a096e03201e23b41f6095ed391031d74540ac1043c62422859e9bcb69e4cebde

Analysis

max time kernel
139s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BTSOU v23.05.08/BTSOU.exe
Size

828KB
MD5

ca17d9e5739b1caccf35d4669837364a
SHA1

77b77a3bea786df780fb4bca0217dc6004cc85e6
SHA256

fdae52dad1bf5af405db35d6b45411b6a70ff7e05f43df22f0d021edbafc8e5e
SHA512

336d7aab6dc0e89e5b33f378a08c73ec3e0d309339a43ff5a826c5799686996b806b3ca6744282cd940fda79acbf5df204350411db2e6827a798704737728b45
SSDEEP

12288:ZkQ9kWJRNmmquANVANgAy8R828R8SvH0:ZkMkEANVANL+D+L

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	BTSOU.exe
Token: SeIncreaseQuotaPrivilege	3524	WMIC.exe
Token: SeSecurityPrivilege	3524	WMIC.exe
Token: SeTakeOwnershipPrivilege	3524	WMIC.exe
Token: SeLoadDriverPrivilege	3524	WMIC.exe
Token: SeSystemProfilePrivilege	3524	WMIC.exe
Token: SeSystemtimePrivilege	3524	WMIC.exe
Token: SeProfSingleProcessPrivilege	3524	WMIC.exe
Token: SeIncBasePriorityPrivilege	3524	WMIC.exe
Token: SeCreatePagefilePrivilege	3524	WMIC.exe
Token: SeBackupPrivilege	3524	WMIC.exe
Token: SeRestorePrivilege	3524	WMIC.exe
Token: SeShutdownPrivilege	3524	WMIC.exe
Token: SeDebugPrivilege	3524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3524	WMIC.exe
Token: SeRemoteShutdownPrivilege	3524	WMIC.exe
Token: SeUndockPrivilege	3524	WMIC.exe
Token: SeManageVolumePrivilege	3524	WMIC.exe
Token: 33	3524	WMIC.exe
Token: 34	3524	WMIC.exe
Token: 35	3524	WMIC.exe
Token: 36	3524	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3524	WMIC.exe
Token: SeSecurityPrivilege	3524	WMIC.exe
Token: SeTakeOwnershipPrivilege	3524	WMIC.exe
Token: SeLoadDriverPrivilege	3524	WMIC.exe
Token: SeSystemProfilePrivilege	3524	WMIC.exe
Token: SeSystemtimePrivilege	3524	WMIC.exe
Token: SeProfSingleProcessPrivilege	3524	WMIC.exe
Token: SeIncBasePriorityPrivilege	3524	WMIC.exe
Token: SeCreatePagefilePrivilege	3524	WMIC.exe
Token: SeBackupPrivilege	3524	WMIC.exe
Token: SeRestorePrivilege	3524	WMIC.exe
Token: SeShutdownPrivilege	3524	WMIC.exe
Token: SeDebugPrivilege	3524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3524	WMIC.exe
Token: SeRemoteShutdownPrivilege	3524	WMIC.exe
Token: SeUndockPrivilege	3524	WMIC.exe
Token: SeManageVolumePrivilege	3524	WMIC.exe
Token: 33	3524	WMIC.exe
Token: 34	3524	WMIC.exe
Token: 35	3524	WMIC.exe
Token: 36	3524	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4152	WMIC.exe
Token: SeSecurityPrivilege	4152	WMIC.exe
Token: SeTakeOwnershipPrivilege	4152	WMIC.exe
Token: SeLoadDriverPrivilege	4152	WMIC.exe
Token: SeSystemProfilePrivilege	4152	WMIC.exe
Token: SeSystemtimePrivilege	4152	WMIC.exe
Token: SeProfSingleProcessPrivilege	4152	WMIC.exe
Token: SeIncBasePriorityPrivilege	4152	WMIC.exe
Token: SeCreatePagefilePrivilege	4152	WMIC.exe
Token: SeBackupPrivilege	4152	WMIC.exe
Token: SeRestorePrivilege	4152	WMIC.exe
Token: SeShutdownPrivilege	4152	WMIC.exe
Token: SeDebugPrivilege	4152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4152	WMIC.exe
Token: SeRemoteShutdownPrivilege	4152	WMIC.exe
Token: SeUndockPrivilege	4152	WMIC.exe
Token: SeManageVolumePrivilege	4152	WMIC.exe
Token: 33	4152	WMIC.exe
Token: 34	4152	WMIC.exe
Token: 35	4152	WMIC.exe
Token: 36	4152	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3024	BTSOU.exe
3024	BTSOU.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1532	3024	BTSOU.exe	83
PID 3024 wrote to memory of 1532	3024	BTSOU.exe	83
PID 3024 wrote to memory of 1532	3024	BTSOU.exe	83
PID 1532 wrote to memory of 3524	1532	cmd.exe	85
PID 1532 wrote to memory of 3524	1532	cmd.exe	85
PID 1532 wrote to memory of 3524	1532	cmd.exe	85
PID 3024 wrote to memory of 4768	3024	BTSOU.exe	87
PID 3024 wrote to memory of 4768	3024	BTSOU.exe	87
PID 3024 wrote to memory of 4768	3024	BTSOU.exe	87
PID 4768 wrote to memory of 4152	4768	cmd.exe	89
PID 4768 wrote to memory of 4152	4768	cmd.exe	89
PID 4768 wrote to memory of 4152	4768	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\BTSOU v23.05.08\BTSOU.exe
"C:\Users\Admin\AppData\Local\Temp\BTSOU v23.05.08\BTSOU.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic diskdrive get SerialNumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3524
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3024-0-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/3024-1-0x00000000007E0000-0x00000000008B4000-memory.dmp

Filesize
848KB

Download
memory/3024-2-0x0000000005810000-0x0000000005DB4000-memory.dmp

Filesize
5.6MB

Download
memory/3024-3-0x0000000005300000-0x0000000005392000-memory.dmp

Filesize
584KB

Download
memory/3024-4-0x00000000053A0000-0x00000000056F4000-memory.dmp

Filesize
3.3MB

Download
memory/3024-5-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/3024-6-0x0000000005800000-0x000000000580A000-memory.dmp

Filesize
40KB

Download
memory/3024-7-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/3024-8-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/3024-9-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/3024-10-0x000000000C030000-0x000000000C196000-memory.dmp

Filesize
1.4MB

Download
memory/3024-11-0x000000000BD30000-0x000000000BD7C000-memory.dmp

Filesize
304KB

Download
memory/3024-12-0x000000000BDC0000-0x000000000BDFC000-memory.dmp

Filesize
240KB

Download
memory/3024-13-0x000000000BD90000-0x000000000BDB1000-memory.dmp

Filesize
132KB

Download
memory/3024-14-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/3024-15-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/3024-16-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/3024-17-0x000000000AD10000-0x000000000AD32000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads