Overview

overview

7

Static

static

3

bc45ebc527...f9.exe

windows7-x64

7

bc45ebc527...f9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/11/2024, 03:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc45ebc527331fef076e05cb0f7f0d6cd40d3c2369453d90566b8466f8f1b6f9.exe

  • Size

    11.9MB

  • MD5

    4027080d8b6529444fde4b40590a16da

  • SHA1

    cd4deabb4dd53286a8f6a668701cef3ac509e4fc

  • SHA256

    bc45ebc527331fef076e05cb0f7f0d6cd40d3c2369453d90566b8466f8f1b6f9

  • SHA512

    469ba3751e947a881a78911ff76ee2c58ab46cbeb5ccffdfdd115f5c21d3e6601699b86e1ca5243fb15730dc1d45d25c5d24a175e0269fd95712087bac47be06

  • SSDEEP

    196608:DDo0XzQcFz7P/qAhJW7EdqVbkr/87dnoJ1BvcYQh47R2EovZDS5ODqLxj:3o0X8QKAh07EkOr87dnobtShPfZMODqZ

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 16 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc45ebc527331fef076e05cb0f7f0d6cd40d3c2369453d90566b8466f8f1b6f9.exe
    "C:\Users\Admin\AppData\Local\Temp\bc45ebc527331fef076e05cb0f7f0d6cd40d3c2369453d90566b8466f8f1b6f9.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\is-52MMT.tmp\bc45ebc527331fef076e05cb0f7f0d6cd40d3c2369453d90566b8466f8f1b6f9.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-52MMT.tmp\bc45ebc527331fef076e05cb0f7f0d6cd40d3c2369453d90566b8466f8f1b6f9.tmp" /SL5="$40016,12110832,121344,C:\Users\Admin\AppData\Local\Temp\bc45ebc527331fef076e05cb0f7f0d6cd40d3c2369453d90566b8466f8f1b6f9.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Users\Admin\AppData\Local\Temp\bc45ebc527331fef076e05cb0f7f0d6cd40d3c2369453d90566b8466f8f1b6f9.exe
        "C:\Users\Admin\AppData\Local\Temp\bc45ebc527331fef076e05cb0f7f0d6cd40d3c2369453d90566b8466f8f1b6f9.exe" /verysilent /password=2gbgb
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Users\Admin\AppData\Local\Temp\is-7DHM1.tmp\bc45ebc527331fef076e05cb0f7f0d6cd40d3c2369453d90566b8466f8f1b6f9.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-7DHM1.tmp\bc45ebc527331fef076e05cb0f7f0d6cd40d3c2369453d90566b8466f8f1b6f9.tmp" /SL5="$4010A,12110832,121344,C:\Users\Admin\AppData\Local\Temp\bc45ebc527331fef076e05cb0f7f0d6cd40d3c2369453d90566b8466f8f1b6f9.exe" /verysilent /password=2gbgb
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2096
          • C:\Windows\SysWOW64\msiexec.exe
            "msiexec.exe" -i "C:\Users\Admin\AppData\Local\Temp\is-S35M1.tmp\Spades.msi" -qn
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2884
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5CD79FF80E7D1CD4890FC75617744396
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2772
    • C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\shvlzm.exe
      "C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\shvlzm.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f76cef7.rbs
    Filesize

    2KB

    MD5

    28bdf779804ea2a6b104e71779d67466

    SHA1

    3ba3b7af55e449a0a2b45f6a6d79dc56f2dea29e

    SHA256

    b0e7dc2bca85c4b7606ed9bb091abf37a2fe00b092139129f66402333b7b7e0e

    SHA512

    8d5b320426d24f93c8ce27e98e1085d821aac60ac7f4184910b7f2e57d448bb30c5e63b99fe3f365b8999d0cca5196465d0283d968f55f9743540bb7198cae8e

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Microsoft_Games\Spades\shvlzm.exe
    Filesize

    8.6MB

    MD5

    679368412fd482fe978a21313d2a89c5

    SHA1

    6267e3e28881a462d91ec8e558d2988ef8030b6b

    SHA256

    beffe9a402b7721009674866ad773008c90b6af543973abdfb81391af4eb7146

    SHA512

    2f730f6d77d951ede98653b362f8affa331588bf21a60539a60eee23d912ec5d73ca2a05b69e7e7c047b2c264b8b2c260b4f866515238ffbc2b60a1c11b6270c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-S35M1.tmp\Spades.msi
    Filesize

    12.2MB

    MD5

    fffa72462209ca8b0052c7ea2876046f

    SHA1

    8af6a9c4cd018d035a189df6ac14542f92cd3804

    SHA256

    90e04f629719583732fb488460b7ba6aabd3201e3ba94d5cbf612a5c2203ecb6

    SHA512

    2c8c2e599b01d8cfb3cf23a56420e1d8d94c3651a0923fb38b79b54928d707182fc37c327d380765d5a4940fb604ae03e1111516a3ba974847b3100615b480e2

