Analysis
max time kernel: 125s
max time network: 131s
platform: windows10-1703_x64
resource: win10-20231023-en
resource tags: arch:x64, arch:x86, image:win10-20231023-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26-10-2023 15:49
Behavioral task
behavioral1
Sample
454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79.exe
Resource
win10-20231023-en
Behavioral task
behavioral2
Sample
90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe
Resource
win10-20231020-en
Behavioral task
behavioral3
Sample
9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f.exe
Resource
win10-20231023-en
General
Target: 454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79.exe
Size: 615KB
MD5: dbf727e1effc3631ae634d95a0d88bf3
SHA1: c02d2a18eca78b91b4c4e9e7a45c8d17c8c5bbca
SHA256: 454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79
SHA512: 24e0da5f90659aa21038e7728169b014a9ca897aaefe2140b75b680955ddd9de74dc320948c4cc743ccbf27f3713879e21a7e5c23f54c32cc0f8ae790cb9fc68
SSDEEP: 12288:8yqE9N0R/YPT7arwRhacn1J0zxzWnMZfgspsa:nlERAP6sRh/1UxiApZ
Malware Config
Extracted
bunnyloader
http://37.139.129.145/Bunny/StealerLogs/BunnyLogs_
Signatures
BunnyLoader
BunnyLoader is a loader family written in C++.
Processes:
resource | yara_rule
behavioral1/memory/1152-0-0x0000000000D20000-0x0000000000E98000-memory.dmp | upx
behavioral1/memory/1152-3-0x0000000000D20000-0x0000000000E98000-memory.dmp | upx
behavioral1/memory/1152-5-0x0000000000D20000-0x0000000000E98000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Windows\CurrentVersion\Run\Spyware_Blocker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79.exe" | 454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | api.ipify.org
3 | ip-api.com
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
WMIC.exe (pid 4760) adjusted the following privileges on its token; the full sequence is recorded twice, which accounts for the 42 IoCs:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
wmic.exe enables every privilege available to its token when it starts, so this signature reflects normal WMIC behaviour rather than a privilege-escalation attempt by the sample; the interesting part is what it was asked to query (see the process tree below).
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description | pid | process | target process | count
PID 1152 wrote to memory of 2904 | 1152 | 454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79.exe | cmd.exe | 3
PID 2904 wrote to memory of 4760 | 2904 | cmd.exe | WMIC.exe | 3
PID 1152 wrote to memory of 3052 | 1152 | 454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79.exe | cmd.exe | 3
PID 3052 wrote to memory of 2476 | 3052 | cmd.exe | systeminfo.exe | 3
PID 3052 wrote to memory of 1092 | 3052 | cmd.exe | findstr.exe | 3
Each parent/child pair appears three times. These are the writes a parent makes into a freshly created child during process start-up, not injection into an unrelated process; every target here is a child the writer itself spawned.
Processes
- C:\Users\Admin\AppData\Local\Temp\454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1152
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
    - Suspicious use of WriteProcessMemory
    PID: 2904
    - C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 3)
      Command line: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
      - Suspicious use of AdjustPrivilegeToken
      PID: 4760
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c systeminfo | findstr /B /C:"OS Name"
    - Suspicious use of WriteProcessMemory
    PID: 3052
    - C:\Windows\SysWOW64\systeminfo.exe (depth 3)
      Command line: systeminfo
      - Gathers system information
      PID: 2476
    - C:\Windows\SysWOW64\findstr.exe (depth 3)
      Command line: findstr /B /C:"OS Name"
      PID: 1092
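The behaviours in this report (a Run value pointing back into AppData\Local\Temp, AV enumeration through the root\SecurityCenter2 WMI namespace, systeminfo piped to findstr, and the api.ipify.org / ip-api.com lookups) map directly onto host telemetry. The Python below is an added example written for this page, not sandbox output and not BunnyLoader or Tria.ge code. It runs constructed Sysmon-style records (EventID 1 process creation, 13 registry value set, 22 DNS query) built from the process tree above, plus an assumed control case of an administrator typing the same WMIC query into an interactive cmd.exe, to show why tying discovery commands to an ancestor running from Temp separates this sample from a benign operator in a way that matching the command line alone does not. The sample's parent pid (5000) and the control pids (6000, 7000) are made up.

```python
import re

SAMPLE = "454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
AV_QUERY = r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value"

# Constructed Sysmon-style records modelled on the report: EventID 1 = process
# creation, 13 = registry value set, 22 = DNS query. PIDs and command lines are
# the report's; the sample's parent (5000) and the last two records (an assumed
# admin running the same WMIC query from an interactive cmd.exe) are made up
# as a control case.
EVENTS = [
    {"EventID": 1, "ProcessId": 1152, "ParentProcessId": 5000,
     "Image": SAMPLE_PATH, "CommandLine": '"' + SAMPLE_PATH + '"'},
    {"EventID": 1, "ProcessId": 2904, "ParentProcessId": 1152,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c " + AV_QUERY},
    {"EventID": 1, "ProcessId": 4760, "ParentProcessId": 2904,
     "Image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "CommandLine": AV_QUERY},
    {"EventID": 1, "ProcessId": 3052, "ParentProcessId": 1152,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c systeminfo | findstr /B /C:"OS Name"'},
    {"EventID": 1, "ProcessId": 2476, "ParentProcessId": 3052,
     "Image": r"C:\Windows\SysWOW64\systeminfo.exe", "CommandLine": "systeminfo"},
    {"EventID": 1, "ProcessId": 1092, "ParentProcessId": 3052,
     "Image": r"C:\Windows\SysWOW64\findstr.exe",
     "CommandLine": r'findstr /B /C:"OS Name"'},
    {"EventID": 13, "ProcessId": 1152, "Image": SAMPLE_PATH,
     "TargetObject": r"HKU\S-1-5-21-2184424523-918736138-622003966-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Spyware_Blocker",
     "Details": SAMPLE_PATH},
    {"EventID": 22, "ProcessId": 1152, "QueryName": "api.ipify.org"},
    {"EventID": 22, "ProcessId": 1152, "QueryName": "ip-api.com"},
    {"EventID": 1, "ProcessId": 6000, "ParentProcessId": 1,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 6000,
     "Image": r"C:\Windows\System32\Wbem\WMIC.exe", "CommandLine": AV_QUERY},
]

# The two IP-lookup services contacted in this run (flows 1 and 3 above).
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ip-api.com"}
DISCOVERY_TOOLS = {"wmic.exe", "systeminfo.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
AV_QUERY_RE = re.compile(r"securitycenter2.*antivirusproduct", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Map pid -> parent pid and pid -> image from the process-creation events."""
    parent, image = {}, {}
    for ev in events:
        if ev["EventID"] == 1:
            parent[ev["ProcessId"]] = ev["ParentProcessId"]
            image[ev["ProcessId"]] = ev["Image"]
    return parent, image


def has_temp_ancestor(pid, parent, image, max_depth=32):
    """True if pid, or any recorded ancestor, runs from AppData\\Local\\Temp.
    Stops at pids with no creation record and guards against pid-reuse loops."""
    seen = set()
    cur = pid
    for _ in range(max_depth):
        if cur in seen or cur not in image:
            return False
        seen.add(cur)
        if TEMP_RE.search(image[cur]):
            return True
        cur = parent.get(cur)
    return False


def evaluate(events):
    """Return (rule, pid) findings for the behaviours reported above."""
    parent, image = build_tree(events)
    findings = []
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            name = basename(ev["Image"])
            # Low confidence: anyone enumerating AV products through WMI.
            if name == "wmic.exe" and AV_QUERY_RE.search(ev["CommandLine"]):
                findings.append(("av_product_query", pid))
            # Higher confidence: discovery tool launched under a binary in Temp.
            if name in DISCOVERY_TOOLS and has_temp_ancestor(pid, parent, image):
                findings.append(("discovery_from_temp_executable", pid))
        elif ev["EventID"] == 13:
            if RUN_KEY_RE.search(ev["TargetObject"]) and TEMP_RE.search(ev["Details"]):
                findings.append(("run_key_points_to_temp", pid))
        elif ev["EventID"] == 22:
            if ev["QueryName"].lower() in IP_LOOKUP_DOMAINS:
                findings.append(("external_ip_lookup", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:32} pid={pid}")
```

Run against the constructed events, the control WMIC process (pid 7000) only trips the low-confidence av_product_query rule, while the sandbox's WMIC.exe (pid 4760) and systeminfo.exe (pid 2476) also trip discovery_from_temp_executable because their ancestry walks back to the sample in Temp. The ancestry walk stops at the first pid with no creation record, so on a real host the rule needs process-creation events collected from boot (or a backfilled process list) to see parents that started before logging began.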