0dd1f6e20e065ec3c860fe9bbe6688937450c707ce7e2d2ac53558381799244b

Analysis

max time kernel
116s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20/11/2024, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ByteBreakerBootstrapper.exe
Size

10KB
MD5

42685dcac1e93766a145506117e18bdb
SHA1

35268754ce19f7abeed26e159dae93e6e1f4ffaf
SHA256

0dd1f6e20e065ec3c860fe9bbe6688937450c707ce7e2d2ac53558381799244b
SHA512

33f42a1d09abe53c870f13336b6ce652bcd3d87614e0bc70ca109f1b6668c30766e4337a9a5e86a3dce55c904c431bafc165f5aa915daa70c98521eab3a37c3f
SSDEEP

96:gNCH5JT31k12R1NIiG1Q94btQF+e9sn3Xkb21AmUVC6NW3b9Ajt86sQVeCqpE/u3:QufBE2R7WQ94JQFrqSmUI6PDsQVf7G5

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ByteBreakerBootstrapper.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4824	ByteBreakerBootstrapper.exe
Token: SeRestorePrivilege	2968	7z.exe
Token: 35	2968	7z.exe
Token: SeSecurityPrivilege	2968	7z.exe
Token: SeSecurityPrivilege	2968	7z.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2724	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 2968	4824	ByteBreakerBootstrapper.exe	80
PID 4824 wrote to memory of 2968	4824	ByteBreakerBootstrapper.exe	80

C:\Users\Admin\AppData\Local\Temp\ByteBreakerBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\ByteBreakerBootstrapper.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\ByteBreakerV1.7z" -o"C:\Users\Admin\AppData\Local\Temp\ByteBreaker" -y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2968

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ByteBreakerV1.7z

Filesize
18.7MB

MD5
dae15d9a883fc3039968985fd6a2931b

SHA1
74d3f3f69dcd06699d75b70bfa782f6be038d1fe

SHA256
0695d2e5f79860ee7f6a7a5e9d97af298f5a5b2d22d35c7fb44624545cabbe7e

SHA512
b1770d0a096a33018b5c0d2274da8e1412ba5eb1dab65f527b2b1cabdf54416881252c7de580df5e29410d55a3cceb88ddc16c749ef599291e47146942a327b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByteBreaker\ByteBreaker.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByteBreaker\ByteBreaker.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
8c896e16f657bef6c086f834471406da

SHA1
2d9bda5292560bd380ed4336526c4b37c866a7d1

SHA256
1e75d43df5b3a3904df3b23471404d7e19205ee143f41a418845aad24f8d0ea2

SHA512
568016ffb4778cfb4d81e3fbb2cc35cc0878782f6338d8bba2a509d160093fddacfa020bc8c3de4fe19150a796ffcb2a7f790cec4b30d52f8ce006e322b58249

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByteBreaker\ByteBreaker.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByteBreaker\ByteBreaker.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByteBreaker\ByteBreaker.exe.WebView2\EBWebView\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByteBreaker\ByteBreaker.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByteBreaker\ByteBreaker.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByteBreaker\Editor\package\esm\vs\base\browser\ui\iconLabel\iconHoverDelegate.js

Filesize
368B

MD5
dff5cd240217dc0e722c27be242db91d

SHA1
244d1e7b3a10bb26e52ad9019e0e20f8bb3a72aa

SHA256
151caa77914089aa02273bb851f4b9a198eaab38da7eb9e4bdd7af8075c2dc57

SHA512
e6033e28f65f29ec3a7fc2e367bb6dd2909e38e5e5ccd267fe920e82c25de00c3cf5593db022dc1664ec00652882d5093121f2686788ee3eb60d0b2d87fef6d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByteBreaker\Editor\package\esm\vs\language\typescript\fillers\monaco-editor-core.d.ts

Filesize
37B

MD5
604924c7fd140e65f677cff5c06ea77e

SHA1
60adb20bf4cac895df6b31a4da98a4d2267ca3e6

SHA256
87b3728d7af0f6c25f9cdbedfbc093f5e46a24371910199a638a1a13e3444668

SHA512
34affd619893b93ebfeb0d19daf6c4768b0e3de7d4d8272058cd41608ef9a1f5ceb5951b0b8a7732dd4e3e020d51bda9c9509eed4a3a5705d3a1ad396d610af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByteBreaker\Editor\package\esm\vs\language\typescript\fillers\monaco-editor-core.js

Filesize
404B

MD5
40fc593844c4ee88ff8e87481824dda0

SHA1
c2d8bed92d90e685576812d7c62ac2db28af2185

SHA256
a27649c652a7abcefe0b54567eb64f1cdf9be521bab22cfb71718e816b160375

SHA512
0457cf90d188e803401555e57a24647e592830ddad9e9e73d64a89889ec6b40eb15d2330ba507c6bad2faceb6c14bb643b4557db1e68896354aa6a19a99ae357

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByteBreaker\Editor\package\esm\vs\platform\telemetry\common\gdprTypings.js

Filesize
12B

MD5
5c7f99e3d4eaae821996a487acc6a5e2

SHA1
9ff99e6a0a31241fe503c3c76a340bedfe2902b7

SHA256
f761c91419d0a89422a0004ef1a92929dd4d2d5e5c16758654d8b0467d1998c6

SHA512
9247b46a096ad45b486e4b83bb880a7d4e0da7731e3e64b8ba41513a0632932d3bfcf132b2d20e81e363c2595aa9a38d486111dc6365c0f014c1af25ec0be839

Download Submit
C:\Users\Admin\AppData\Local\Temp\ByteBreaker\Editor\package\min\vs\base\browser\ui\codicons\codicon\codicon.ttf

Filesize
63KB

MD5
b13daaad214ef227a36fefd95d924380

SHA1
95791fc8733a4bae907859b1a46bd1115f90c983

SHA256
774c4acc42f27289850537e2b6e9b85f67fde54145f6f41876dc4f65b45a4a20

SHA512
ad05613494a490e01504a30e34d7fb5bc2e535d70b5e5d5154a81ad1acaa51c0e368a6fae6aaa0a42faaae63f7e751a98748a7c291056100b7ad687ff6ae687d

Download Submit
memory/4824-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

Filesize
4KB

Download
memory/4824-1-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/4824-2-0x0000000005AB0000-0x0000000006056000-memory.dmp

Filesize
5.6MB

Download
memory/4824-3-0x0000000074E70000-0x0000000075621000-memory.dmp

Filesize
7.7MB

Download
memory/4824-2830-0x000000000B5C0000-0x000000000B652000-memory.dmp

Filesize
584KB

Download
memory/4824-2831-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

Filesize
4KB

Download
memory/4824-2832-0x0000000074E70000-0x0000000075621000-memory.dmp

Filesize
7.7MB

Download
memory/4824-2834-0x0000000074E70000-0x0000000075621000-memory.dmp

Filesize
7.7MB

Download