e63c6f3e382610933bfa3229550cdb7ff7d1fa69cc44379ba720f49983d3afc1

Analysis

max time kernel
40s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
31-10-2020 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BubbleBrowserMaintenance.exe
Size

567KB
MD5

477fa159316a4d4f6341aa21a81d9522
SHA1

1bd0b6d9782bfceda6a374adcc0329aee52b074c
SHA256

e63c6f3e382610933bfa3229550cdb7ff7d1fa69cc44379ba720f49983d3afc1
SHA512

27c86effb5b4c8074fd729dc766cb0082f091a1eeeb4acc0584c8ee565cf36118ae46674849cc682a6109a540488722bd868a87b2f88c8c64cf04ed611446898

Score

8^/10

discovery spyware

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

910168.exe78210.exe817557.exe910168.exe

pid process

1516 910168.exe
3132 78210.exe
3100 817557.exe
1324 910168.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

910168.exe

description pid process target process

PID 1516 set thread context of 1324 1516 910168.exe 910168.exe

pid	process
1516	910168.exe
3132	78210.exe
3100	817557.exe
1324	910168.exe

flow	ioc
22	api.ipify.org

description	pid	process	target process
PID 1516 set thread context of 1324	1516	910168.exe	910168.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

910168.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	910168.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	910168.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

817557.exe78210.exe910168.exe

pid process

3100 817557.exe
3132 78210.exe
3100 817557.exe
3132 78210.exe
1324 910168.exe
1324 910168.exe

pid	process
3100	817557.exe
3132	78210.exe
3100	817557.exe
3132	78210.exe
1324	910168.exe
1324	910168.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

BubbleBrowserMaintenance.exe910168.exe78210.exe817557.exe

description	pid	process
Token: SeDebugPrivilege	3240	BubbleBrowserMaintenance.exe
Token: SeDebugPrivilege	1516	910168.exe
Token: SeDebugPrivilege	3132	78210.exe
Token: SeDebugPrivilege	3100	817557.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

BubbleBrowserMaintenance.execmd.execmd.execmd.exe910168.exe

description	pid	process	target process
PID 3240 wrote to memory of 2128	3240	BubbleBrowserMaintenance.exe	cmd.exe
PID 3240 wrote to memory of 2128	3240	BubbleBrowserMaintenance.exe	cmd.exe
PID 3240 wrote to memory of 2128	3240	BubbleBrowserMaintenance.exe	cmd.exe
PID 2128 wrote to memory of 1516	2128	cmd.exe	910168.exe
PID 2128 wrote to memory of 1516	2128	cmd.exe	910168.exe
PID 2128 wrote to memory of 1516	2128	cmd.exe	910168.exe
PID 3240 wrote to memory of 1360	3240	BubbleBrowserMaintenance.exe	cmd.exe
PID 3240 wrote to memory of 1360	3240	BubbleBrowserMaintenance.exe	cmd.exe
PID 3240 wrote to memory of 1360	3240	BubbleBrowserMaintenance.exe	cmd.exe
PID 1360 wrote to memory of 3132	1360	cmd.exe	78210.exe
PID 1360 wrote to memory of 3132	1360	cmd.exe	78210.exe
PID 1360 wrote to memory of 3132	1360	cmd.exe	78210.exe
PID 3240 wrote to memory of 3896	3240	BubbleBrowserMaintenance.exe	cmd.exe
PID 3240 wrote to memory of 3896	3240	BubbleBrowserMaintenance.exe	cmd.exe
PID 3240 wrote to memory of 3896	3240	BubbleBrowserMaintenance.exe	cmd.exe
PID 3896 wrote to memory of 3100	3896	cmd.exe	817557.exe
PID 3896 wrote to memory of 3100	3896	cmd.exe	817557.exe
PID 3896 wrote to memory of 3100	3896	cmd.exe	817557.exe
PID 1516 wrote to memory of 1324	1516	910168.exe	910168.exe
PID 1516 wrote to memory of 1324	1516	910168.exe	910168.exe
PID 1516 wrote to memory of 1324	1516	910168.exe	910168.exe
PID 1516 wrote to memory of 1324	1516	910168.exe	910168.exe
PID 1516 wrote to memory of 1324	1516	910168.exe	910168.exe
PID 1516 wrote to memory of 1324	1516	910168.exe	910168.exe
PID 1516 wrote to memory of 1324	1516	910168.exe	910168.exe
PID 1516 wrote to memory of 1324	1516	910168.exe	910168.exe
PID 1516 wrote to memory of 1324	1516	910168.exe	910168.exe
PID 1516 wrote to memory of 1324	1516	910168.exe	910168.exe
PID 1516 wrote to memory of 1324	1516	910168.exe	910168.exe
PID 1516 wrote to memory of 1324	1516	910168.exe	910168.exe

