640c6fc0a1d5fcfc7b8485ea2eee124acb82e95ce879fe0301283abcbfb5ef69

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

640c6fc0a1d5fcfc7b8485ea2eee124acb82e95ce879fe0301283abcbfb5ef69.exe
Size

4.8MB
MD5

70bcb644a296d93a0e922ea87b461306
SHA1

87677964f0c03736844f05677de52e3ab53e2240
SHA256

640c6fc0a1d5fcfc7b8485ea2eee124acb82e95ce879fe0301283abcbfb5ef69
SHA512

8a592faa06ddff66ebab20f8c5368a5dca0ebf75a4672dbb06adb9bcda25eb95809b4899967ac0e6850c38247eee56290a9c12d1360340121cc8715a37668af3
SSDEEP

98304:6dhqCN2wunfeJx0lXzutWSb2cA6l5j5Z5Z1y/eOn4Od4chFFd57e:mhqO2lGf02qjej5fZsT4OOsd57e

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1188	is-42UFG.tmp
2404	BBuster.exe
2032	BBuster.exe

Loads dropped DLL 1 IoCs

pid	Process
1188	is-42UFG.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.159.66.125

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BBuster\is-QKQS3.tmp	is-42UFG.tmp
File opened for modification	C:\Program Files (x86)\BBuster\unins000.dat	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-STS71.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-8QM66.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Online\is-AFQL2.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Help\is-NU3I0.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\is-H2LDJ.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-0K54H.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-4UDSR.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-P3M54.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-48K8N.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-UMOBQ.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Plugins\is-GOJVA.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-FDM2P.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-6EKAT.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Plugins\is-T25DV.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Plugins\is-APL07.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-5KK3S.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-B279O.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-HAT6D.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-2DEOE.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Plugins\is-KP1HV.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\unins000.dat	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-K7983.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-K572K.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-0L411.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Online\is-IP7FN.tmp	is-42UFG.tmp
File opened for modification	C:\Program Files (x86)\BBuster\BBuster.exe	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-CT8QN.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-EB2QG.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-KA6ED.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-486L4.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-NGSVJ.tmp	is-42UFG.tmp
File created	C:\Program Files (x86)\BBuster\Lang\is-1JMHK.tmp	is-42UFG.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1188	2924	640c6fc0a1d5fcfc7b8485ea2eee124acb82e95ce879fe0301283abcbfb5ef69.exe	87
PID 2924 wrote to memory of 1188	2924	640c6fc0a1d5fcfc7b8485ea2eee124acb82e95ce879fe0301283abcbfb5ef69.exe	87
PID 2924 wrote to memory of 1188	2924	640c6fc0a1d5fcfc7b8485ea2eee124acb82e95ce879fe0301283abcbfb5ef69.exe	87
PID 1188 wrote to memory of 3740	1188	is-42UFG.tmp	92
PID 1188 wrote to memory of 3740	1188	is-42UFG.tmp	92
PID 1188 wrote to memory of 3740	1188	is-42UFG.tmp	92
PID 1188 wrote to memory of 2404	1188	is-42UFG.tmp	91
PID 1188 wrote to memory of 2404	1188	is-42UFG.tmp	91
PID 1188 wrote to memory of 2404	1188	is-42UFG.tmp	91
PID 3740 wrote to memory of 2908	3740	net.exe	94
PID 3740 wrote to memory of 2908	3740	net.exe	94
PID 3740 wrote to memory of 2908	3740	net.exe	94
PID 1188 wrote to memory of 2032	1188	is-42UFG.tmp	98
PID 1188 wrote to memory of 2032	1188	is-42UFG.tmp	98
PID 1188 wrote to memory of 2032	1188	is-42UFG.tmp	98

C:\Users\Admin\AppData\Local\Temp\640c6fc0a1d5fcfc7b8485ea2eee124acb82e95ce879fe0301283abcbfb5ef69.exe
"C:\Users\Admin\AppData\Local\Temp\640c6fc0a1d5fcfc7b8485ea2eee124acb82e95ce879fe0301283abcbfb5ef69.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\is-9AUD0.tmp\is-42UFG.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9AUD0.tmp\is-42UFG.tmp" /SL4 $A0228 "C:\Users\Admin\AppData\Local\Temp\640c6fc0a1d5fcfc7b8485ea2eee124acb82e95ce879fe0301283abcbfb5ef69.exe" 4731609 79360
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Program Files (x86)\BBuster\BBuster.exe
    "C:\Program Files (x86)\BBuster\BBuster.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2404
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 3
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 3
      4⤵
      PID:2908
- - C:\Program Files (x86)\BBuster\BBuster.exe
    "C:\Program Files (x86)\BBuster\BBuster.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BBuster\BBuster.exe

Filesize
3.7MB

MD5
6b34118b730d887ec9fb212547bccb37

SHA1
35fcc7a7f2d762b75f7c92f14c3c4a3d31c615d8

SHA256
6e353f0de50fe5c836ded024b1778b916c5dd8765857fee806e5d1f12a8ddbe3

SHA512
9707286318fcc6dd4695af76858b6dc3efcd993d398dfc92690e8d13552edf42cd48dad2cfe861d56679af8571120f27ba1a70d5db77bbd7458326f0d9f9cf6e

Download Submit
C:\Program Files (x86)\BBuster\BBuster.exe

Filesize
3.7MB

MD5
6b34118b730d887ec9fb212547bccb37

SHA1
35fcc7a7f2d762b75f7c92f14c3c4a3d31c615d8

SHA256
6e353f0de50fe5c836ded024b1778b916c5dd8765857fee806e5d1f12a8ddbe3

SHA512
9707286318fcc6dd4695af76858b6dc3efcd993d398dfc92690e8d13552edf42cd48dad2cfe861d56679af8571120f27ba1a70d5db77bbd7458326f0d9f9cf6e

Download Submit
C:\Program Files (x86)\BBuster\BBuster.exe

Filesize
3.7MB

MD5
6b34118b730d887ec9fb212547bccb37

SHA1
35fcc7a7f2d762b75f7c92f14c3c4a3d31c615d8

SHA256
6e353f0de50fe5c836ded024b1778b916c5dd8765857fee806e5d1f12a8ddbe3

SHA512
9707286318fcc6dd4695af76858b6dc3efcd993d398dfc92690e8d13552edf42cd48dad2cfe861d56679af8571120f27ba1a70d5db77bbd7458326f0d9f9cf6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2ON3E.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9AUD0.tmp\is-42UFG.tmp

Filesize
643KB

MD5
a991510c12f20ccf8a5231a32a7958c3

SHA1
122724d1a4fdea39af3aa427e4941158d7e91dfa

SHA256
0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

SHA512
8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9AUD0.tmp\is-42UFG.tmp

Filesize
643KB

MD5
a991510c12f20ccf8a5231a32a7958c3

SHA1
122724d1a4fdea39af3aa427e4941158d7e91dfa

SHA256
0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

SHA512
8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

Download Submit
memory/1188-90-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1188-7-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1188-94-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2032-119-0x0000000000950000-0x00000000009F9000-memory.dmp

Filesize
676KB

Download
memory/2032-108-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-140-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-137-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-93-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-134-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-95-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-97-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-99-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-102-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-105-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-131-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-111-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-114-0x0000000000950000-0x00000000009F9000-memory.dmp

Filesize
676KB

Download
memory/2032-117-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-128-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-121-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2032-124-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2404-88-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2404-82-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2404-84-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2924-1-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2924-86-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download