Analysis Overview
SHA256
bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805c
Threat Level: Likely malicious
The file bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Deletes itself
Drops startup file
Loads dropped DLL
Checks computer location settings
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 08:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 08:03
Reported
2024-11-03 08:05
Platform
win10v2004-20241007-en
Max time kernel
104s
Max time network
111s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeedPhrase Converter.exe.lnk | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe
"C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 08:08 /du 23:59 /sc daily /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
"C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB3BF.tmp.cmd""
C:\Windows\SysWOW64\timeout.exe
timeout 6
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
memory/2480-0-0x000000007474E000-0x000000007474F000-memory.dmp
memory/2480-1-0x0000000000C90000-0x0000000000CAC000-memory.dmp
memory/2480-2-0x0000000005CA0000-0x0000000006244000-memory.dmp
memory/2480-3-0x00000000056F0000-0x0000000005782000-memory.dmp
memory/3804-6-0x0000000005190000-0x00000000051C6000-memory.dmp
memory/3804-10-0x00000000058B0000-0x0000000005ED8000-memory.dmp
memory/3804-9-0x0000000074740000-0x0000000074EF0000-memory.dmp
memory/3804-12-0x0000000074740000-0x0000000074EF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
| MD5 | d30c0f766318fae8aebf63ea2c781351 |
| SHA1 | e93d198f9ea29a7a83ae42736c2b2b3b4a939987 |
| SHA256 | 50d88e12e7dec5d3d688916f20c8815f93cc238a2103c07b55670202972b58b7 |
| SHA512 | f4f3d2343a04d17185703add668150b9956b5ea455eb1887f1334926e7891fbb1cfe642d776d1259ebc14dc29c9479b98e1d1f38620e2d0727af4a356d27d3b5 |
memory/3804-20-0x0000000005880000-0x00000000058A2000-memory.dmp
memory/3804-25-0x0000000005F50000-0x0000000005FB6000-memory.dmp
memory/3804-26-0x00000000060F0000-0x0000000006156000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bcknxofd.zmm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/716-37-0x0000000074740000-0x0000000074EF0000-memory.dmp
memory/3804-38-0x00000000062D0000-0x0000000006624000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB3BF.tmp.cmd
| MD5 | 2b4b589e7e4c636c67e5df7041f90cc2 |
| SHA1 | 4312a8e3fb59e904a887d7844f5cf91633535618 |
| SHA256 | cbcff3132cb480a630614fa5df31a1686b45f8a516b0d7dadb3ed52495dfc985 |
| SHA512 | 65c1572d3bdd37192191be82f3fba352f04e376e4f136bd0bf9ecf3dad95f986152ca89d80c40f157612f9208b8bcec5a22c58ff4692016a6a02e1b0df4dbca8 |
memory/3804-40-0x0000000006750000-0x000000000676E000-memory.dmp
memory/3804-41-0x0000000006790000-0x00000000067DC000-memory.dmp
memory/716-42-0x00000000064B0000-0x00000000064BA000-memory.dmp
memory/3804-43-0x0000000006D20000-0x0000000006D52000-memory.dmp
memory/3804-44-0x0000000072030000-0x000000007207C000-memory.dmp
memory/3804-54-0x0000000007720000-0x000000000773E000-memory.dmp
memory/3804-55-0x0000000007740000-0x00000000077E3000-memory.dmp
memory/3804-56-0x00000000080C0000-0x000000000873A000-memory.dmp
memory/3804-57-0x0000000007A80000-0x0000000007A9A000-memory.dmp
memory/3804-58-0x0000000007AF0000-0x0000000007AFA000-memory.dmp
memory/3804-59-0x0000000007D00000-0x0000000007D96000-memory.dmp
memory/3804-60-0x0000000007C80000-0x0000000007C91000-memory.dmp
memory/3804-61-0x0000000007CB0000-0x0000000007CBE000-memory.dmp
memory/3804-62-0x0000000007CC0000-0x0000000007CD4000-memory.dmp
memory/3804-63-0x0000000007DC0000-0x0000000007DDA000-memory.dmp
memory/3804-64-0x0000000007DA0000-0x0000000007DA8000-memory.dmp
memory/3804-67-0x0000000074740000-0x0000000074EF0000-memory.dmp
memory/716-68-0x0000000074740000-0x0000000074EF0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 08:03
Reported
2024-11-03 08:05
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeedPhrase Converter.exe.lnk | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe
"C:\Users\Admin\AppData\Local\Temp\bcf735aa4788ed01a8c0b2f3b71bdccfcfa1f7965d772c82197cc32fb8f7805cN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 08:08 /du 23:59 /sc daily /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
"C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE521.tmp.cmd""
C:\Windows\SysWOW64\timeout.exe
timeout 6
Network
Files
memory/1172-0-0x000000007463E000-0x000000007463F000-memory.dmp
memory/1172-1-0x0000000000CD0000-0x0000000000CEC000-memory.dmp
\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
| MD5 | c485280211a901d16a69cc710b5eccb9 |
| SHA1 | e4681be1835ede1c0a5a21f4dbc730cc1f16db2b |
| SHA256 | 34710e86eef4ad9742ca7f6cfc5a000991be3c573bfa1a00074c012bf2e9f301 |
| SHA512 | de936feb2d14b97bf3061dc9ec4f0966af87bef10b2181df4460320331400a22b666c1230dfbe364e4a06994bae4a33c3e198b0bae58a34757fa5aae7b256d56 |
memory/2120-10-0x0000000000B10000-0x0000000000B2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE521.tmp.cmd
| MD5 | 355450f64b69493338cfc79cad554162 |
| SHA1 | 197c627abcbadcd20133b437add62ffd88da47a4 |
| SHA256 | 6ddfe8b43fea8bcbfdd513ea6a8d55fefbcbd970099f8d0961fe86fc53a82ee9 |
| SHA512 | 78914ea39527f417a6f37394d9986e49179394c30b00055e3c5b2ee744f8cd20a9a47a69682ffecb3a7c5c147282da1edbcc8dd4374e8114b40c7341a0ce6283 |