C:\Users\Admin\AppData\Local\Temp\BubbleBrowserMaintenance.exe
"C:\Users\Admin\AppData\Local\Temp\BubbleBrowserMaintenance.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\268973.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\ProgramData\910168.exe
C:\ProgramData\910168.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\ProgramData\910168.exe
"C:\ProgramData\910168.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\78210.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\ProgramData\78210.exe
C:\ProgramData\78210.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\817557.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\ProgramData\817557.exe
C:\ProgramData\817557.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\268973.bat
MD5
5c8925172783871cfd84e0a97bfac7af

SHA1
ab70def33daca505372c89dd1455efd09aee0e1d

SHA256
8cdb3afa527780937fd4bb9e5454993b4679d1002006a78a6ee28660e6f0f085

SHA512
2b77d0b6bd7b085119eff9dff239a96ad24ea4d335bf5be717225c6997532c1ffdc51f1f18ddb711ff9bc38652c26a4da4a2f733fd4cdcfddc9d1b47f84e775b

Download Submit
C:\ProgramData\78210.bat
MD5
7bc4db159ac17da347b082690c922ada

SHA1
77ef91145f96a33876dcc7069a3746b0a3da2e3e

SHA256
ae8c26d88741b6ca5978126a197eaadd9ce1d0df50bcd7fc738b88ea603ce143

SHA512
dfd3d1556978ebac5e2ac50a22716543f4a7e4b6a06186192016381bc299631ed8f33dba90f1109af16918a041cde0e24485753590f0c2703459141de7f5f32c

Download Submit
C:\ProgramData\78210.exe
MD5
99629f1b588fc022ee4938b33275426b

SHA1
ad4a19bd2b573271021f01c050458749c8947e68

SHA256
088ddff3b9e8c85d9c4861dcd0a5ead06c80dcba8d9f325def725721229a5af4

SHA512
b56c39d669c69f541c0ca91d23818ce16854852f5e5f3b69659e72a95cf89c86086ff086ff29521ef11c1d2f3776974759d43d03b2409e39c705996d0943ba82

Download Submit
C:\ProgramData\78210.exe
MD5
99629f1b588fc022ee4938b33275426b

SHA1
ad4a19bd2b573271021f01c050458749c8947e68

SHA256
088ddff3b9e8c85d9c4861dcd0a5ead06c80dcba8d9f325def725721229a5af4

SHA512
b56c39d669c69f541c0ca91d23818ce16854852f5e5f3b69659e72a95cf89c86086ff086ff29521ef11c1d2f3776974759d43d03b2409e39c705996d0943ba82

Download Submit
C:\ProgramData\817557.bat
MD5
b2bce577d17923aa1fddeba12ef62008

SHA1
5360657747dcb0d1c954e4534604d2e77717917d

SHA256
7f6841531a8ba065ffac9e58a2837761f0f7496c79a0e9c776bfd528992a2373

SHA512
39e901d3ca43e02734646a787f3dfaa456fe4cbbff0c01dc9b54c50351b64aac18853e12b73d1c16c67d18ce4794080fbd8f23e680c951c6c773562fd78cfa6c

Download Submit
C:\ProgramData\817557.exe
MD5
8091d2a16dd317ac22b435c1ab70e62f

SHA1
b0b12a3931b4945ea350af250aac95c863fada25

SHA256
5cd880c362ffb0f0e3c5e8b3d235c8e2f254ab382cec9bc6e3a887f2177b7e2f

SHA512
ea05c33cbc18867c4730a6b9d1be621695a66eb0dee2463bcb14f8ef01521c573a05a4e867331b45b13451237603ede42e15c14f5244b7fc130764e04cc6af55

