Resubmissions
03-09-2024 03:25  240903-dy1nxswbpl  (score 10)

max time kernel: 35s
max time network: 37s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03-09-2024 03:25
Behavioral task: behavioral1
Sample: BBA Launcher.exe
Resource: win10-20240404-en

General
Target: BBA Launcher.exe
Size: 168.1MB
MD5: 69ba8c5f1933cbd68f4a53b3633d6ad4
SHA1: 743128ea353a60d1db06eeacec9f4c38f9a78d73
SHA256: 963c4e4a24bcb04da89c66c8b4c63469c7806556a48125ce5d17491f233c6c4f
SHA512: b37aa402fc099192f14c9fdf06a0d91014897ee8e499443305295edb5472faf932714fff0bfaf5e5de8265dd87ec3297609c91a5509ab1f96fa8ef6cb8e68f6b
SSDEEP: 1572864:+QqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/:4BKRcAMyAzB
Malware Config
Signatures
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation | BBA Launcher.exe
(the same query is recorded 5 times)

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow | ioc
1 | raw.githubusercontent.com
2 | raw.githubusercontent.com
3 | raw.githubusercontent.com
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 1004 | BBA Launcher.exe
Token: SeCreatePagefilePrivilege | 1004 | BBA Launcher.exe
(these two entries alternate across all 64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1004 wrote to memory of 4660 | 1004 | BBA Launcher.exe | 74
PID 1004 wrote to memory of 2124 | 1004 | BBA Launcher.exe | 75
PID 1004 wrote to memory of 2184 | 1004 | BBA Launcher.exe | 76
PID 1004 wrote to memory of 656 | 1004 | BBA Launcher.exe | 77
(each row is repeated; 64 IoCs in total)
Processes

C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe"
  PID: 1004
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\BBA Launcher" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1576 --field-trial-handle=1596,i,9514405159514410199,17533984610999548344,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
      PID: 4660

    C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\BBA Launcher" --mojo-platform-channel-handle=2500 --field-trial-handle=1596,i,9514405159514410199,17533984610999548344,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
      PID: 2124

    C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\BBA Launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2732 --field-trial-handle=1596,i,9514405159514410199,17533984610999548344,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
      PID: 2184
      - Checks computer location settings

    C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\BBA Launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1596,i,9514405159514410199,17533984610999548344,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
      PID: 656
      - Checks computer location settings

    C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\BBA Launcher" --mojo-platform-channel-handle=3128 --field-trial-handle=1596,i,9514405159514410199,17533984610999548344,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
      PID: 3620

    C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\BBA Launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3304 --field-trial-handle=1596,i,9514405159514410199,17533984610999548344,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
      PID: 920
      - Checks computer location settings

    C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\BBA Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\BBA Launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3500 --field-trial-handle=1596,i,9514405159514410199,17533984610999548344,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
      PID: 3520
      - Checks computer location settings

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x3d0
  PID: 1092
Network
MITRE ATT&CK Enterprise v15
Downloads