ad478484952b20e9ab61126a008ca4051b71b3ef240038357a931405da27fb81

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 18:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

BMage.exe
Size

3.7MB
MD5

dceedde3db57ec8e146a1cf3baa3d155
SHA1

3a70b0bda10ae4c033fb6a89028802debff11358
SHA256

d4955ed9b5413bbf9d21251e1341c4217b1d94ebaf40a14a2853409eddde3df3
SHA512

76b8371bab7ab54f7d4a4422de9a5c6a165963aaaa5b95cc4a3fdd294995734556556bcca3660a221fa2f63480d705673b1472f75aa69a5210fdb3073645759c
SSDEEP

49152:xu/HzblKUM6RPZrjmogGFZ0kRwvlanXJ7Ob1o2jHgICK:xuLkUM6RPlNg85RwvlanXNK

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	BMage.exe

Executes dropped EXE 2 IoCs

pid	Process
3972	BMage.exe
4728	common.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDefender = "C:\\Windows\\Wincft.exe"	common.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Live Show\setup\sefokol.ami	BMage.exe
File created	C:\Program Files\Windows Live Show\setup\BMage.exe	BMage.exe
File created	C:\Program Files\Windows Live Show\setup\sefokol.ami	BMage.exe
File created	C:\Program Files\Windows Live Show\setup\common.exe	BMage.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Wincft.exe	common.exe
File created	C:\Windows\Wincft.exe	common.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1828	2124	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BMage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BMage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	common.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3972	2124	BMage.exe	92
PID 2124 wrote to memory of 3972	2124	BMage.exe	92
PID 2124 wrote to memory of 3972	2124	BMage.exe	92
PID 2124 wrote to memory of 4728	2124	BMage.exe	93
PID 2124 wrote to memory of 4728	2124	BMage.exe	93
PID 2124 wrote to memory of 4728	2124	BMage.exe	93

C:\Users\Admin\AppData\Local\Temp\BMage.exe
"C:\Users\Admin\AppData\Local\Temp\BMage.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Program Files\Windows Live Show\setup\BMage.exe
  "C:\Program Files\Windows Live Show\setup\BMage.exe" NULL
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3972
- C:\Program Files\Windows Live Show\setup\common.exe
  "C:\Program Files\Windows Live Show\setup\common.exe" NULL
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1308
  2⤵
  - Program crash
  PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2124 -ip 2124
1⤵
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Live Show\setup\BMage.exe

Filesize
1.8MB

MD5
213f26caaad222eaad7c0c877d0469b7

SHA1
2b38738ced6734efa5303228aa1cb2f4c82a7835

SHA256
67e0c4f723ef4eb5041626c7b578443346d31a5a2bb0c3f635a4518d4ddfefa4

SHA512
928f58c254ce61ba66d971a43ffaa5eceb47e10d438a4d9cbe42d7c30e555c3d9b0494bb7e9438756363b6336c98648eb70f93be878ac8087834ddf4644e8492

Download Submit
C:\Program Files\Windows Live Show\setup\common.exe

Filesize
592KB

MD5
6b6b3f2bc99d8b7442b14b02c0385e4c

SHA1
eba56d8a2ec70fcc3001738a23a6b459f5e3a223

SHA256
ae4e9736ea2ff5a36d744a9e131dcb283d012499030b2273b381f27c5c6f97b0

SHA512
ce780e1212d3f603409afbc298c74da7cb19e4f9f03ff1ba0b7e69b8632bbb1d3369c0907c5c5a769607bab2aec992ea45784ef92e24233cc0b537840cc1e32b

Download Submit
memory/3972-8-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/3972-24-0x0000000000400000-0x0000000000E8F000-memory.dmp

Filesize
10.6MB

Download
memory/4728-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads