Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-04-2024 03:42
Static task: static1
Behavioral task: behavioral1
- Sample: Bypass.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: Bypass.exe
- Resource: win10v2004-20240419-en
General
- Target: Bypass.exe
- Size: 825KB
- MD5: c50cb2d89627c4692e8f4fa4883515dc
- SHA1: 8b0f375062dad2529dcd56206418ecd80caee674
- SHA256: dd515c6d05e63cf5055f3667b776a6a81018501e75989a4aa34951d4e0b18d7a
- SHA512: 9ffb3b04806474de58516ce26766134c7dbf40bb765d1b83a8eb13d90c021b9e349abb0e735cd6da39c71b35eebd4c65877ac134d7ea2a1ca2bb97ad4ad0ffff
- SSDEEP: 24576:K++RmSlgqgj7P3HBqvOtC58wVPCRFizYrtWrFV5v:K++YkPM4WtdwVC/JWxPv
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: csrss.exe (PID 2484)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (4 IoCs)
  Files created by Bypass.exe:
    C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\csrss.exe
    C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\886983d96e3d3e
    C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe
    C:\Program Files\Microsoft Office\Office14\1033\b75386f1303e64
- Drops file in Windows directory (1 IoCs)
  File created by Bypass.exe:
    C:\Windows\servicing\it-IT\Idle.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: Bypass.exe (PID 2740), 64 events
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: csrss.exe (PID 2484)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: Bypass.exe (PID 2740); csrss.exe (PID 2484)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each write is reported three times, 4 distinct source/target pairs):
    PID 2740 (Bypass.exe) wrote to memory of PID 2760 (cmd.exe)
    PID 2760 (cmd.exe) wrote to memory of PID 2604 (chcp.com)
    PID 2760 (cmd.exe) wrote to memory of PID 2660 (w32tm.exe)
    PID 2760 (cmd.exe) wrote to memory of PID 2484 (csrss.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Bypass.exe (depth 1, PID 2740)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bypass.exe"
  Signatures:
    Drops file in Program Files directory
    Drops file in Windows directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (depth 2, PID 2760)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rEwop50RtX.bat"
    Signatures:
      Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com (depth 3, PID 2604)
      Command line: chcp 65001
    - C:\Windows\system32\w32tm.exe (depth 3, PID 2660)
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    - C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\csrss.exe (depth 3, PID 2484)
      Command line: "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\csrss.exe"
      Signatures:
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe
  Filesize: 825KB
  MD5: c50cb2d89627c4692e8f4fa4883515dc
  SHA1: 8b0f375062dad2529dcd56206418ecd80caee674
  SHA256: dd515c6d05e63cf5055f3667b776a6a81018501e75989a4aa34951d4e0b18d7a
  SHA512: 9ffb3b04806474de58516ce26766134c7dbf40bb765d1b83a8eb13d90c021b9e349abb0e735cd6da39c71b35eebd4c65877ac134d7ea2a1ca2bb97ad4ad0ffff
- C:\Users\Admin\AppData\Local\Temp\rEwop50RtX.bat
  Filesize: 237B
  MD5: 25d6c3d669535231c55a69fe34a4b13e
  SHA1: e316f3d4d6b11dd2f3f3a7b1cf283d63087cac7b
  SHA256: a7ce2cf63406025dc303bfc042cf0b686edb16b6291b8bbc293d2b795a189993
  SHA512: d5cdac661ffdf98b944359cc1da96bdb1936defe545d2c75f8474087d61ca890c1f9e94a75096c5ee561264c8ee1e9de36a1d640109d96984ab23f3034c9bc91
- memory/2484-46-0x000000001ACA0000-0x000000001AD72000-memory.dmp (Filesize: 840KB)
- memory/2484-45-0x0000000000300000-0x00000000003D4000-memory.dmp (Filesize: 848KB)
- memory/2740-16-0x0000000000310000-0x000000000031C000-memory.dmp (Filesize: 48KB)
- memory/2740-20-0x000000001B450000-0x000000001B4D0000-memory.dmp (Filesize: 512KB)
- memory/2740-7-0x00000000005B0000-0x00000000005CC000-memory.dmp (Filesize: 112KB)
- memory/2740-9-0x0000000000A70000-0x0000000000A88000-memory.dmp (Filesize: 96KB)
- memory/2740-10-0x00000000776C0000-0x00000000776C1000-memory.dmp (Filesize: 4KB)
- memory/2740-12-0x0000000000300000-0x000000000030E000-memory.dmp (Filesize: 56KB)
- memory/2740-13-0x00000000776B0000-0x00000000776B1000-memory.dmp (Filesize: 4KB)
- memory/2740-14-0x00000000776A0000-0x00000000776A1000-memory.dmp (Filesize: 4KB)
- memory/2740-0-0x0000000000E90000-0x0000000000F64000-memory.dmp (Filesize: 848KB)
- memory/2740-18-0x0000000000A90000-0x0000000000A9E000-memory.dmp (Filesize: 56KB)
- memory/2740-19-0x0000000077690000-0x0000000077691000-memory.dmp (Filesize: 4KB)
- memory/2740-5-0x00000000776D0000-0x00000000776D1000-memory.dmp (Filesize: 4KB)
- memory/2740-24-0x000000001B450000-0x000000001B4D0000-memory.dmp (Filesize: 512KB)
- memory/2740-26-0x000000001B450000-0x000000001B4D0000-memory.dmp (Filesize: 512KB)
- memory/2740-25-0x000000001B450000-0x000000001B4D0000-memory.dmp (Filesize: 512KB)
- memory/2740-4-0x000000001B450000-0x000000001B4D0000-memory.dmp (Filesize: 512KB)
- memory/2740-40-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp (Filesize: 9.9MB)
- memory/2740-39-0x0000000077900000-0x0000000077AA9000-memory.dmp (Filesize: 1.7MB)
- memory/2740-3-0x0000000077900000-0x0000000077AA9000-memory.dmp (Filesize: 1.7MB)
- memory/2740-2-0x0000000000DC0000-0x0000000000E92000-memory.dmp (Filesize: 840KB)
- memory/2740-1-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp (Filesize: 9.9MB)