Analysis
max time kernel: 126s
max time network: 139s
platform: windows10-1703_x64
resource: win10-20231023-en
resource tags: arch:x64, arch:x86, image:win10-20231023-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26-10-2023 15:49
Behavioral tasks
behavioral1: sample 454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79.exe, resource win10-20231023-en
behavioral2: sample 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69.exe, resource win10-20231020-en
behavioral3: sample 9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f.exe, resource win10-20231023-en
General
Target: 9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f.exe
Size: 612KB
MD5: 59ac3eacd67228850d5478fd3f18df78
SHA1: cdc11d2244321b850fad88a92e704a8ce2255ca7
SHA256: 9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f
SHA512: 4ec98c66f90254ba51daf9211ac18429329dd65d12a02ba1e6a59a3bfb36ca1e8cfb60e8c9219d72511b7c33f9b9786b2c421953e98bd9055a76b5eb43d9890f
SSDEEP: 12288:tZ2eNScaljS/F419WCntAWjVX5ykOKytwz07JK88AMFjYSFPAZ:L2eNSc4wERntjVJxOK1z078sEVlO
Malware Config
Extracted
bunnyloader
http://localhost/Bunny/StealerLogs/BunnyLogs_
Signatures

BunnyLoader
BunnyLoader is a loader family written in C++.

resource | yara_rule
behavioral3/memory/436-0-0x0000000000BF0000-0x0000000000D67000-memory.dmp | upx
behavioral3/memory/436-1-0x0000000000BF0000-0x0000000000D67000-memory.dmp | upx
behavioral3/memory/436-3-0x0000000000BF0000-0x0000000000D67000-memory.dmp | upx
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | api.ipify.org
3 | ip-api.com
Suspicious use of AdjustPrivilegeToken (42 IoCs)
Processes: WMIC.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 708 | WMIC.exe
Token: SeSecurityPrivilege | 708 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 708 | WMIC.exe
Token: SeLoadDriverPrivilege | 708 | WMIC.exe
Token: SeSystemProfilePrivilege | 708 | WMIC.exe
Token: SeSystemtimePrivilege | 708 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 708 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 708 | WMIC.exe
Token: SeCreatePagefilePrivilege | 708 | WMIC.exe
Token: SeBackupPrivilege | 708 | WMIC.exe
Token: SeRestorePrivilege | 708 | WMIC.exe
Token: SeShutdownPrivilege | 708 | WMIC.exe
Token: SeDebugPrivilege | 708 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 708 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 708 | WMIC.exe
Token: SeUndockPrivilege | 708 | WMIC.exe
Token: SeManageVolumePrivilege | 708 | WMIC.exe
Token: 33 | 708 | WMIC.exe
Token: 34 | 708 | WMIC.exe
Token: 35 | 708 | WMIC.exe
Token: 36 | 708 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 708 | WMIC.exe
Token: SeSecurityPrivilege | 708 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 708 | WMIC.exe
Token: SeLoadDriverPrivilege | 708 | WMIC.exe
Token: SeSystemProfilePrivilege | 708 | WMIC.exe
Token: SeSystemtimePrivilege | 708 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 708 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 708 | WMIC.exe
Token: SeCreatePagefilePrivilege | 708 | WMIC.exe
Token: SeBackupPrivilege | 708 | WMIC.exe
Token: SeRestorePrivilege | 708 | WMIC.exe
Token: SeShutdownPrivilege | 708 | WMIC.exe
Token: SeDebugPrivilege | 708 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 708 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 708 | WMIC.exe
Token: SeUndockPrivilege | 708 | WMIC.exe
Token: SeManageVolumePrivilege | 708 | WMIC.exe
Token: 33 | 708 | WMIC.exe
Token: 34 | 708 | WMIC.exe
Token: 35 | 708 | WMIC.exe
Token: 36 | 708 | WMIC.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f.exe, cmd.exe
description | pid | process | target process
PID 436 wrote to memory of 3424 | 436 | 9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f.exe | cmd.exe
PID 436 wrote to memory of 3424 | 436 | 9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f.exe | cmd.exe
PID 436 wrote to memory of 3424 | 436 | 9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f.exe | cmd.exe
PID 3424 wrote to memory of 708 | 3424 | cmd.exe | WMIC.exe
PID 3424 wrote to memory of 708 | 3424 | cmd.exe | WMIC.exe
PID 3424 wrote to memory of 708 | 3424 | cmd.exe | WMIC.exe
Processes
C:\Users\Admin\AppData\Local\Temp\9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f.exe"
  PID: 436
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
    PID: 3424
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
      PID: 708
      - Suspicious use of AdjustPrivilegeToken