Analysis
max time kernel: 104s
max time network: 111s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/11/2024, 08:03
Static task: static1
Behavioral task: behavioral1
Sample: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe
Resource: win7-20240903-en
General
Target: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe
Size: 3.9MB
MD5: 5adb2a353e5d54d267e084de41f63310
SHA1: 59b62e1159bdc14a58eecff61d4045b634a51374
SHA256: bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805c
SHA512: 453b5c61247a0d01d0bf3108532691a6534611460a4ca6483d73e2391b17d1491e342e0f6544b566de526cf6226de6838a133f9788bef3b034b66f89807e71a6
SSDEEP: 98304:wxhtYrUqNd6Px5RrtcZmZYZT/UHZxUSa1xJKA:wJEUqNd6Px5RRcsYZT/yv7A
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid  Process
3804  powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely geofencing.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe

Drops startup file 1 IoCs
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeedPhrase Converter.exe.lnk  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe

Executes dropped EXE 1 IoCs
pid  Process
716  SeedPhrase Converter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SeedPhrase Converter.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Delays execution with timeout.exe 1 IoCs
pid  Process
4616  timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
4060  schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid  Process
716  SeedPhrase Converter.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
3804  powershell.exe
3804  powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description  pid  Process
Token: SeDebugPrivilege  2480  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe
Token: SeDebugPrivilege  3804  powershell.exe
Token: SeDebugPrivilege  716  SeedPhrase Converter.exe

Suspicious use of WriteProcessMemory 15 IoCs
description  pid  Process  procid_target
PID 2480 wrote to memory of 3804  2480  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe  87
PID 2480 wrote to memory of 3804  2480  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe  87
PID 2480 wrote to memory of 3804  2480  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe  87
PID 2480 wrote to memory of 4060  2480  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe  88
PID 2480 wrote to memory of 4060  2480  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe  88
PID 2480 wrote to memory of 4060  2480  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe  88
PID 2480 wrote to memory of 716  2480  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe  91
PID 2480 wrote to memory of 716  2480  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe  91
PID 2480 wrote to memory of 716  2480  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe  91
PID 2480 wrote to memory of 640  2480  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe  92
PID 2480 wrote to memory of 640  2480  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe  92
PID 2480 wrote to memory of 640  2480  bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe  92
PID 640 wrote to memory of 4616  640  cmd.exe  94
PID 640 wrote to memory of 4616  640  cmd.exe  94
PID 640 wrote to memory of 4616  640  cmd.exe  94
Processes

C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe"
- Checks computer location settings
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2480

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3804

  C:\Windows\SysWOW64\schtasks.exe (level 2)
  Command line: "schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 08:08 /du 23:59 /sc daily /ri 1 /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 4060

  C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID: 716

  C:\Windows\SysWOW64\cmd.exe (level 2)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB3BF.tmp.cmd""
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 640

    C:\Windows\SysWOW64\timeout.exe (level 3)
    Command line: timeout 6
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID: 4616
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.5MB
MD5: d30c0f766318fae8aebf63ea2c781351
SHA1: e93d198f9ea29a7a83ae42736c2b2b3b4a939987
SHA256: 50d88e12e7dec5d3d688916f20c8815f93cc238a2103c07b55670202972b58b7
SHA512: f4f3d2343a04d17185703add668150b9956b5ea455eb1887f1334926e7891fbb1cfe642d776d1259ebc14dc29c9479b98e1d1f38620e2d0727af4a356d27d3b5

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 217B
MD5: 2b4b589e7e4c636c67e5df7041f90cc2
SHA1: 4312a8e3fb59e904a887d7844f5cf91633535618
SHA256: cbcff3132cb480a630614fa5df31a1686b45f8a516b0d7dadb3ed52495dfc985
SHA512: 65c1572d3bdd37192191be82f3fba352f04e376e4f136bd0bf9ecf3dad95f986152ca89d80c40f157612f9208b8bcec5a22c58ff4692016a6a02e1b0df4dbca8