Analysis

- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 18:44
Static task: static1

Behavioral tasks (sample, resource):
- behavioral1: Bypass-Tools/CGWebInstall2.exe, win7-20240611-en
- behavioral2: Bypass-Tools/CGWebInstall2.exe, win10v2004-20240611-en
- behavioral3: Bypass-Tools/GPass-4.1.02.exe, win7-20240508-en
- behavioral4: Bypass-Tools/GPass-4.1.02.exe, win10v2004-20240508-en
- behavioral5: Bypass-Tools/U952.exe, win7-20240508-en
- behavioral6: Bypass-Tools/U952.exe, win10v2004-20240611-en
- behavioral7: Bypass-Tools/fg679p2.exe, win7-20240508-en
- behavioral8: Bypass-Tools/fg679p2.exe, win10v2004-20240611-en
General

- Target: Bypass-Tools/U952.exe
- Size: 481KB
- MD5: bb621c35f2bccc16874fdbeb4bb3fe91
- SHA1: d68138e1183320e08baa42c7e7b9f57ea868cb3d
- SHA256: cbc3ba3c40a9c28ac01792fbf06256176bdfbcd9bcc11963d3bc44528924a4a3
- SHA512: 9c0a5a77a9a2d001cc94e94b710e14a88f60f34f940a21e30655703133cf187111243a75f8e315445b20ef23a1d2a8cffde70c6b7638b7fe488c6426093d2a99
- SSDEEP: 12288:+YSoGZKu26s2vEZZH+MJyVg5Qy5sZ0kVd3dffu:R3GZKu2N2vEZZH+MUVqjyZFNfu
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1752 U95.exe
- Loads dropped DLL (2 IoCs)
  Processes: pid 2972 U952.exe (2 entries)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Unexpected DNS network traffic destination (9 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- YARA rule match: vmprotect
  Resources:
  - \Users\Admin\AppData\Local\Temp\U95.exe
  - behavioral5/memory/2972-8-0x0000000002720000-0x0000000002835000-memory.dmp
  - behavioral5/memory/1752-11-0x0000000000400000-0x0000000000515000-memory.dmp
  - behavioral5/memory/1752-12-0x0000000000400000-0x0000000000515000-memory.dmp
  - behavioral5/memory/1752-25-0x0000000000400000-0x0000000000515000-memory.dmp
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: U95.exe opened \??\PhysicalDrive0 for modification
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (33 IoCs)
  Processes: pid 1752 U95.exe (33 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 2972 (U952.exe) wrote to memory of PID 1752 (U95.exe) (4 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\Bypass-Tools\U952.exe, command line "C:\Users\Admin\AppData\Local\Temp\Bypass-Tools\U952.exe" (depth 1)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\U95.exe, command line "C:\Users\Admin\AppData\Local\Temp\U95.exe" (depth 2, child of U952.exe)
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
Downloads

- \Users\Admin\AppData\Local\Temp\U95.exe
  - Filesize: 456KB
  - MD5: 88a02758a8359def232956ef028b2b77
  - SHA1: dd1fccb97d90f4aa00a2bed174dba1e4d9e87df4
  - SHA256: 82fdfd5ae773400174f6ef910f63fb322dde38cc9ae39d1d009466bf28d4e0ff
  - SHA512: 17c304840389e650479b9877882b955d7491c6a9b502b7957782f86c01c8b55c2e8435c8a6f0d353c8c166ecc98aa7435690e243631b9f9c64eabcf5da6b69dc
- memory/1752-11-0x0000000000400000-0x0000000000515000-memory.dmp (Filesize: 1.1MB)
- memory/1752-12-0x0000000000400000-0x0000000000515000-memory.dmp (Filesize: 1.1MB)
- memory/1752-25-0x0000000000400000-0x0000000000515000-memory.dmp (Filesize: 1.1MB)
- memory/2972-9-0x0000000002720000-0x0000000002835000-memory.dmp (Filesize: 1.1MB)
- memory/2972-8-0x0000000002720000-0x0000000002835000-memory.dmp (Filesize: 1.1MB)