    Download Submit

  • C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\19o22.cfg
    Filesize

    33B

    MD5

    0d51520cc9d0696c90fbc721e2ed60c4

    SHA1

    fd64d113afd91a00d624622f681e71dc1d513f5a

    SHA256

    351e1e3e0d7aa85ef3178ded6d2c0d1a57ce228d50511e45f14dfcaaba77962a

    SHA512

    22060018f7bd3c2811058c488b5ce33b203d80450eb3403f5c97ba15da3a8b9dd007d765741609eda756db1af11628ebbb47a37ab8ceb1442783751df22666c5

    Download Submit

  • C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\AstClient.dll
    Filesize

    675KB

    MD5

    7bf95a14483346eae890e6f4354c74a8

    SHA1

    7de11b13cfe609d454bdd1393ed3d79a127c1b7c

    SHA256

    719f267e41c95e36f99f5da0b9d5d70054d3e9c16e99fb1122948382b976d614

    SHA512

    ef8b24e6079f05b3f1253e4487e1426639ceb5c1e13ca80046debd224353280e921ea765958f5b3f564983992a294e0242fd7bf4753cce24c51caa86557b51fe

    Download Submit

  • C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\AstCrp.dll
    Filesize

    171KB

    MD5

    dbb4bccfe8fee299d555a19865c41921

    SHA1

    a6c494854ca8bec80c05e259a9d8d9346ec61786

    SHA256

    45e87d7421b6b65c207e8d564a4e54dcdab7b104b83341f63d348f8894bde992

    SHA512

    5b5b6091655801c984e87a5de4b8c3771b7ff8a069206662650ba652711db48a4912a613015c2254215ccbd252c475c4a4f00efcb1e0dfb404c6736746a187a4

    Download Submit

  • C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\AstRct.dll
    Filesize

    1.7MB

    MD5

    59b0561cc13e47a3d7be7947e9b8a4cf

    SHA1

    172663ab62e420cbd46983f5dfacac3b550cdb4f

    SHA256

    e12baf2c64aed23a6d324fd553d5722e5d5d03d50676a0afe97c4090df3cb7c2

    SHA512

    35d3a4739176c81c5e339c5b64411cd0cbb24b2343792e2af302a585b984c158140a20050fd8015a4d49c2a69bbd31aad82a4f58e8279611ec262499dab6bd41

    Download Submit

  • C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\Hatls.dll
    Filesize

    2.1MB

    MD5

    bccf6a5c2595eea84533692bb788d8bb

    SHA1

    24318226f145e52b7633a4e9e844d6ead43b75ac

    SHA256

    abf75de674428e112f90f1c618218ff73ef851f4f09c5f5ba8b69e79a6c74dbf

    SHA512

    78f24f0812aae31e83340adeb1a1ae8c00edfdf483e299706f863cb713bfdc2501b5418ce8f8bd9131e3c704bffb58a8ca05c5e0a75eb19f15e0409c5b74e35b

    Download Submit

  • C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\SHFolder.dll
    Filesize

    5.0MB

    MD5

    5b8793493d12ae5eefe9504e53db219e

    SHA1

    d011d3607b398ae48f759187f6ff5225ae8766f9

    SHA256

    7780b89f12c957001baf9fa9e36187ddedee9965c0e56c55a9bb89bd29e48bfd

    SHA512

    9d217eafc7002ea034e2a5c3c578ae9b0d7ba76d4e6731bcb2493a1b1062c2153140adadef3a9a066e134c65244e80c1cbd0a71dde6157ddaed1f51ef4ee7345

    Download Submit

  • C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\config.ini
    Filesize

    592B

    MD5

    d0194a86163e4edc6df8d7d18e05e94f

    SHA1

    a6fa3081d4b52ad403cb7e6328323145f825db9d

    SHA256

    bf98bf21fe2e415b0ddcfca143f1470672a621e0b6bf6688c66e0ea32fc38f26

    SHA512

    332dfcb032304b027ba71e9e2f61d828834ee18aca9bd36b3774ee9187550b0b760d2ec9bd55d7bb05c38aa4ea27156dcd56abb302d487dad24cc37338d9856a

    Download Submit

  • C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\eng.lng
    Filesize

    41KB

    MD5

    a210c2a3609b1c03df6d0219f74fc543

    SHA1

    78888e250c8af963268ebc467319d71a5061db6b

    SHA256

    3a968020e1532ecaffaef3be8f15b6ecbac3d58d129eb92511deca6904d215f5

    SHA512

    7e866eb3aa958d0ba2132044d7569ac97b20d712372b7343215f8383400231a12b502437a5984f376c81e50aa88b56037767514f94cd33f582b6b5c479f70ed5

    Download Submit

  • C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\libcrypto-1_1.dll
    Filesize

    3.0MB

    MD5

    df54355a82c6ce8fdfc02e1b227410ab

    SHA1

    2e9134150f83eda3a55b7dd73d5faf6bfa9de132

    SHA256

    06d30d8a77bf336c16d50a9c9fbf64dccdda5f4e1f6146f7741cecd5492031d3

    SHA512

    29b0c47dee5a8397b3e4f4e322fed2be60937817a9bc931ba77885bbc2f196bc492cceed8f6eb2706ff4c69c3fdf0a01d2682e2c5d0ec05af21511f3af5b5aad

    Download Submit

  • C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\libcurl.dll
    Filesize

    534KB

    MD5

    13cd45df8aaa584ebd2a40ede76f1e06

    SHA1

    baa19e6a965621cb315e5f866edc179ef1d6b863

    SHA256

    3ff4e80e327f298a11e116a517be0963a0b3cd376a6a624caffacd586e6b1449

    SHA512

    285d7265ac05cecdd43650e5def9198b5f2f4d63665739baa059598e41f4ce892248d3ca7e793ac274dc05b4c19cfa11c17faea62fc1e3495c94a03851049328

    Download Submit

  • C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\libssl-1_1.dll
    Filesize

    925KB

    MD5

    cbefd9f5e05bbf57aed04b098e6f499f

    SHA1

    cbac40bfc062e7aa2befcb91687930bab9c4d241

    SHA256

    e07a95378815fbfc3b2ed21bcae5ba43106a4929273f9bbcc26eff437a3c9ab8

    SHA512

    3d0c320683e90f66a9b76613cfc84af87422fb5eee2375e918c63642b7e72faa70a6383b6e43e565d6bbeec4c8060062000bd40321165fc4b5ede8b213bda049

    Download Submit

  • C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\nf6rhik.bmp
    Filesize

    9KB

    MD5

    e658f1d571e39d8da451cf7b324ee8c8

    SHA1

    1870a580b184557b4f3a8270b67c5176d71f3a0c

    SHA256

    ac1f8f3b550b7a10be79790949e2e79fcb67a4d45abbb7b479cc074bbe7e8484

    SHA512

    37c3c70d89964ad0a593c0fe70538120446f9b841de2211ff511643b137b24e2b9fecd719220c4a2389c1559be7518676dac779f0213752b777efa6c86982083

    Download Submit

  • C:\Users\Admin\AppData\Local\programs\Microsoft_Games\Spades\sqlite3.dll
    Filesize

    815KB

    MD5

    c7f02a62ec2be3e345917640fd9e7502

    SHA1

    828f4df3e2ad0c8b04b06cecb0c539391ba09704

    SHA256

    8e85d370cc83174d34d0d6fd9153c37bb184dc9347e5a3bbfc692f9ded7be520

    SHA512

    d3c33df3e7e06bd2beb638a4e17703498cb49da0ce958beaf268784d802bf6069eac236deb0049b6d5b5b1ba252d15a3a0a4e8585730dc69c4604a88f9d38f8a

    Download Submit

  • C:\Windows\Installer\MSICF60.tmp
    Filesize

    584KB

    MD5

    8e565fd81ca10a65cc02e7901a78c95b

    SHA1

    1bca3979c233321ae527d4508cfe9b3ba825dbd3

    SHA256

    7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

    SHA512

    144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-24016.tmp\_isetup\_iscrypt.dll
    Filesize

    2KB

    MD5

    a69559718ab506675e907fe49deb71e9

    SHA1

    bc8f404ffdb1960b50c12ff9413c893b56f2e36f

    SHA256

    2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

    SHA512

    e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-52MMT.tmp\bc45ebc527331fef076e05cb0f7f0d6cd40d3c2369453d90566b8466f8f1b6f9.tmp
    Filesize

    1.1MB

    MD5

    90fc739c83cd19766acb562c66a7d0e2

    SHA1

    451f385a53d5fed15e7649e7891e05f231ef549a

    SHA256

    821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

    SHA512

    4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

    Download Submit

  • memory/1948-85-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-139-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-165-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-110-0x0000000072A70000-0x0000000072D5E000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1948-162-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-159-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-156-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-153-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-150-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-147-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-119-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-121-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-122-0x0000000061E00000-0x0000000061EB8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/1948-120-0x0000000000400000-0x0000000000D04000-memory.dmp

    Filesize

    9.0MB

    Download

  • memory/1948-123-0x0000000072A70000-0x0000000072D5E000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1948-125-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-128-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-132-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-135-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1948-144-0x0000000007000000-0x0000000007510000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2096-99-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2100-0-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2100-21-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2100-2-0x0000000000401000-0x0000000000412000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2120-8-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2120-18-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2720-16-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2720-101-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download