Analysis
- Max time kernel: 133s
- Max time network: 140s
- Platform: windows7_x64
- Resource: win7-20230831-en
- Resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- Submitted: 21-09-2023 12:32
Static task static1
Behavioral task behavioral1: BTSOU v23.05.08/BTSOU.exe on win7-20230831-en
Behavioral task behavioral2: BTSOU v23.05.08/BTSOU.exe on win10v2004-20230915-en
Behavioral task behavioral3: BTSOU v23.05.08/Interop.ThunderAgentLib.dll on win7-20230831-en
Behavioral task behavioral4: BTSOU v23.05.08/Interop.ThunderAgentLib.dll on win10v2004-20230915-en
Behavioral task behavioral5: BTSOU v23.05.08/MySql.Data.dll on win7-20230831-en
Behavioral task behavioral6: BTSOU v23.05.08/MySql.Data.dll on win10v2004-20230915-en
General
- Target: BTSOU v23.05.08/BTSOU.exe
- Size: 828KB
- MD5: ca17d9e5739b1caccf35d4669837364a
- SHA1: 77b77a3bea786df780fb4bca0217dc6004cc85e6
- SHA256: fdae52dad1bf5af405db35d6b45411b6a70ff7e05f43df22f0d021edbafc8e5e
- SHA512: 336d7aab6dc0e89e5b33f378a08c73ec3e0d309339a43ff5a826c5799686996b806b3ca6744282cd940fda79acbf5df204350411db2e6827a798704737728b45
- SSDEEP: 12288:ZkQ9kWJRNmmquANVANgAy8R828R8SvH0:ZkMkEANVANL+D+L
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token enabled / PID / Process:
  - SeDebugPrivilege: 2956 BTSOU.exe
  - WMIC.exe, PID 2640, the following sequence recorded twice in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - WMIC.exe, PID 2608, the same sequence once, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege (the listing stops at the 64th entry)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID / Process:
  - 2956 BTSOU.exe (recorded twice)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Description / PID / Process / procid_target (each recorded four times):
  - PID 2956 wrote to memory of 3068: 2956 BTSOU.exe, procid_target 28
  - PID 3068 wrote to memory of 2640: 3068 cmd.exe, procid_target 30
  - PID 2956 wrote to memory of 2332: 2956 BTSOU.exe, procid_target 32
  - PID 2332 wrote to memory of 2608: 2332 cmd.exe, procid_target 34
Processes
- C:\Users\Admin\AppData\Local\Temp\BTSOU v23.05.08\BTSOU.exe (PID 2956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BTSOU v23.05.08\BTSOU.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3068)
    Command line: "cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2640)
      Command line: wmic diskdrive get SerialNumber
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 2332)
    Command line: "cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2608)
      Command line: wmic cpu get processorid
      - Suspicious use of AdjustPrivilegeToken
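The behaviour worth acting on in this tree is the pair of WMIC queries: the disk serial number and the CPU ProcessorId are stable per-machine values and are the usual inputs to a hardware fingerprint, whether for licensing or for tagging the host. The WriteProcessMemory entries each pair a parent with a child it has just launched, and WMIC.exe enabling a long list of token privileges is routine for that binary, so neither adds much on its own; BTSOU.exe enabling SeDebugPrivilege and calling SetWindowsHookEx are the entries to follow up. The detection below is an added example written for this report, not sandbox output or code from the sample: it walks Sysmon-style process-creation records, finds WMIC command lines that read hardware identifiers, treats cmd.exe as a launcher and attributes the query to cmd.exe's parent. It generalises beyond the two queries seen here to other identifier queries (BIOS and baseboard serials, csproduct UUID), which is an assumption about what the same fingerprinting code might ask for, not something this report shows. The records are constructed by hand with the PIDs from the tree above; BTSOU.exe's own parent PID (1000) is assumed.

```python
"""Flag WMIC hardware-identifier queries launched through cmd.exe.

Added example for this report, not sandbox output: the records below are
constructed by hand in the shape of Sysmon Event ID 1 (process creation)
fields and reproduce the process tree shown above, plus one benign WMIC call.
The parent PID of BTSOU.exe (1000) is assumed; the report does not list it.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# WMIC queries that return per-machine identifiers. The first two are the ones
# in the report; the rest are common equivalents added here as an assumption.
FINGERPRINT_QUERIES = [
    re.compile(r"\bdiskdrive\b.*\bget\b.*\bserialnumber\b", re.I),
    re.compile(r"\bcpu\b.*\bget\b.*\bprocessorid\b", re.I),
    re.compile(r"\bbios\b.*\bget\b.*\bserialnumber\b", re.I),
    re.compile(r"\bbaseboard\b.*\bget\b.*\bserialnumber\b", re.I),
    re.compile(r"\bcsproduct\b.*\bget\b.*\buuid\b", re.I),
]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the executable (Sysmon "Image")
    command_line: str  # Sysmon "CommandLine"


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, e.g. 'wmic.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(tree: Dict[int, ProcEvent], pid: int, max_depth: int = 2) -> List[ProcEvent]:
    """Return up to max_depth ancestors of pid, nearest first.

    Stops early when a parent is not in the tree (missing events or PID reuse).
    """
    chain: List[ProcEvent] = []
    cur: Optional[ProcEvent] = tree.get(pid)
    while cur is not None and len(chain) < max_depth:
        cur = tree.get(cur.ppid)
        if cur is None:
            break
        chain.append(cur)
    return chain


def find_fingerprinting(events: Iterable[ProcEvent]) -> List[dict]:
    """Return one finding per WMIC process whose command line reads a hardware ID.

    cmd.exe is treated as a launcher: when WMIC's parent is cmd.exe, the
    finding is attributed to cmd.exe's parent, the process that actually
    wanted the identifier (BTSOU.exe in the report's tree).
    """
    events = list(events)
    tree = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if image_name(ev.image) != "wmic.exe":
            continue
        if not any(p.search(ev.command_line) for p in FINGERPRINT_QUERIES):
            continue
        chain = ancestors(tree, ev.pid)
        via_cmd = bool(chain) and image_name(chain[0].image) == "cmd.exe"
        if via_cmd and len(chain) > 1:
            origin = chain[1]          # skip the cmd.exe launcher
        else:
            origin = chain[0] if chain else None
        findings.append({
            "wmic_pid": ev.pid,
            "query": ev.command_line,
            "via_cmd": via_cmd,
            "origin_pid": origin.pid if origin else None,
            "origin_image": image_name(origin.image) if origin else None,
        })
    return findings


# Constructed records mirroring the report's tree; PIDs are the report's.
SAMPLE_EVENTS = [
    ProcEvent(2956, 1000, r"C:\Users\Admin\AppData\Local\Temp\BTSOU v23.05.08\BTSOU.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\BTSOU v23.05.08\BTSOU.exe"'),
    ProcEvent(3068, 2956, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe"'),
    ProcEvent(2640, 3068, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic diskdrive get SerialNumber"),
    ProcEvent(2332, 2956, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe"'),
    ProcEvent(2608, 2332, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic cpu get processorid"),
    # Benign administrative query (constructed): must not be flagged.
    ProcEvent(4100, 1000, r"C:\Windows\System32\cmd.exe", '"cmd.exe"'),
    ProcEvent(4120, 4100, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get Caption"),
]


if __name__ == "__main__":
    for finding in find_fingerprinting(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed records this yields two findings, both attributed to PID 2956 (BTSOU.exe) via cmd.exe, and leaves the `wmic os get Caption` call alone. In production, feed it Sysmon Event ID 1 or Windows Security 4688 records with command-line auditing on; the grandparent attribution is what turns "wmic ran" into "this binary fingerprinted the host", which is the fact an analyst wants to pivot on.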