Resubmissions
23/07/2024, 17:32
240723-v4egba1drj 10Analysis
-
max time kernel
143s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
23/07/2024, 17:32
Behavioral task
behavioral1
Sample
ButterflyLauncher.exe
Resource
win7-20240705-en
0 signatures
150 seconds
Behavioral task
behavioral2
Sample
ButterflyLauncher.exe
Resource
win10v2004-20240709-en
6 signatures
150 seconds
General
-
Target
ButterflyLauncher.exe
-
Size
241.1MB
-
MD5
b29564dd9adcdac584e65fcb27dc3f13
-
SHA1
be24c69c4e12eb2beb9ac5d431bb60f520a179a0
-
SHA256
2c552d11daebd76dafe245681272cc13fd9c51b01f9c475d609f9aeccafe3fe5
-
SHA512
846265617a267f587ac55ebdf855ebd2c22706b89b734597aa1466a6e10866662ed3ec89c9c4a0a0f1e9aa489fa4ed7fe3bfb1e51a83cabcb736b24309c19e1f
-
SSDEEP
1572864:8hhHI0W4V8PW6Z/wbmrKy7YgIkW433h28PW6Z/wbmrCy7YgIl4LpgF3TVGnBJm9I:qho0+fZaM2kHR3fZaU2l/F3Vn0f
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation ButterflyLauncher.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 22 raw.githubusercontent.com 23 raw.githubusercontent.com 25 raw.githubusercontent.com 43 pastebin.com 44 pastebin.com 52 pastebin.com -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS ButterflyLauncher.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer ButterflyLauncher.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion ButterflyLauncher.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3640 ButterflyLauncher.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3640 ButterflyLauncher.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3640 ButterflyLauncher.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ButterflyLauncher.exe"C:\Users\Admin\AppData\Local\Temp\ButterflyLauncher.exe"1⤵
- Checks computer location settings
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3640