Download Submit
C:\ProgramData\817557.exe
MD5
8091d2a16dd317ac22b435c1ab70e62f

SHA1
b0b12a3931b4945ea350af250aac95c863fada25

SHA256
5cd880c362ffb0f0e3c5e8b3d235c8e2f254ab382cec9bc6e3a887f2177b7e2f

SHA512
ea05c33cbc18867c4730a6b9d1be621695a66eb0dee2463bcb14f8ef01521c573a05a4e867331b45b13451237603ede42e15c14f5244b7fc130764e04cc6af55

Download Submit
C:\ProgramData\910168.exe
MD5
2cf01c6c1473eca8ae4003751446731b

SHA1
ecfe6c077933d259492eb5f6d8992d59f0dc9cc9

SHA256
cf91ee51bc83324caf636eb63da1041ca207263a8a1d30d42881897c6f222b28

SHA512
07d04012110cffe46093d3ce6c4ad3cffffdbc8eb12333beb6534b2db90241426e431f190c2790fec857a471ec17f0b2611f4f85cbdb17a0ea8f70e1fbcf8f4f

Download Submit
C:\ProgramData\910168.exe
MD5
2cf01c6c1473eca8ae4003751446731b

SHA1
ecfe6c077933d259492eb5f6d8992d59f0dc9cc9

SHA256
cf91ee51bc83324caf636eb63da1041ca207263a8a1d30d42881897c6f222b28

SHA512
07d04012110cffe46093d3ce6c4ad3cffffdbc8eb12333beb6534b2db90241426e431f190c2790fec857a471ec17f0b2611f4f85cbdb17a0ea8f70e1fbcf8f4f

Download Submit
C:\ProgramData\910168.exe
MD5
2cf01c6c1473eca8ae4003751446731b

SHA1
ecfe6c077933d259492eb5f6d8992d59f0dc9cc9

SHA256
cf91ee51bc83324caf636eb63da1041ca207263a8a1d30d42881897c6f222b28

SHA512
07d04012110cffe46093d3ce6c4ad3cffffdbc8eb12333beb6534b2db90241426e431f190c2790fec857a471ec17f0b2611f4f85cbdb17a0ea8f70e1fbcf8f4f

Download Submit
memory/1324-48-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1324-49-0x0000000000401480-mapping.dmp

Download
memory/1324-51-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1360-12-0x0000000000000000-mapping.dmp

Download
memory/1516-10-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1516-9-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/1516-47-0x0000000004E80000-0x0000000004E96000-memory.dmp

Filesize
88KB

Download
memory/1516-46-0x0000000004F00000-0x0000000004F56000-memory.dmp

Filesize
344KB

Download
memory/1516-6-0x0000000000000000-mapping.dmp

Download
memory/2128-4-0x0000000000000000-mapping.dmp

Download
memory/3100-36-0x000000000AC50000-0x000000000AC75000-memory.dmp

Filesize
148KB

Download
memory/3100-44-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/3100-38-0x000000000AD10000-0x000000000AD11000-memory.dmp

Filesize
4KB

Download
memory/3100-35-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/3100-29-0x0000000000000000-mapping.dmp

Download
memory/3100-33-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/3100-32-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/3132-17-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/3132-22-0x000000000A390000-0x000000000A391000-memory.dmp

Filesize
4KB

Download
memory/3132-23-0x000000000A370000-0x000000000A371000-memory.dmp

Filesize
4KB

Download
memory/3132-21-0x0000000004BE0000-0x0000000004C05000-memory.dmp

Filesize
148KB

Download
memory/3132-27-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3132-42-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/3132-14-0x0000000000000000-mapping.dmp

Download
memory/3132-20-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/3132-18-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3240-0-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/3240-3-0x00000000048E0000-0x0000000004944000-memory.dmp

Filesize
400KB

Download
memory/3240-1-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3896-26-0x0000000000000000-mapping.dmp

Download