533bc42d21e98abd33ef24cac27520b826fdcfacfa1623fc0b77dca5b85efc21

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BTSOU/BTSOU.exe
Size

828KB
MD5

ca17d9e5739b1caccf35d4669837364a
SHA1

77b77a3bea786df780fb4bca0217dc6004cc85e6
SHA256

fdae52dad1bf5af405db35d6b45411b6a70ff7e05f43df22f0d021edbafc8e5e
SHA512

336d7aab6dc0e89e5b33f378a08c73ec3e0d309339a43ff5a826c5799686996b806b3ca6744282cd940fda79acbf5df204350411db2e6827a798704737728b45
SSDEEP

12288:ZkQ9kWJRNmmquANVANgAy8R828R8SvH0:ZkMkEANVANL+D+L

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3844	BTSOU.exe
Token: SeIncreaseQuotaPrivilege	2768	WMIC.exe
Token: SeSecurityPrivilege	2768	WMIC.exe
Token: SeTakeOwnershipPrivilege	2768	WMIC.exe
Token: SeLoadDriverPrivilege	2768	WMIC.exe
Token: SeSystemProfilePrivilege	2768	WMIC.exe
Token: SeSystemtimePrivilege	2768	WMIC.exe
Token: SeProfSingleProcessPrivilege	2768	WMIC.exe
Token: SeIncBasePriorityPrivilege	2768	WMIC.exe
Token: SeCreatePagefilePrivilege	2768	WMIC.exe
Token: SeBackupPrivilege	2768	WMIC.exe
Token: SeRestorePrivilege	2768	WMIC.exe
Token: SeShutdownPrivilege	2768	WMIC.exe
Token: SeDebugPrivilege	2768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2768	WMIC.exe
Token: SeRemoteShutdownPrivilege	2768	WMIC.exe
Token: SeUndockPrivilege	2768	WMIC.exe
Token: SeManageVolumePrivilege	2768	WMIC.exe
Token: 33	2768	WMIC.exe
Token: 34	2768	WMIC.exe
Token: 35	2768	WMIC.exe
Token: 36	2768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2768	WMIC.exe
Token: SeSecurityPrivilege	2768	WMIC.exe
Token: SeTakeOwnershipPrivilege	2768	WMIC.exe
Token: SeLoadDriverPrivilege	2768	WMIC.exe
Token: SeSystemProfilePrivilege	2768	WMIC.exe
Token: SeSystemtimePrivilege	2768	WMIC.exe
Token: SeProfSingleProcessPrivilege	2768	WMIC.exe
Token: SeIncBasePriorityPrivilege	2768	WMIC.exe
Token: SeCreatePagefilePrivilege	2768	WMIC.exe
Token: SeBackupPrivilege	2768	WMIC.exe
Token: SeRestorePrivilege	2768	WMIC.exe
Token: SeShutdownPrivilege	2768	WMIC.exe
Token: SeDebugPrivilege	2768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2768	WMIC.exe
Token: SeRemoteShutdownPrivilege	2768	WMIC.exe
Token: SeUndockPrivilege	2768	WMIC.exe
Token: SeManageVolumePrivilege	2768	WMIC.exe
Token: 33	2768	WMIC.exe
Token: 34	2768	WMIC.exe
Token: 35	2768	WMIC.exe
Token: 36	2768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2252	WMIC.exe
Token: SeSecurityPrivilege	2252	WMIC.exe
Token: SeTakeOwnershipPrivilege	2252	WMIC.exe
Token: SeLoadDriverPrivilege	2252	WMIC.exe
Token: SeSystemProfilePrivilege	2252	WMIC.exe
Token: SeSystemtimePrivilege	2252	WMIC.exe
Token: SeProfSingleProcessPrivilege	2252	WMIC.exe
Token: SeIncBasePriorityPrivilege	2252	WMIC.exe
Token: SeCreatePagefilePrivilege	2252	WMIC.exe
Token: SeBackupPrivilege	2252	WMIC.exe
Token: SeRestorePrivilege	2252	WMIC.exe
Token: SeShutdownPrivilege	2252	WMIC.exe
Token: SeDebugPrivilege	2252	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2252	WMIC.exe
Token: SeRemoteShutdownPrivilege	2252	WMIC.exe
Token: SeUndockPrivilege	2252	WMIC.exe
Token: SeManageVolumePrivilege	2252	WMIC.exe
Token: 33	2252	WMIC.exe
Token: 34	2252	WMIC.exe
Token: 35	2252	WMIC.exe
Token: 36	2252	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3844	BTSOU.exe
3844	BTSOU.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 2784	3844	BTSOU.exe	95
PID 3844 wrote to memory of 2784	3844	BTSOU.exe	95
PID 3844 wrote to memory of 2784	3844	BTSOU.exe	95
PID 2784 wrote to memory of 2768	2784	cmd.exe	98
PID 2784 wrote to memory of 2768	2784	cmd.exe	98
PID 2784 wrote to memory of 2768	2784	cmd.exe	98
PID 3844 wrote to memory of 4908	3844	BTSOU.exe	101
PID 3844 wrote to memory of 4908	3844	BTSOU.exe	101
PID 3844 wrote to memory of 4908	3844	BTSOU.exe	101
PID 4908 wrote to memory of 2252	4908	cmd.exe	104
PID 4908 wrote to memory of 2252	4908	cmd.exe	104
PID 4908 wrote to memory of 2252	4908	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\BTSOU\BTSOU.exe
"C:\Users\Admin\AppData\Local\Temp\BTSOU\BTSOU.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic diskdrive get SerialNumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3844-0-0x00000000003A0000-0x0000000000474000-memory.dmp

Filesize
848KB

Download
memory/3844-1-0x00000000752B0000-0x0000000075A60000-memory.dmp

Filesize
7.7MB

Download
memory/3844-2-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/3844-3-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download
memory/3844-4-0x00000000050D0000-0x0000000005424000-memory.dmp

Filesize
3.3MB

Download
memory/3844-5-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3844-6-0x0000000004F10000-0x0000000004F1A000-memory.dmp

Filesize
40KB

Download
memory/3844-7-0x00000000752B0000-0x0000000075A60000-memory.dmp

Filesize
7.7MB

Download
memory/3844-8-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3844-9-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3844-10-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3844-11-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3844-12-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3844-13-0x0000000006690000-0x00000000067F6000-memory.dmp

Filesize
1.4MB

Download
memory/3844-14-0x00000000065C0000-0x000000000660C000-memory.dmp

Filesize
304KB

Download
memory/3844-15-0x000000000B8D0000-0x000000000B90C000-memory.dmp

Filesize
240KB

Download
memory/3844-16-0x000000000AA90000-0x000000000AAB1000-memory.dmp

Filesize
132KB

Download
memory/3844-17-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3844-18-0x000000000CE60000-0x000000000CE82000-memory.dmp

Filesize
136KB

Download
memory/3844-19-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads