bcb43e540324aec08aad7401c57c64000e7e4ccc20efa5f64072e7a664d9492f

Analysis

max time kernel
30s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2023 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BruteForcers PACK/BruteForcers PACK/BTC BRUTE CHECKER 3.1/dllsys/bchainHost.exe
Size

523KB
MD5

b2c404ca1131f26172840d5a8ebe057d
SHA1

4e9c9722d3516212cde254a812e4c653756ab643
SHA256

e45b782daa60730a5d52bb4c59856e98fb073ecd7b5dc47eeeecd2c7fe46e9c1
SHA512

e4dc9ff863b75a298a1e139feabd1455aec0f822def9811e7fc814474e7b15637f17febc2f3c1af17933d29756c69d5cf38a1ce3a2aa4ea0989afa7b850d1e1d
SSDEEP

12288:m0v0okAQh7/ojoRgLwAQh7nQf+rEA2oYpB+BKVRoJbVaJup:R+DojfK8f+rEA2jpeVVaJu

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

bchainHost.exe

pid process

5052 bchainHost.exe
5052 bchainHost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bchainHost.exe

description pid process target process

PID 4856 set thread context of 5052 4856 bchainHost.exe bchainHost.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4980 5052 WerFault.exe bchainHost.exe

pid	process
5052	bchainHost.exe
5052	bchainHost.exe

description	pid	process	target process
PID 4856 set thread context of 5052	4856	bchainHost.exe	bchainHost.exe

pid	pid_target	process	target process
4980	5052	WerFault.exe	bchainHost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

bchainHost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	bchainHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	bchainHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	bchainHost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

bchainHost.exe

pid process

4856 bchainHost.exe

pid	process
4856	bchainHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bchainHost.exe

description	pid	process	target process
PID 4856 wrote to memory of 5052	4856	bchainHost.exe	bchainHost.exe
PID 4856 wrote to memory of 5052	4856	bchainHost.exe	bchainHost.exe
PID 4856 wrote to memory of 5052	4856	bchainHost.exe	bchainHost.exe
PID 4856 wrote to memory of 5052	4856	bchainHost.exe	bchainHost.exe

C:\Users\Admin\AppData\Local\Temp\BruteForcers PACK\BruteForcers PACK\BTC BRUTE CHECKER 3.1\dllsys\bchainHost.exe
"C:\Users\Admin\AppData\Local\Temp\BruteForcers PACK\BruteForcers PACK\BTC BRUTE CHECKER 3.1\dllsys\bchainHost.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Local\Temp\BruteForcers PACK\BruteForcers PACK\BTC BRUTE CHECKER 3.1\dllsys\bchainHost.exe
"C:\Users\Admin\AppData\Local\Temp\BruteForcers PACK\BruteForcers PACK\BTC BRUTE CHECKER 3.1\dllsys\bchainHost.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1692
3⤵
- Program crash
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5052 -ip 5052
1⤵
PID:5048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4856-133-0x00000000003C0000-0x0000000000448000-memory.dmp

Filesize
544KB

Download
memory/4856-134-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4856-139-0x0000000002750000-0x0000000002753000-memory.dmp

Filesize
12KB

Download
memory/5052-135-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5052-137-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5052-138-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5052-140-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5052-141-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5052-142-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download