Overview

overview

9

Static

static

3

3c350f5d90...18.exe

windows7-x64

7

3c350f5d90...18.exe

windows10-2004-x64

7

InstallTools.exe

windows7-x64

1

InstallTools.exe

windows10-2004-x64

1

bytefence-....7.exe

windows7-x64

4

bytefence-....7.exe

windows10-2004-x64

4

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...dl.dll

windows7-x64

3

$PLUGINSDI...dl.dll

windows10-2004-x64

3

ByteFence.exe

windows7-x64

9

ByteFence.exe

windows10-2004-x64

7

ByteFenceGUI.dll

windows7-x64

1

ByteFenceGUI.dll

windows10-2004-x64

1

ByteFenceScan.exe

windows7-x64

1

ByteFenceScan.exe

windows10-2004-x64

1

ByteFenceService.exe

windows7-x64

1

ByteFenceService.exe

windows10-2004-x64

1

Microsoft....nt.dll

windows7-x64

1

Microsoft....nt.dll

windows10-2004-x64

1

Microsoft....er.dll

windows7-x64

1

Microsoft....er.dll

windows10-2004-x64

1

amd64/Kern...ol.dll

windows10-2004-x64

1

amd64/msdia140.dll

windows7-x64

7

amd64/msdia140.dll

windows10-2004-x64

7

protobuf-net.dll

windows7-x64

1

protobuf-net.dll

windows10-2004-x64

1

rsEngine.dll

windows7-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/05/2024, 18:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ByteFence.exe

  • Size

    3.8MB

  • MD5

    b821cd61e2d66b1ca5c795230f6b1b8e

  • SHA1

    a2e0cea3af916f98233ad73992cbac1dea55b234

  • SHA256

    16e0d6966e98794aa18719606e41f4d4ae74683d652e81374717282fc8b3239e

  • SHA512

    6f88f403aadb97612bb409bae098bfba28d863a97c4fdb5a69431732251d7a91d3bc76750d30e30db38df1e7d4cf2f633c2b5a09cfef08437d5d1a6cfd55ebd7

  • SSDEEP

    98304:YXrXAQnL22v90UxMwbV1J29H0SF8A9q4er:YTL2mewhn2ddrur

Score
7/10
evasionspywarestealertrojan

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ByteFence.exe
    "C:\Users\Admin\AppData\Local\Temp\ByteFence.exe"
    1⤵
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4304
    • \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe
      "c:\users\admin\appdata\local\temp\ByteFenceService.exe" /i
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4936
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 2284
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:5100
  • \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe
    "c:\users\admin\appdata\local\temp\ByteFenceService.exe"
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2356

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ByteFenceService.InstallLog
    Filesize

    278B

    MD5

    6eaa1926a6ef20c0742b1344bf1d8a14

    SHA1

    a9ba7268b609d64e0434d9a8f3f78d2371a2ac1d

    SHA256

    119aacf78c0083c15adc496df961bb78fe33efac6d3f41227d903f6c63b3ee28

    SHA512

    f4fef01bcded694a182440501f7a0dd47d6441e2558f1df26d019697a2f9372fd0f0e6ba8e1bb2b30b4fe34f53eefbc439e7ead6f1d726fd465543c9fccc9889

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ByteFenceService.InstallLog
    Filesize

    717B

    MD5

    69b661f1c5111bab508264cdc91e33ef

    SHA1

    d2b443a7aa799e0bd48124e6583ed92b591ffc3d

    SHA256

    2d60399359ec8f2906cac7f836a0f10162c961b89eae1e849073acbbb6d3d84d

    SHA512

    cf132dc26464264d2c6ec093efc7aa0b64afdbb9ad0e2f1ce0faf8f54447f0588627677de33a67e30a12110aea3d1103be7e4d00fc8dc30cf85b314a73b63c07

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\Errors.dat
    Filesize

    3KB

    MD5

    1afccef54cc6edf48ac5d5c977354907

    SHA1

    a76964c4cf3587da329f780bf44fd549be186c8b

    SHA256

    3c97478e4cf684ab61f201ffe8ac76900a74c1d10607723b51697274eb141ce2

    SHA512

    785b5d06d1bcb2805e0bb98e180398aded2b90d2a9a76aef80a4e1b67ef2208639620db0b85d230e6eeac9e5ff5760905de16c58ac28e349779595fdf3d4da84

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\Logs\err.dat
    Filesize

    5KB

    MD5

    eaaab72801fa8dde5afd048a709edf07

    SHA1

    be43becfc3841053e4546e2f69af4e3ec500f149

    SHA256

    969419a1ceeef5722f0cfcfbedf7ca021d1e2cbc2c31a605b7be8aae585e2624

    SHA512

    51ce14157bdfacd79e848c547a4145d30144257ac201209be8a6ddbc644f00f145faa15f475025a53f4d0a3543d88006047a87c7cb1f9f770a31727e0045e6e4

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\rsEngine.config
    Filesize

    344B

    MD5

    56471e1d552cf365892a221059747376

    SHA1

    89cb5955b2ea777edd6366c5139029946310bafd

    SHA256

    d71574e62332c8ba76faf56f14de7357b6b2eba1d6c2e41dd140170a7b729d50

    SHA512

    a5be82b7a7940a60e5febf5458237fcfa4b1a06188604529089b711b802c0fee7bad700a368830737e78d0c32431cc8baa13cb65f1c320cf14943be7d8e46972

    Download Submit

  • memory/2356-107-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2356-55-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2356-51-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2356-48-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2356-47-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4304-13-0x000000001C7D0000-0x000000001C7F0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4304-4-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4304-1-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4304-2-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4304-3-0x000000001D170000-0x000000001D6C4000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4304-106-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4304-93-0x0000000023720000-0x0000000023856000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4304-91-0x00000000253D0000-0x0000000025414000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4304-92-0x00000000256F0000-0x0000000025726000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4304-11-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4304-9-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4304-90-0x000000001F9E0000-0x000000001FA20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/4304-8-0x000000001C540000-0x000000001C57C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4304-7-0x000000001C4A0000-0x000000001C53C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4304-49-0x00007FFCB5B55000-0x00007FFCB5B56000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4304-50-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4304-6-0x000000001EA20000-0x000000001EEEE000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/4304-5-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4304-54-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4304-0-0x00007FFCB5B55000-0x00007FFCB5B56000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4304-56-0x000000001F970000-0x000000001F9DA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/4304-59-0x000000001CC90000-0x000000001CCE2000-memory.dmp

    Filesize

    328KB

    Download

  • memory/4304-60-0x000000001C5A0000-0x000000001C5A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4304-61-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4304-62-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4304-63-0x000000001C860000-0x000000001C866000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4304-64-0x0000000020D70000-0x0000000020EEC000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4304-77-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4304-82-0x0000000020800000-0x0000000020862000-memory.dmp

    Filesize

    392KB

    Download

  • memory/4936-46-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4936-22-0x000000001C720000-0x000000001C744000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4936-19-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4936-18-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4936-17-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4936-16-0x000000001BA50000-0x000000001BA68000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4936-15-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4936-14-0x00007FFCB58A0000-0x00007FFCB6241000-memory.dmp

    Filesize

    9.6MB

    Download