Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/11/2024, 08:03
Static task: static1
Behavioral task: behavioral1
Sample: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe
Resource: win7-20240903-en
General
Target: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe
Size: 3.9MB
MD5: 5adb2a353e5d54d267e084de41f63310
SHA1: 59b62e1159bdc14a58eecff61d4045b634a51374
SHA256: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805c
SHA512: 453b5c61247a0d01d0bf3108532691a6534611460a4ca6483d73e2391b17d1491e342e0f6544b566de526cf6226de6838a133f9788bef3b034b66f89807e71a6
SSDEEP: 98304:wxhtYrUqNd6Px5RrtcZmZYZT/UHZxUSa1xJKA:wJEUqNd6Px5RRcsYZT/yv7A
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid: 2444; Process: powershell.exe

Deletes itself (1 IoCs)
pid: 2704; Process: cmd.exe

Drops startup file (1 IoCs)
description: File created; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeedPhrase Converter.exe.lnk; Process: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe

Executes dropped EXE (1 IoCs)
pid: 2120; Process: SeedPhrase Converter.exe

Loads dropped DLL (1 IoCs)
pid: 1172; Process: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: powershell.exe
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: schtasks.exe
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: SeedPhrase Converter.exe
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: cmd.exe
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: timeout.exe
Delays execution with timeout.exe (1 IoCs)
pid: 584; Process: timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid: 2312; Process: schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid: 2120; Process: SeedPhrase Converter.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid: 2444; Process: powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description: Token: SeDebugPrivilege; pid: 1172; Process: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe
description: Token: SeDebugPrivilege; pid: 2444; Process: powershell.exe
description: Token: SeDebugPrivilege; pid: 2120; Process: SeedPhrase Converter.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description: PID 1172 wrote to memory of 2444; pid: 1172; Process: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe; procid_target: 31 (4 identical entries)
description: PID 1172 wrote to memory of 2312; pid: 1172; Process: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe; procid_target: 33 (4 identical entries)
description: PID 1172 wrote to memory of 2120; pid: 1172; Process: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe; procid_target: 35 (4 identical entries)
description: PID 1172 wrote to memory of 2704; pid: 1172; Process: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe; procid_target: 36 (4 identical entries)
description: PID 2704 wrote to memory of 584; pid: 2704; Process: cmd.exe; procid_target: 38 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe (depth 1, PID 1172)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe"
  Signatures: Drops startup file; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2444)
    Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 2312)
    Command line: "schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 08:08 /du 23:59 /sc daily /ri 1 /f
    Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe (depth 2, PID 2120)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: AddClipboardFormatListener; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2704)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE521.tmp.cmd""
    Signatures: Deletes itself; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (depth 3, PID 584)
      Command line: timeout 6
      Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 217B
MD5: 355450f64b69493338cfc79cad554162
SHA1: 197c627abcbadcd20133b437add62ffd88da47a4
SHA256: 6ddfe8b43fea8bcbfdd513ea6a8d55fefbcbd970099f8d0961fe86fc53a82ee9
SHA512: 78914ea39527f417a6f37394d9986e49179394c30b00055e3c5b2ee744f8cd20a9a47a69682ffecb3a7c5c147282da1edbcc8dd4374e8114b40c7341a0ce6283

Filesize: 4.5MB
MD5: c485280211a901d16a69cc710b5eccb9
SHA1: e4681be1835ede1c0a5a21f4dbc730cc1f16db2b
SHA256: 34710e86eef4ad9742ca7f6cfc5a000991be3c573bfa1a00074c012bf2e9f301
SHA512: de936feb2d14b97bf3061dc9ec4f0966af87bef10b2181df4460320331400a22b666c1230dfbe364e4a06994bae4a33c3e198b0bae58a34757fa5aae7b256d56