38add4e0067a3d4272bde6ad242cf94fea968a7a40efb292620ee79500825762

Analysis

max time kernel
19s
max time network
21s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
09/03/2024, 16:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bypass.exe
Size

5.3MB
MD5

9a1241f2d323596fbeef668ca803ef45
SHA1

4eb0a84553c2d79f833ac101f2ffd83c095b3cd0
SHA256

38add4e0067a3d4272bde6ad242cf94fea968a7a40efb292620ee79500825762
SHA512

52d76452b9270e2f038750a22459b284ab1e1e6462be799c66038af5e8ac8876c3abf6d7bde30c0d906f88dc4039a8808c30ac0ede5fcfcbf4eea93bb1805431
SSDEEP

98304:UlmqNU4zHQktlw2Kce0t+JhVWn2xxjsS9cIBXIzsQbpjtN:ULp3tlKXjXWnAf7BXIzp

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
116	bypass.exe
116	bypass.exe
116	bypass.exe
116	bypass.exe
116	bypass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	116	bypass.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 116	2008	bypass.exe	88
PID 2008 wrote to memory of 116	2008	bypass.exe	88
PID 116 wrote to memory of 1548	116	bypass.exe	89
PID 116 wrote to memory of 1548	116	bypass.exe	89
PID 116 wrote to memory of 4472	116	bypass.exe	100
PID 116 wrote to memory of 4472	116	bypass.exe	100
PID 116 wrote to memory of 3064	116	bypass.exe	101
PID 116 wrote to memory of 3064	116	bypass.exe	101
PID 116 wrote to memory of 3712	116	bypass.exe	102
PID 116 wrote to memory of 3712	116	bypass.exe	102
PID 116 wrote to memory of 4136	116	bypass.exe	103
PID 116 wrote to memory of 4136	116	bypass.exe	103
PID 116 wrote to memory of 1384	116	bypass.exe	104
PID 116 wrote to memory of 1384	116	bypass.exe	104
PID 116 wrote to memory of 2212	116	bypass.exe	105
PID 116 wrote to memory of 2212	116	bypass.exe	105
PID 116 wrote to memory of 2760	116	bypass.exe	106
PID 116 wrote to memory of 2760	116	bypass.exe	106
PID 116 wrote to memory of 1008	116	bypass.exe	107
PID 116 wrote to memory of 1008	116	bypass.exe	107
PID 116 wrote to memory of 916	116	bypass.exe	108
PID 116 wrote to memory of 916	116	bypass.exe	108
PID 116 wrote to memory of 2972	116	bypass.exe	109
PID 116 wrote to memory of 2972	116	bypass.exe	109
PID 116 wrote to memory of 4984	116	bypass.exe	110
PID 116 wrote to memory of 4984	116	bypass.exe	110
PID 116 wrote to memory of 3916	116	bypass.exe	111
PID 116 wrote to memory of 3916	116	bypass.exe	111
PID 116 wrote to memory of 4140	116	bypass.exe	112
PID 116 wrote to memory of 4140	116	bypass.exe	112
PID 116 wrote to memory of 3632	116	bypass.exe	113
PID 116 wrote to memory of 3632	116	bypass.exe	113

C:\Users\Admin\AppData\Local\Temp\bypass.exe
"C:\Users\Admin\AppData\Local\Temp\bypass.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\bypass.exe
  "C:\Users\Admin\AppData\Local\Temp\bypass.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del c:\windows\logs\cbs\*.log /s /q
    3⤵
    PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\CrashDumps /s /q
    3⤵
    PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\Logs\MoSetup\*.log /s /q
    3⤵
    PID:3712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\Panther\*.log /s /q
    3⤵
    PID:4136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\inf\*.log /s /q
    3⤵
    PID:1384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\logs\*.log /s /q
    3⤵
    PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SoftwareDistribution\*.log /s /q
    3⤵
    PID:2760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\Microsoft.NET\*.log /s /q
    3⤵
    PID:1008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\*.log /s /q
    3⤵
    PID:916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Microsoft\Windows\SettingSync\*.log /s /q
    3⤵
    PID:2972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\*.tmp /s /q
    3⤵
    PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Microsoft\Terminal Server Client\Cache\*.bin /s /q
    3⤵
    PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache /s /q
    3⤵
    PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI20082\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20082\_bz2.pyd

Filesize
87KB

MD5
4079b0e80ef0f97ce35f272410bd29fe

SHA1
19ef1b81a1a0b3286bac74b6af9a18ed381bf92c

SHA256
466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33

SHA512
21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20082\_lzma.pyd

Filesize
251KB

MD5
a567a2ecb4737e5b70500eac25f23049

SHA1
951673dd1a8b5a7f774d34f61b765da2b4026cab

SHA256
a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d

SHA512
97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20082\base_library.zip

Filesize
994KB

MD5
2cbfdd9d140cfec033b87be369551ee3

SHA1
42bbc444691715d56d62cecae6373314d05a267c

SHA256
414f685d9b0ba655e61210cc9f4241829ee3f7a0342762b111d5743a913527eb

SHA512
840936a495a800f5ff32ab66f55c6773aa530fc919a3dfa624b2a04661770e53ff90fcf38dcaccc1341ed847a7ab658c04994fda3309b9f92d100a9fbb7beeba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20082\python37.dll

Filesize
192KB

MD5
a90544ca74c7c3d913188a72308a7785

SHA1
983bf337ed593f2600b9885516abe8c56b4eb05a

SHA256
4b0e670b44b7788a184f2aaf41f6e290e22f514cefaf97f38383dd6f751bdef3

SHA512
46e4243472e9fbe1b11f02810a0d5be7a9eb2ec67b8b8bcac5ef7dd45f3534c0a98f0f309d36137d739bef07ce6390f3c60a099eb3c96256fdbb3b41f406c66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20082\python37.dll

Filesize
3.7MB

MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20082\ucrtbase.dll

Filesize
580KB

MD5
408993a0d9c39020375b28f7ce1dade8

SHA1
b737d8b4470ca4c0a6bcceb34c9e68d1851dd3a5

SHA256
ec0e4338dbdfdee8f9dec7a9232da8e9585570b0ce1cb993a432d4746d0d329b

SHA512
a8fca2f16c272e0036d25e012bb981c9236ee919100e502c5711525a9c4ad006b2a612d97c82cf5dab5a880bd1ff304ebd4c0f83c58fe51a478ce1bb2fb2d744

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20082\ucrtbase.dll

Filesize
192KB

MD5
d14984710087607f2f90fcda31f9f6d0

SHA1
221926edfb287b98e7970ef5faae64d078c5368d

SHA256
3446244b6e62ecdcbab1193748908481bef3bcada92b0f5d745ba2fdfa813f3b

SHA512
d89898b6577393963a5f7a55f29811e940a31c143291000802e2bb7ed67d8ddfde548d220ffe3dd005484f3d35ad67f5cd14c0d060aab1d8d90bf6790f0c7d49

Download Submit