
- PID 2480 wrote to memory of 2452 | 2480 | cmd.exe | 40 (4 entries)
- PID 2712 wrote to memory of 2208 | 2712 | Setup.exe | 41 (4 entries)
- PID 2208 wrote to memory of 960 | 2208 | cmd.exe | 43 (4 entries)
- PID 960 wrote to memory of 1436 | 960 | cmd.exe | 44 (4 entries)
- PID 2712 wrote to memory of 2124 | 2712 | Setup.exe | 45 (4 entries)
- PID 2124 wrote to memory of 1996 | 2124 | cmd.exe | 47 (4 entries)
- PID 2712 wrote to memory of 2520 | 2712 | Setup.exe | 48 (4 entries)
- PID 2520 wrote to memory of 2144 | 2520 | cmd.exe | 50 (3 entries)
- PID 2712 wrote to memory of 2320 | 2712 | Setup.exe | 51 (2 entries)
Processes
Process tree (each entry: image path with its depth in the tree, command line, signatures, PID; children are indented under their parent):

- C:\Users\Admin\AppData\Local\Temp\bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  PID: 1452
  - C:\Users\Admin\AppData\Local\Temp\PDloewpjkG.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PDloewpjkG.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    PID: 2968
  - C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    PID: 2244
    - C:\Users\Admin\AppData\Local\Temp\Setup.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      Signatures: Checks BIOS information in registry; Executes dropped EXE; System Location Discovery: System Language Discovery; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      PID: 2712
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        PID: 1176
        - C:\Windows\SysWOW64\cmd.exe (depth 5)
          Command line: cmd.exe /c takeown /f C:\ldrscan\bootwin
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          PID: 2096
          - C:\Windows\SysWOW64\takeown.exe (depth 6)
            Command line: takeown /f C:\ldrscan\bootwin
            Signatures: Possible privilege escalation attempt; Modifies file permissions; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
            PID: 1780
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        PID: 2480
        - C:\Windows\SysWOW64\icacls.exe (depth 5)
          Command line: icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
          Signatures: Possible privilege escalation attempt; Modifies file permissions; System Location Discovery: System Language Discovery
          PID: 2452
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        PID: 2208
        - C:\Windows\SysWOW64\cmd.exe (depth 5)
          Command line: cmd.exe /c takeown /f C:\ldrscan\bootwin
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          PID: 960
          - C:\Windows\SysWOW64\takeown.exe (depth 6)
            Command line: takeown /f C:\ldrscan\bootwin
            Signatures: Possible privilege escalation attempt; Modifies file permissions; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
            PID: 1436
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        PID: 2124
        - C:\Windows\SysWOW64\icacls.exe (depth 5)
          Command line: icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
          Signatures: Possible privilege escalation attempt; Modifies file permissions; System Location Discovery: System Language Discovery
          PID: 1996
      - C:\Windows\system32\cmd.exe (depth 4)
        Command line: cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
        Signatures: Suspicious use of WriteProcessMemory
        PID: 2520
        - C:\Windows\System32\cscript.exe (depth 5)
          Command line: C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
          PID: 2144
      - C:\Windows\system32\cmd.exe (depth 4)
        Command line: cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
        PID: 2320
        - C:\Windows\System32\cscript.exe (depth 5)
          Command line: C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
          PID: 1472
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: cmd.exe /A /C "compact /u \\?\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\MFNDZ"
        Signatures: System Location Discovery: System Language Discovery
        PID: 1952
        - C:\Windows\SysWOW64\compact.exe (depth 5)
          Command line: compact /u \\?\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\MFNDZ
          Signatures: System Location Discovery: System Language Discovery
          PID: 2344
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
        Signatures: System Location Discovery: System Language Discovery
        PID: 1184
        - C:\bootsect.exe (depth 5)
          Command line: C:\bootsect.exe /nt60 SYS /force
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
          PID: 1372
Network
MITRE ATT&CK Enterprise v15
Downloads