Analysis
max time kernel: 139s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/09/2023, 12:32
Static task: static1

Behavioral tasks
behavioral1: Sample BTSOU v23.05.08/BTSOU.exe, Resource win7-20230831-en
behavioral2: Sample BTSOU v23.05.08/BTSOU.exe, Resource win10v2004-20230915-en
behavioral3: Sample BTSOU v23.05.08/Interop.ThunderAgentLib.dll, Resource win7-20230831-en
behavioral4: Sample BTSOU v23.05.08/Interop.ThunderAgentLib.dll, Resource win10v2004-20230915-en
behavioral5: Sample BTSOU v23.05.08/MySql.Data.dll, Resource win7-20230831-en
behavioral6: Sample BTSOU v23.05.08/MySql.Data.dll, Resource win10v2004-20230915-en
General
Target: BTSOU v23.05.08/BTSOU.exe
Size: 828KB
MD5: ca17d9e5739b1caccf35d4669837364a
SHA1: 77b77a3bea786df780fb4bca0217dc6004cc85e6
SHA256: fdae52dad1bf5af405db35d6b45411b6a70ff7e05f43df22f0d021edbafc8e5e
SHA512: 336d7aab6dc0e89e5b33f378a08c73ec3e0d309339a43ff5a826c5799686996b806b3ca6744282cd940fda79acbf5df204350411db2e6827a798704737728b45
SSDEEP: 12288:ZkQ9kWJRNmmquANVANgAy8R828R8SvH0:ZkMkEANVANL+D+L
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                          | pid  | Process
Token: SeDebugPrivilege              | 3024 | BTSOU.exe
Token: SeIncreaseQuotaPrivilege      | 3524 | WMIC.exe
Token: SeSecurityPrivilege           | 3524 | WMIC.exe
Token: SeTakeOwnershipPrivilege      | 3524 | WMIC.exe
Token: SeLoadDriverPrivilege         | 3524 | WMIC.exe
Token: SeSystemProfilePrivilege      | 3524 | WMIC.exe
Token: SeSystemtimePrivilege         | 3524 | WMIC.exe
Token: SeProfSingleProcessPrivilege  | 3524 | WMIC.exe
Token: SeIncBasePriorityPrivilege    | 3524 | WMIC.exe
Token: SeCreatePagefilePrivilege     | 3524 | WMIC.exe
Token: SeBackupPrivilege             | 3524 | WMIC.exe
Token: SeRestorePrivilege            | 3524 | WMIC.exe
Token: SeShutdownPrivilege           | 3524 | WMIC.exe
Token: SeDebugPrivilege              | 3524 | WMIC.exe
Token: SeSystemEnvironmentPrivilege  | 3524 | WMIC.exe
Token: SeRemoteShutdownPrivilege     | 3524 | WMIC.exe
Token: SeUndockPrivilege             | 3524 | WMIC.exe
Token: SeManageVolumePrivilege       | 3524 | WMIC.exe
Token: 33                            | 3524 | WMIC.exe
Token: 34                            | 3524 | WMIC.exe
Token: 35                            | 3524 | WMIC.exe
Token: 36                            | 3524 | WMIC.exe
Token: SeIncreaseQuotaPrivilege      | 3524 | WMIC.exe
Token: SeSecurityPrivilege           | 3524 | WMIC.exe
Token: SeTakeOwnershipPrivilege      | 3524 | WMIC.exe
Token: SeLoadDriverPrivilege         | 3524 | WMIC.exe
Token: SeSystemProfilePrivilege      | 3524 | WMIC.exe
Token: SeSystemtimePrivilege         | 3524 | WMIC.exe
Token: SeProfSingleProcessPrivilege  | 3524 | WMIC.exe
Token: SeIncBasePriorityPrivilege    | 3524 | WMIC.exe
Token: SeCreatePagefilePrivilege     | 3524 | WMIC.exe
Token: SeBackupPrivilege             | 3524 | WMIC.exe
Token: SeRestorePrivilege            | 3524 | WMIC.exe
Token: SeShutdownPrivilege           | 3524 | WMIC.exe
Token: SeDebugPrivilege              | 3524 | WMIC.exe
Token: SeSystemEnvironmentPrivilege  | 3524 | WMIC.exe
Token: SeRemoteShutdownPrivilege     | 3524 | WMIC.exe
Token: SeUndockPrivilege             | 3524 | WMIC.exe
Token: SeManageVolumePrivilege       | 3524 | WMIC.exe
Token: 33                            | 3524 | WMIC.exe
Token: 34                            | 3524 | WMIC.exe
Token: 35                            | 3524 | WMIC.exe
Token: 36                            | 3524 | WMIC.exe
Token: SeIncreaseQuotaPrivilege      | 4152 | WMIC.exe
Token: SeSecurityPrivilege           | 4152 | WMIC.exe
Token: SeTakeOwnershipPrivilege      | 4152 | WMIC.exe
Token: SeLoadDriverPrivilege         | 4152 | WMIC.exe
Token: SeSystemProfilePrivilege      | 4152 | WMIC.exe
Token: SeSystemtimePrivilege         | 4152 | WMIC.exe
Token: SeProfSingleProcessPrivilege  | 4152 | WMIC.exe
Token: SeIncBasePriorityPrivilege    | 4152 | WMIC.exe
Token: SeCreatePagefilePrivilege     | 4152 | WMIC.exe
Token: SeBackupPrivilege             | 4152 | WMIC.exe
Token: SeRestorePrivilege            | 4152 | WMIC.exe
Token: SeShutdownPrivilege           | 4152 | WMIC.exe
Token: SeDebugPrivilege              | 4152 | WMIC.exe
Token: SeSystemEnvironmentPrivilege  | 4152 | WMIC.exe
Token: SeRemoteShutdownPrivilege     | 4152 | WMIC.exe
Token: SeUndockPrivilege             | 4152 | WMIC.exe
Token: SeManageVolumePrivilege       | 4152 | WMIC.exe
Token: 33                            | 4152 | WMIC.exe
Token: 34                            | 4152 | WMIC.exe
Token: 35                            | 4152 | WMIC.exe
Token: 36                            | 4152 | WMIC.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid  | Process
3024 | BTSOU.exe
3024 | BTSOU.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                        | pid  | Process   | procid_target
PID 3024 wrote to memory of 1532   | 3024 | BTSOU.exe | 83
PID 3024 wrote to memory of 1532   | 3024 | BTSOU.exe | 83
PID 3024 wrote to memory of 1532   | 3024 | BTSOU.exe | 83
PID 1532 wrote to memory of 3524   | 1532 | cmd.exe   | 85
PID 1532 wrote to memory of 3524   | 1532 | cmd.exe   | 85
PID 1532 wrote to memory of 3524   | 1532 | cmd.exe   | 85
PID 3024 wrote to memory of 4768   | 3024 | BTSOU.exe | 87
PID 3024 wrote to memory of 4768   | 3024 | BTSOU.exe | 87
PID 3024 wrote to memory of 4768   | 3024 | BTSOU.exe | 87
PID 4768 wrote to memory of 4152   | 4768 | cmd.exe   | 89
PID 4768 wrote to memory of 4152   | 4768 | cmd.exe   | 89
PID 4768 wrote to memory of 4152   | 4768 | cmd.exe   | 89
Processes (tree; depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\BTSOU v23.05.08\BTSOU.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BTSOU v23.05.08\BTSOU.exe"
  PID: 3024
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    PID: 1532
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic diskdrive get SerialNumber
      PID: 3524
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    PID: 4768
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic cpu get processorid
      PID: 4152
      - Suspicious use of AdjustPrivilegeToken