bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe
Size

4.8MB
MD5

fa080621f54ec72099a393c75140f896
SHA1

d09fdf00b2c22d628284f3c6b31871f277597090
SHA256

bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2
SHA512

341cc2f03237bde5acf220a893c1148abbd82cbb778c21db096d7f1bd7c285e8df1a3b91805137e6932aebcaa41f3968d888ee51730a6eb322afe1d63e6673eb
SSDEEP

98304:/BCHQcsibw8SPLQTtSQo5Z8DERxrfExYzzjQftLbMGk0/K9h9w:5CwcXMHLgy6txejWMGkGKz

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2196	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe
2196	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe
2196	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe
2196	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe
2196	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe
2196	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe
2196	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe
2196	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	2196	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2196	1860	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe	28
PID 1860 wrote to memory of 2196	1860	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe	28
PID 1860 wrote to memory of 2196	1860	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe	28
PID 1860 wrote to memory of 2196	1860	bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe	28

C:\Users\Admin\AppData\Local\Temp\bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe
"C:\Users\Admin\AppData\Local\Temp\bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe
  "C:\Users\Admin\AppData\Local\Temp\bc4585ed5e0bbe17ed4527d94b801818ca3bf45b22caee74f004b25bbc1879e2.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI18602\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\_ctypes.pyd

Filesize
83KB

MD5
5d1bc1be2f02b4a2890e921af15190d2

SHA1
057c88438b40cd8e73554274171341244f107139

SHA256
97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da

SHA512
9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\base_library.zip

Filesize
717KB

MD5
cac660ab8c3c0de1ff2f0489b949c554

SHA1
76f23543e0859dd806d756be451269752e519a52

SHA256
d64d4e49831a3a25f98410fabb8fcc15546912f58d0fdb11dd0f245e2d535bd2

SHA512
cea62309b59e5c82bbd772a446e8746ca76e44a2b924ac6517137a14545fce9d3429500858d4279154058482e5c8e3461e410410622363332fc02fde38061250

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\python34.dll

Filesize
2.6MB

MD5
998085f5da30574e6d6fd8ae1c693d04

SHA1
4e96027fe8dddb131266b95c77772c1d9a024412

SHA256
9366323f45061e953f42cbc51738535a21710f3cf0af395f316eb7966d08d9d9

SHA512
440f841d43537d3f4af6ba6c5b4b8ccb1bd429f6c59a16fe07fa501b7b4bfba79f4df08906e654afea5a94b9f4428ba03083e79b4b452013674ec443a89e41e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\pywintypes34.dll

Filesize
103KB

MD5
d359238f711bf21a65d447d2efe8962b

SHA1
ba8c7e0ccc15a69f45f96a997d1bd27ebb9daade

SHA256
9a279dd91a80b8811d6303fbbfc4f5fd1321d68f6d6028113061bbd8a46fc3a4

SHA512
a285f98fdefd48b3955454701baff28d2bb112eb799b3ce40b04b20dcec87e254b209bd970b82f09c47900d064eff51b325ef52452e69f83edbc0372625a9311

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\vWeed706.exe.manifest

Filesize
1KB

MD5
c037f0b6ff59182a263ae3fd3c4084cc

SHA1
2e105fe89754eac5899dad2370630a38dac2797d

SHA256
79b9e78bfb4f7d02b74b1eb23a034dcbf79d730a1ad3f7bfd4302e70416e7680

SHA512
46b068f0556ac9c8c5747cc9d60e137b2adb0def74c8fd5d0b4f780366ff9cf92af32ef2f2ddd5f84f9bac84d8025bbf1d0bf6f1085d69e34c3576fdd4a3acb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\win32api.pyd

Filesize
95KB

MD5
a3f2f5f4239be835b3329fe95e1009e2

SHA1
3825178b147b843052cd23abad7e379bfc0f9dcd

SHA256
0cc7c2e15590291a0969a943d046fe2c96f02bad6a8de9147689b194560afcc1

SHA512
7b4abf0da74ee794ba036498381f5424c49f11fa9fbc7e6ad9107223c55f1c944934361b44935233c0fec39a9dbf1e6a17fdbb115dd9b6c999510be7cc2e9019

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18602\win32pdh.pyd

Filesize
25KB

MD5
07c09525e3a2ce1c637d5393d7a0bae6

SHA1
cb5bae5e4309afef43a501ed58b8b0d9dd91faef

SHA256
679f4c7008abdf87cbfc02add1d60936bbdc518f380e90e7af214b338811ca7b

SHA512
e9f9638376dbabc20330a49e7cffcd55e7da7adc5e1bebb1309605b30d3cb959e6f3cbac8cfd915c7e5d373b6810ebaf120124181b421fb101ec8bb3382b7bbf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18602\Crypto.Cipher._AES.pyd

Filesize
29KB

MD5
3c4ab2e06feb6e4ca1b7a1244055671a

SHA1
a4c3c44b45248b7cf53881e6d8efa8d557e100a9

SHA256
c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23

SHA512
7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18602\_socket.pyd

Filesize
46KB

MD5
ebc931925d333427e182eb58eb4cecce

SHA1
90a811fa23c1ea1244eddef5f3371411af354fd6

SHA256
e29cc2340a9577f82c45abe6707e2817575ee02ac374f4864885410d411e6bea

SHA512
52767f0e49a600ab6b025265cd0220dfd84c24ccec24f7268974123cad41a287a015021357ec4b88eae0dc0dd2517bb5d07f1aaaf08fd36e7bedd0fab8047ab9

Download Submit
memory/1860-47-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2196-37-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download