Overview

overview

8

Static

static

3

6234685458...fN.exe

windows7-x64

8

6234685458...fN.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    120s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2024 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    62346854582332ba2b0c68acbb1685776372a2c13aad80cc1c3937e265874b0fN.exe

  • Size

    266KB

  • MD5

    a529a8193d8afea364ea8ce6abe0ca20

  • SHA1

    ac0a275a3a506399e90195d4f73e89e4ea77358d

  • SHA256

    62346854582332ba2b0c68acbb1685776372a2c13aad80cc1c3937e265874b0f

  • SHA512

    a656b3f4899f504f7964f7eaab3ab30c183f9c18a3f471f02a248758c0ac09cc4462f054764182c175fce8c6b0a71a882455ce24685b8ef320666b32c1861e98

  • SSDEEP

    6144:1RnQDj+U72wXnrt5d9AwKUFokmQZuUkBygMRuAK+c:TQ+U7dt5E6p92+An

Score
8/10
discoveryexecutionpersistence

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62346854582332ba2b0c68acbb1685776372a2c13aad80cc1c3937e265874b0fN.exe
    "C:\Users\Admin\AppData\Local\Temp\62346854582332ba2b0c68acbb1685776372a2c13aad80cc1c3937e265874b0fN.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\blockBB.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Windows\SysWOW64\sc.exe
        sc create privtorador binpath= "cmd /K start /wait regini C:\Windows\regBB.dll" type= own type= interact
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:4796
      • C:\Windows\SysWOW64\sc.exe
        sc start privtorador
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:220
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\blockCef.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo s"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3748
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Program Files (x86)\Scpad\scpsssh2.dll" /D Administrador
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2520
      • C:\Windows\SysWOW64\sc.exe
        sc create privtorador2 binpath= "cmd /K start /wait regini C:\Windows\regCef.dll" type= own type= interact
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2732
      • C:\Windows\SysWOW64\sc.exe
        sc start privtorador2
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1320
  • C:\Windows\system32\cmd.exe
    cmd /K start /wait regini C:\Windows\regBB.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\system32\regini.exe
      regini C:\Windows\regBB.dll
      2⤵
      • Modifies registry class
      PID:3528
  • C:\Windows\system32\cmd.exe
    cmd /K start /wait regini C:\Windows\regCef.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Windows\system32\regini.exe
      regini C:\Windows\regCef.dll
      2⤵
      • Modifies registry class
      PID:3972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\blockbb.bat
    Filesize

    150B

    MD5

    f430aa73c8c7a904f16c4fb08a0631c9

    SHA1

    21bfbfae75073175b26728c31e8538e8192a580a

    SHA256

    8a32ea32a4be25484356fa74eeab522ac946975855744576d05b56d6f647119d

    SHA512

    34a8c2f71fc8298c648ede8e8e26233ff29c05e8de881703b3270d5215f7d7d84f11163e166df05b36d8e7998246e2cf13af1420b3f81d0908a0fcdbd6acc240

    Download Submit

  • C:\Windows\blockcef.bat
    Filesize

    221B

    MD5

    26c836dd8f5c1a52e0ac8f0fb2118018

    SHA1

    6c6618d782d3a3917e590ba693cefc57a4e0165b

    SHA256

    c6db26b8e0e4805a8abf8cc399e31ee32300ec6cd2a51ab3554cdaea67a91a9e

    SHA512

    b734b61c58527bfd6ecfe08e38b1316278e1dff981123394e11678c77d7a98ee37a6b454a95a59725af33abffa8de4471f1a13ec1211d39a3372cfa9e4d78952

    Download Submit

  • C:\Windows\regBB.dll
    Filesize

    602B

    MD5

    75c88f0e4063fa4b2740ffde7e807e4f

    SHA1

    e114692c54a81070e83d5f731580e70e804ad957

    SHA256

    f3cc1573fb86fb2837d6a5c4b8e83a76a2a37ad00433b63e10e29a22887597df

    SHA512

    251050bfa49fff4c0290f27afbf01c38c113e2628a262bbb5f7da6b7c6460704caded48cf62af27a58b4df898dc893d9e72be396d68c61395ca0e77dbf9ef7af

    Download Submit

  • C:\Windows\regCef.dll
    Filesize

    602B

    MD5

    3aa8185e72179791676feea73a81a955

    SHA1

    cfdf18b9c6bc2177191082e362faefdddf913fdc

    SHA256

    d7c9dec38ef63025ebd78812d7b2c33e9372510953e9fadd0c54f46c23a51e2d

    SHA512

    ca8692afdcbd17cba8dd652c5a088e247b5ddee2dbfc351188f9f7bb7b407eae834e04cbaca3360079b5f9d38518a3fbfbe0e215a2f58ff10a11be3cdd73f971

    Download Submit

  • memory/2008-0-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2008-1-0x00000000022B0000-0x00000000022B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2008-2-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2008-4-0x00000000022B0000-0x00000000022B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2008-15-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2008-16-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download

  • memory/2008-18-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

    Download