Analysis
-
max time kernel
299s -
max time network
282s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
16-03-2023 12:52
General
-
Target
Bpznb.msi
-
Size
3.8MB
-
MD5
c39fec313f716b37b80ccf946ef5cc83
-
SHA1
7af29257d77bab7ed5a70293abe44da3c1c10c37
-
SHA256
015151bd2d2bfb88389899bfac44b0e17a28db00abc8e1463058d84de40b1925
-
SHA512
0eeb8fa73bbf1886101db96ea376343fae6bae872a264b55feb58a1060c75772f45b5244b005613830e056cd7a58f8307bb54c01417cacd7a57d46542b160291
-
SSDEEP
49152:LpUPlOPlQRNDP9nqI5KKs2p8iYu9ap7QqKHKG+n2H6h1Ug:LpTt4NDVPKB2vinG8n2Hs
Malware Config
Extracted
stealc
http://193.233.20.145
Extracted
laplas
http://193.233.20.134
-
api_key
57728dce0f7018e17faf9f061cb2d77048e08414376baf6d860b78e74e83c208
Signatures
-
Detects Stealc stealer 1 IoCs
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 4 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 54 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Bpznb.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 56C14C1AAFFAB653F8F8EF6BF515945A2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-0cb0b36d-ec1d-49e1-918d-1f08f218ebb4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\MW-0cb0b36d-ec1d-49e1-918d-1f08f218ebb4\files\Bpznb.exe"C:\Users\Admin\AppData\Local\Temp\MW-0cb0b36d-ec1d-49e1-918d-1f08f218ebb4\files\Bpznb.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MW-0cb0b36d-ec1d-49e1-918d-1f08f218ebb4\files\Bpznb.exeC:\Users\Admin\AppData\Local\Temp\MW-0cb0b36d-ec1d-49e1-918d-1f08f218ebb4\files\Bpznb.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe"C:\Users\Admin\AppData\Local\Temp\JJKFBFIJJE.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-0cb0b36d-ec1d-49e1-918d-1f08f218ebb4\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16B
MD58a2d9b289c19e05fd0379b82f2919a21
SHA197440fb16a4b8c0ede2d527141749aab76a7a252
SHA256158fa2d1f60e6330072d181063c9b6d2c2c19fd92b5400f382f7d95bfaec1fec
SHA512cd553fea1140ebb0231c1ecb618793e6a4746a35129bc7a7c96e066cd17edf0f1fec65ee483784add1c296b06637e4f0ddf1e13c6e9231ec54ee2fc458acd015
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
10.5MB
MD5d75c660c2584891aa2072643e345c941
SHA1cc3ed51870ecd89963428c4d3638c8a99d0ea991
SHA25611b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be
SHA5128a9ab5f164b7268ff56529c35bf97dccedff20f822e2a4daabc97e0af7cfd9f31593df440a337e6b9d84db60e5ed0be6f238545f367dada3012c54f4c61bd7d6
-
Filesize
10.5MB
MD5d75c660c2584891aa2072643e345c941
SHA1cc3ed51870ecd89963428c4d3638c8a99d0ea991
SHA25611b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be
SHA5128a9ab5f164b7268ff56529c35bf97dccedff20f822e2a4daabc97e0af7cfd9f31593df440a337e6b9d84db60e5ed0be6f238545f367dada3012c54f4c61bd7d6
-
Filesize
3.2MB
MD5d48e27fd09c1b7d7efc29939323126fb
SHA1321f957363671d8f0f87eb7a8efac23e5e7252e0
SHA256a74cd4380aa8bdca4391c1a76073bf8ca20c6b605f93d359f46638e994a9d3ce
SHA5123e89a71527a6488b43b19462cbdd00da3650905ae198c94d977dd9140261dfb3d7598da0dd64c197d2629a212498ff65bb29898009d5c757e35465df1b087565
-
Filesize
900.0MB
MD5e8a6986d0f9f178b7fe6b9dede6fbc7d
SHA1591b22364bc3e56209699857a8425976cfa1ea18
SHA256a918b48176792f8fda48ccb3912419cdef9b41731ffff056db86c75341ac1ac0
SHA5121e626856d406567c61dab0b26877a26a5bbafb8ce65bb198f7fe1fec581e9b17648153a4f4112f6bc5fb6dde3cb79d6494ce03e361b3d7ed965b7769e500d9c2
-
Filesize
900.0MB
MD5e8a6986d0f9f178b7fe6b9dede6fbc7d
SHA1591b22364bc3e56209699857a8425976cfa1ea18
SHA256a918b48176792f8fda48ccb3912419cdef9b41731ffff056db86c75341ac1ac0
SHA5121e626856d406567c61dab0b26877a26a5bbafb8ce65bb198f7fe1fec581e9b17648153a4f4112f6bc5fb6dde3cb79d6494ce03e361b3d7ed965b7769e500d9c2
-
Filesize
509.5MB
MD53d4ab834a075e2ffc3af2c233df3dd52
SHA1b9df2e64686efe7604921335548c2a7f49dfd140
SHA256a3fb47939c53e36e44b48f3740704e5a9378d9871ccbf40921577f2aae6308f4
SHA5120c56c1d670735e1160695f2144525c67c21da4fe9ffd438fca76d6893d0082d07326c32308ec7344bcf7fa25cbbf50f49503d3bc1144a2801a4dccf82b9bae4a
-
Filesize
382B
MD5d9dd4fea0fd7f87d415982747e101f03
SHA133e677b7b741a96e9d8c85be54457979b34eb182
SHA2569f8754993451ba12da20ab6e863219f6d551b7b86d4d051c2311fa47ef648b77
SHA512b9201057ce44722dae6f9353fdbdc3d8a0fb9ef0b53f0216b6a4fc9488394543f537f9a20352ec3f72ed6e0daed0eb3bcbc092ac73fdaa5e3a683b129b88b094
-
Filesize
1KB
MD565fc8508e4c36e30d59d93e575fc74b8
SHA11f5c90cdb45f5f76e998ab78c2aa7b8d1696cb63
SHA2562560f0c2f7eca15a8c12b733e335e286ba969f5bc1e0af8e4d040fd52a1cf737
SHA512a5eaf34db08dd19dc1b73e10fd8dc01cbaeb4c139dbbe2a4d685ad55b69165ab2cf3f06d0801a7a66994c75c9d1d21d0ae2328158e987250f8d0ce6dc4dac007
-
Filesize
1KB
MD50e93445bae4dbe90b99c12a20606e78a
SHA1ae96ae94821d58559efd6f3b04d833f94d169a8a
SHA25640c627ea10e693faefe337c3e70b07a96ea163acdf208ad5a929ee0772a0d8ac
SHA512db627b07c0efcc9eb7ae9cce2ba4f06b782a65b1440e98f1ab11fa06aa24f1ad93a53e3e553e879f429844f031eca1f0b8083dfdd9265b7d309cb3360234fc80
-
Filesize
1KB
MD50e93445bae4dbe90b99c12a20606e78a
SHA1ae96ae94821d58559efd6f3b04d833f94d169a8a
SHA25640c627ea10e693faefe337c3e70b07a96ea163acdf208ad5a929ee0772a0d8ac
SHA512db627b07c0efcc9eb7ae9cce2ba4f06b782a65b1440e98f1ab11fa06aa24f1ad93a53e3e553e879f429844f031eca1f0b8083dfdd9265b7d309cb3360234fc80
-
Filesize
1KB
MD54e93a57f0bfa72a2df47ff3154a5daa1
SHA14b336a0d6b24483d6497011b62232ab1b6b22d20
SHA256a55898a21faa81cf3b36f7357af5c15e20b1ddd62cb260140a9f6e5eafa5d557
SHA512e8ce4e24dfad8e765ff32b3333a2089f69b617412e8049a3591ad11989bc280c4f67599215f83210890a5349fc6f2591f64f029ec3e4c5f9241f19b965aad854
-
Filesize
209.3MB
MD55d3c6933898c8d342561e9e5a56c2392
SHA15783d8b21237dd19dd2b3cf76ac7944ff5571138
SHA256281628cea919b48fec138cfea2e68a4596934d6adc2fb75687c28d4de8cff327
SHA512052fe5beef8afb42598345c39e29264c57488bcacd5b7a04261abc1985ff753564e277077613c957ffb1fc27007fba4fe83184f46d0e022f71e6db52e1098423
-
Filesize
207.1MB
MD504bc172a18671f795c91022e91e94140
SHA1402d987b167979d99f1c1bdc1101335bfc066d87
SHA2569f57d845373185b7fc014311672d526e205c012938244d53c37059a215d3fbf5
SHA512386a5b46bbbbcc3851e281fa8f4a97a0fd1e81f9901cc58981748ef4345adfdfc177363fdd4d0cfa7207cd3c2318ae5b740838756ab0e5c26256741966b104a4
-
Filesize
210.1MB
MD5afcf09edebcaac345c6b091098296ff0
SHA11bdcc4b43a43315329c85849626aab7ad48eec71
SHA2565ec6d49b88f7f80f4db7e6f7e7796e27457ab5b73e70e508a972ef752fde1b2e
SHA5125890974a00c7f996b11f0a6f8be146179bf67408cac1bf1baaa5670c5e89ba9225f1de972c21d84c52108bef404cd9133b1bad4a44dd0e9b0f1c481fd3ffc081
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
23.0MB
MD5d5ba1b07de1dbafae0d62d58f2bafe7c
SHA14821c2c1bdfc563951985f6ad2dfda51c68600ca
SHA25678800f551562b033c0ea4313160aa1b8f0464e0cc950ff3046c19e8b7c87b333
SHA51249acc5e64d7161ce844fd70858f2e66b01fe64f942f5baef64f80e369a0091a4fd9af6f2e835a5fd1acba5c6b535b3809cadd01e54f9c2383d753222deb7db98
-
Filesize
5KB
MD5f0ab76e10dc5e5be85ca02e15aa50ff3
SHA18f4aa51e1fde6b4db1fb50ba5027aace53e7020f
SHA256ba4e551ed2df9cf5e3620b026004186522e761a4a5bcd31bd152548ec6f67c3f
SHA512aab199c60937e5898b818483c990ca0f04b82c97f2309c3c6216a2a4f9cabc915f63902c91b3b21fbaa38bff99021d142759b609e06ba7b62ac452dd10bbe1f0
-
Filesize
2.2MB
-
Filesize
972KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
10.8MB
-
Filesize
4.0MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
17.2MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
17.2MB
-
Filesize
4.0MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
17.2MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
2.8MB