Analysis
max time kernel: 139s
max time network: 154s
platform: windows10-1703_x64
resource: win10-20231020-en
resource tags: arch:x64 arch:x86 image:win10-20231020-en locale:en-us os:windows10-1703-x64 system
submitted: 26-10-2023 15:49
Behavioral task: behavioral1
Sample: 454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79.exe
Resource: win10-20231023-en

Behavioral task: behavioral2
Sample: 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe
Resource: win10-20231020-en

Behavioral task: behavioral3
Sample: 9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f.exe
Resource: win10-20231023-en
General
Target: 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe
Size: 1.4MB
MD5: bbf53c2f20ac95a3bc18ea7575f2344b
SHA1: 059d27dbb4777ed1f17b2aa42c0e7c19ad29b304
SHA256: 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69
SHA512: 1c4816500494015896d5b8d1b0b596d066ebcede33a7f1c8db4ed2708e2cd25c764860f8466d4662b4a402637e5085852fc0dc89f3c6dcd765f22f862ba45368
SSDEEP: 24576:H5khuFAeSwW1LS8s2tsiODbdGcE/61SHyV8UuThAbJfm9j+XcK8VodAeLJhUM8YJ:cuZW1LS8s2tsdDbC9SKdincKuodAeMMf
Malware Config
Extracted
bunnyloader
http://37.139.129.145/Bunny/StealerLogs/BunnyLogs_
Signatures

BunnyLoader
BunnyLoader is a loader family written in C++.

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Spyware_Blocker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe" | 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | api.ipify.org
4 | ip-api.com
Gathers system information (1 TTPs, 1 IoCs)
Runs systeminfo.exe.
Suspicious use of AdjustPrivilegeToken (42 IoCs)
Processes: WMIC.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 760 | WMIC.exe
Token: SeSecurityPrivilege | 760 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 760 | WMIC.exe
Token: SeLoadDriverPrivilege | 760 | WMIC.exe
Token: SeSystemProfilePrivilege | 760 | WMIC.exe
Token: SeSystemtimePrivilege | 760 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 760 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 760 | WMIC.exe
Token: SeCreatePagefilePrivilege | 760 | WMIC.exe
Token: SeBackupPrivilege | 760 | WMIC.exe
Token: SeRestorePrivilege | 760 | WMIC.exe
Token: SeShutdownPrivilege | 760 | WMIC.exe
Token: SeDebugPrivilege | 760 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 760 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 760 | WMIC.exe
Token: SeUndockPrivilege | 760 | WMIC.exe
Token: SeManageVolumePrivilege | 760 | WMIC.exe
Token: 33 | 760 | WMIC.exe
Token: 34 | 760 | WMIC.exe
Token: 35 | 760 | WMIC.exe
Token: 36 | 760 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 760 | WMIC.exe
Token: SeSecurityPrivilege | 760 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 760 | WMIC.exe
Token: SeLoadDriverPrivilege | 760 | WMIC.exe
Token: SeSystemProfilePrivilege | 760 | WMIC.exe
Token: SeSystemtimePrivilege | 760 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 760 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 760 | WMIC.exe
Token: SeCreatePagefilePrivilege | 760 | WMIC.exe
Token: SeBackupPrivilege | 760 | WMIC.exe
Token: SeRestorePrivilege | 760 | WMIC.exe
Token: SeShutdownPrivilege | 760 | WMIC.exe
Token: SeDebugPrivilege | 760 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 760 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 760 | WMIC.exe
Token: SeUndockPrivilege | 760 | WMIC.exe
Token: SeManageVolumePrivilege | 760 | WMIC.exe
Token: 33 | 760 | WMIC.exe
Token: 34 | 760 | WMIC.exe
Token: 35 | 760 | WMIC.exe
Token: 36 | 760 | WMIC.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 4180 wrote to memory of 512 | 4180 | 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe | cmd.exe
PID 4180 wrote to memory of 512 | 4180 | 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe | cmd.exe
PID 4180 wrote to memory of 512 | 4180 | 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe | cmd.exe
PID 512 wrote to memory of 760 | 512 | cmd.exe | WMIC.exe
PID 512 wrote to memory of 760 | 512 | cmd.exe | WMIC.exe
PID 512 wrote to memory of 760 | 512 | cmd.exe | WMIC.exe
PID 4180 wrote to memory of 2104 | 4180 | 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe | cmd.exe
PID 4180 wrote to memory of 2104 | 4180 | 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe | cmd.exe
PID 4180 wrote to memory of 2104 | 4180 | 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe | cmd.exe
PID 2104 wrote to memory of 2128 | 2104 | cmd.exe | systeminfo.exe
PID 2104 wrote to memory of 2128 | 2104 | cmd.exe | systeminfo.exe
PID 2104 wrote to memory of 2128 | 2104 | cmd.exe | systeminfo.exe
PID 2104 wrote to memory of 4128 | 2104 | cmd.exe | findstr.exe
PID 2104 wrote to memory of 4128 | 2104 | cmd.exe | findstr.exe
PID 2104 wrote to memory of 4128 | 2104 | cmd.exe | findstr.exe
Processes

C:\Users\Admin\AppData\Local\Temp\90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4180
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
      - Suspicious use of WriteProcessMemory
      PID:512
        C:\Windows\SysWOW64\Wbem\WMIC.exe
          command line: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
          - Suspicious use of AdjustPrivilegeToken
          PID:760
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c systeminfo | findstr /B /C:"OS Name"
      - Suspicious use of WriteProcessMemory
      PID:2104
        C:\Windows\SysWOW64\systeminfo.exe
          command line: systeminfo
          - Gathers system information
          PID:2128
        C:\Windows\SysWOW64\findstr.exe
          command line: findstr /B /C:"OS Name"
          PID:4128