54cdce4be37c4ce2ef3f5a3adfcfdf22f002f345500db57098bd29a49d7b60a9

General

Target

1.bat
Size

4KB
MD5

22eacca2035b4f78dbd5c591d4555343
SHA1

adb82749c10765524011b4ed30388d86e252ed69
SHA256

54cdce4be37c4ce2ef3f5a3adfcfdf22f002f345500db57098bd29a49d7b60a9
SHA512

55e97b4b59df77de865b9880776fbe75fbc25d7b211d4ed64fcb9c02ae9fa7c5bea00350a7396bcef46b8d7ce5e0f0c0e99e7b8f42f4513ffe448a90966303c4

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Suspected Bizarro Banker Activity (POST)
suricata
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1504 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

OyBNn.exe

pid process

900 OyBNn.exe
Loads dropped DLL 1 IoCs

Processes:

OyBNn.exe

pid process

900 OyBNn.exe

flow	pid	process
4	1504	powershell.exe

pid	process
900	OyBNn.exe

pid	process
900	OyBNn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\eBxomhT = "\"C:\\Users\\Public\\BFrEflPt\\OyBNn.exe\" \"C:\\Users\\Public\\BFrEflPt\\OTPDZYpr\" \"C:\\Users\\Public\\BFrEflPt\\eBxomhT\""	powershell.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

OyBNn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "No"	OyBNn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No"	OyBNn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No"	OyBNn.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

OyBNn.exe

pid process

900 OyBNn.exe

pid	process
900	OyBNn.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exeOyBNn.exe

pid	process
1504	powershell.exe
1504	powershell.exe
900	OyBNn.exe
900	OyBNn.exe
900	OyBNn.exe
900	OyBNn.exe
900	OyBNn.exe
900	OyBNn.exe
900	OyBNn.exe
900	OyBNn.exe
900	OyBNn.exe
900	OyBNn.exe
900	OyBNn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1504 powershell.exe
Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

powershell.exeOyBNn.exe

pid process

1504 powershell.exe
1504 powershell.exe
1504 powershell.exe
900 OyBNn.exe
900 OyBNn.exe
900 OyBNn.exe
900 OyBNn.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

OyBNn.exe

pid process

900 OyBNn.exe
900 OyBNn.exe
900 OyBNn.exe

description	pid	process
Token: SeDebugPrivilege	1504	powershell.exe

pid	process
900	OyBNn.exe
900	OyBNn.exe
900	OyBNn.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

cmd.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 628 wrote to memory of 1656	628	cmd.exe	cmd.exe
PID 628 wrote to memory of 1656	628	cmd.exe	cmd.exe
PID 628 wrote to memory of 1656	628	cmd.exe	cmd.exe
PID 1656 wrote to memory of 1720	1656	cmd.exe	chcp.com
PID 1656 wrote to memory of 1720	1656	cmd.exe	chcp.com
PID 1656 wrote to memory of 1720	1656	cmd.exe	chcp.com
PID 628 wrote to memory of 1256	628	cmd.exe	chcp.com
PID 628 wrote to memory of 1256	628	cmd.exe	chcp.com
PID 628 wrote to memory of 1256	628	cmd.exe	chcp.com
PID 628 wrote to memory of 1632	628	cmd.exe	cmd.exe
PID 628 wrote to memory of 1632	628	cmd.exe	cmd.exe
PID 628 wrote to memory of 1632	628	cmd.exe	cmd.exe
PID 1632 wrote to memory of 1648	1632	cmd.exe	cmd.exe
PID 1632 wrote to memory of 1648	1632	cmd.exe	cmd.exe
PID 1632 wrote to memory of 1648	1632	cmd.exe	cmd.exe
PID 1632 wrote to memory of 1504	1632	cmd.exe	powershell.exe
PID 1632 wrote to memory of 1504	1632	cmd.exe	powershell.exe
PID 1632 wrote to memory of 1504	1632	cmd.exe	powershell.exe
PID 1504 wrote to memory of 900	1504	powershell.exe	OyBNn.exe
PID 1504 wrote to memory of 900	1504	powershell.exe	OyBNn.exe
PID 1504 wrote to memory of 900	1504	powershell.exe	OyBNn.exe
PID 1504 wrote to memory of 900	1504	powershell.exe	OyBNn.exe
PID 628 wrote to memory of 1952	628	cmd.exe	chcp.com
PID 628 wrote to memory of 1952	628	cmd.exe	chcp.com
PID 628 wrote to memory of 1952	628	cmd.exe	chcp.com

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chcp
2⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\chcp.com
chcp
3⤵
PID:1720

C:\Windows\system32\chcp.com
chcp 708
2⤵
PID:1256

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo %bv4jve9jmIJbsBKNh% "
3⤵
PID:1648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ep bypass -nop -win 1 -
3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Public\BFrEflPt\OyBNn.exe
"C:\Users\Public\BFrEflPt\OyBNn.exe" OTPDZYpr eBxomhT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:900

C:\Windows\system32\chcp.com
chcp 437
2⤵
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\BFrEflPt\OTPDZYpr
MD5
305267684e1173cf3dc972eb8f091da5

SHA1
a9e415f2d21348c9cd84281f9379ea4c16754d7b

SHA256
221c7b66f5e3ddb0dce391bbe1b3aa610c568ee4a0599a5da8ba1ba557ca9bb0

SHA512
8f85d2782a3c63b06713f5a87308ee0db3a855da45d7426bfebaca4aedb1f3d78ae3710a43695c4c25051a834a7c8af931622ee94fa2af28c3f3888e728cd23d

Download Submit
C:\Users\Public\BFrEflPt\OyBNn.exe
MD5
01f601da6304451e0bc17cf004c97c43

SHA1
1aa363861d1cfc45056068de0710289ebbfcb886

SHA256
945adada6cf6698b949359d9b395a5f905989d0d1eb84f537de492ecc1263148

SHA512
cc74c0b016ab1f53069f6ffbe1e35373090a64ad5630cefbb70e72febdd00fb2d885838e5b9836382bf4b160998a08d7ce149071c73b10aa4320bca00805cb6b

Download Submit
C:\Users\Public\BFrEflPt\eBxomhT.DLL
MD5
accaacf8539040c927f65dabb0dce397

SHA1
b9020895d761fa03c25739302cec95fd80740abc

SHA256
445a563899aed8b661ba2362bed89f4c92bcc8e22de32922217a39139f681cc6

SHA512
4ac02d0e2724b1fe1c23a3780e210410205dac56a100f12bab19b8b87504eb22e79ccf732ed5acb2323d1627fd29d27dfd9932b99827a1e417ee770795bb0999

Download Submit
\Users\Public\BFrEflPt\eBxomhT.dll
MD5
accaacf8539040c927f65dabb0dce397

SHA1
b9020895d761fa03c25739302cec95fd80740abc

SHA256
445a563899aed8b661ba2362bed89f4c92bcc8e22de32922217a39139f681cc6

SHA512
4ac02d0e2724b1fe1c23a3780e210410205dac56a100f12bab19b8b87504eb22e79ccf732ed5acb2323d1627fd29d27dfd9932b99827a1e417ee770795bb0999

Download Submit
memory/900-85-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/900-86-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/900-75-0x0000000000000000-mapping.dmp

Download
memory/900-84-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/900-83-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/900-82-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/900-87-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/900-88-0x0000000002FA0000-0x0000000003CA0000-memory.dmp

Filesize
13.0MB

Download
memory/900-77-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/900-89-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1256-61-0x0000000000000000-mapping.dmp

Download
memory/1504-66-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1504-69-0x000000001ABE0000-0x000000001ABE2000-memory.dmp

Filesize
8KB

Download
memory/1504-73-0x000000001C550000-0x000000001C551000-memory.dmp

Filesize
4KB

Download
memory/1504-72-0x000000001B720000-0x000000001B721000-memory.dmp

Filesize
4KB

Download
memory/1504-71-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1504-64-0x0000000000000000-mapping.dmp

Download
memory/1504-70-0x000000001ABE4000-0x000000001ABE6000-memory.dmp

Filesize
8KB

Download
memory/1504-74-0x000000001ABC0000-0x000000001ABC1000-memory.dmp

Filesize
4KB

Download
memory/1504-68-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1504-67-0x000000001AC60000-0x000000001AC61000-memory.dmp

Filesize
4KB

Download
memory/1504-65-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/1632-62-0x0000000000000000-mapping.dmp

Download
memory/1648-63-0x0000000000000000-mapping.dmp

Download
memory/1656-59-0x0000000000000000-mapping.dmp

Download
memory/1720-60-0x0000000000000000-mapping.dmp

Download
memory/1952-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads