dd515c6d05e63cf5055f3667b776a6a81018501e75989a4aa34951d4e0b18d7a

General

Target

Bypass.exe
Size

825KB
MD5

c50cb2d89627c4692e8f4fa4883515dc
SHA1

8b0f375062dad2529dcd56206418ecd80caee674
SHA256

dd515c6d05e63cf5055f3667b776a6a81018501e75989a4aa34951d4e0b18d7a
SHA512

9ffb3b04806474de58516ce26766134c7dbf40bb765d1b83a8eb13d90c021b9e349abb0e735cd6da39c71b35eebd4c65877ac134d7ea2a1ca2bb97ad4ad0ffff
SSDEEP

24576:K++RmSlgqgj7P3HBqvOtC58wVPCRFizYrtWrFV5v:K++YkPM4WtdwVC/JWxPv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

2484 csrss.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2484	csrss.exe

Drops file in Program Files directory 4 IoCs

Processes:

Bypass.exe

description	ioc	process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\csrss.exe	Bypass.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\886983d96e3d3e	Bypass.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe	Bypass.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\b75386f1303e64	Bypass.exe

Drops file in Windows directory 1 IoCs

Processes:

Bypass.exe

description ioc process

File created C:\Windows\servicing\it-IT\Idle.exe Bypass.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\servicing\it-IT\Idle.exe	Bypass.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Bypass.exe

pid	process
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe
2740	Bypass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid process

2484 csrss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Bypass.execsrss.exe

description pid process

Token: SeDebugPrivilege 2740 Bypass.exe
Token: SeDebugPrivilege 2484 csrss.exe

pid	process
2484	csrss.exe

description	pid	process
Token: SeDebugPrivilege	2740	Bypass.exe
Token: SeDebugPrivilege	2484	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Bypass.execmd.exe

description	pid	process	target process
PID 2740 wrote to memory of 2760	2740	Bypass.exe	cmd.exe
PID 2740 wrote to memory of 2760	2740	Bypass.exe	cmd.exe
PID 2740 wrote to memory of 2760	2740	Bypass.exe	cmd.exe
PID 2760 wrote to memory of 2604	2760	cmd.exe	chcp.com
PID 2760 wrote to memory of 2604	2760	cmd.exe	chcp.com
PID 2760 wrote to memory of 2604	2760	cmd.exe	chcp.com
PID 2760 wrote to memory of 2660	2760	cmd.exe	w32tm.exe
PID 2760 wrote to memory of 2660	2760	cmd.exe	w32tm.exe
PID 2760 wrote to memory of 2660	2760	cmd.exe	w32tm.exe
PID 2760 wrote to memory of 2484	2760	cmd.exe	csrss.exe
PID 2760 wrote to memory of 2484	2760	cmd.exe	csrss.exe
PID 2760 wrote to memory of 2484	2760	cmd.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\Bypass.exe
"C:\Users\Admin\AppData\Local\Temp\Bypass.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rEwop50RtX.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2604

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2660

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\csrss.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\csrss.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe
Filesize
825KB

MD5
c50cb2d89627c4692e8f4fa4883515dc

SHA1
8b0f375062dad2529dcd56206418ecd80caee674

SHA256
dd515c6d05e63cf5055f3667b776a6a81018501e75989a4aa34951d4e0b18d7a

SHA512
9ffb3b04806474de58516ce26766134c7dbf40bb765d1b83a8eb13d90c021b9e349abb0e735cd6da39c71b35eebd4c65877ac134d7ea2a1ca2bb97ad4ad0ffff

Download Submit
C:\Users\Admin\AppData\Local\Temp\rEwop50RtX.bat
Filesize
237B

MD5
25d6c3d669535231c55a69fe34a4b13e

SHA1
e316f3d4d6b11dd2f3f3a7b1cf283d63087cac7b

SHA256
a7ce2cf63406025dc303bfc042cf0b686edb16b6291b8bbc293d2b795a189993

SHA512
d5cdac661ffdf98b944359cc1da96bdb1936defe545d2c75f8474087d61ca890c1f9e94a75096c5ee561264c8ee1e9de36a1d640109d96984ab23f3034c9bc91

Download Submit
memory/2484-46-0x000000001ACA0000-0x000000001AD72000-memory.dmp

Filesize
840KB

Download
memory/2484-45-0x0000000000300000-0x00000000003D4000-memory.dmp

Filesize
848KB

Download
memory/2740-16-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2740-20-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/2740-7-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2740-9-0x0000000000A70000-0x0000000000A88000-memory.dmp

Filesize
96KB

Download
memory/2740-10-0x00000000776C0000-0x00000000776C1000-memory.dmp

Filesize
4KB

Download
memory/2740-12-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/2740-13-0x00000000776B0000-0x00000000776B1000-memory.dmp

Filesize
4KB

Download
memory/2740-14-0x00000000776A0000-0x00000000776A1000-memory.dmp

Filesize
4KB

Download
memory/2740-0-0x0000000000E90000-0x0000000000F64000-memory.dmp

Filesize
848KB

Download
memory/2740-18-0x0000000000A90000-0x0000000000A9E000-memory.dmp

Filesize
56KB

Download
memory/2740-19-0x0000000077690000-0x0000000077691000-memory.dmp

Filesize
4KB

Download
memory/2740-5-0x00000000776D0000-0x00000000776D1000-memory.dmp

Filesize
4KB

Download
memory/2740-24-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/2740-26-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/2740-25-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/2740-4-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/2740-40-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2740-39-0x0000000077900000-0x0000000077AA9000-memory.dmp

Filesize
1.7MB

Download
memory/2740-3-0x0000000077900000-0x0000000077AA9000-memory.dmp

Filesize
1.7MB

Download
memory/2740-2-0x0000000000DC0000-0x0000000000E92000-memory.dmp

Filesize
840KB

Download
memory/2740-1-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads