Analysis
- max time kernel: 58s
- max time network: 8s
- platform: windows7_x64
- resource: win7v200722
- submitted: 13-10-2020 21:45
- Static task: static1
- Behavioral task: behavioral2
- Sample: File2.exe
- Resource: win10v200722
General
- Target: File2.exe
- Size: 210KB
- MD5: 12368655038e920cb2ada7d34fac40dd
- SHA1: fca002da98c91b019a3fab4639a4b6e4d0de43d7
- SHA256: 9f654fe304bd80d1114c515362319c59bc569a54cb445aacdf47672d56815da1
- SHA512: caa8e284640c31ad4c7b86945a71ad46aa2eb8bb7e47358b67b5fa575cac2894ad5d8d41e26a7782d7e080d8126c2c377e7bcc8e3ff2f5785c9c60119c519d0e
Malware Config
Extracted
- Family: zloader
- r1
- r1
- C2 URLs:
  https://freebreez.com/LKhwojehDgwegSDG/gateJKjdsh.php
  https://makaronz.com/LKhwojehDgwegSDG/gateJKjdsh.php
  https://ricklick.com/LKhwojehDgwegSDG/gateJKjdsh.php
  https://litlblockblack.com/LKhwojehDgwegSDG/gateJKjdsh.php
  https://vaktorianpackif.com/LKhwojehDgwegSDG/gateJKjdsh.php
  https://hbamefphmqsdgkqojgwe.com/LKhwojehDgwegSDG/gateJKjdsh.php
  https://hoxfqvlgoabyfspvjimc.com/LKhwojehDgwegSDG/gateJKjdsh.php
  https://yrsfuaegsevyffrfsgpj.com/LKhwojehDgwegSDG/gateJKjdsh.php
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
    description             pid   process    target process
    PID 1060 created 1256   1060  File2.exe  Explorer.EXE
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process    target process
    PID 1060 set thread context of 1604  1060  File2.exe  msiexec.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    1060  File2.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                 pid   process
    Token: SeDebugPrivilege     1060  File2.exe
    Token: SeSecurityPrivilege  1604  msiexec.exe
    Token: SeSecurityPrivilege  1604  msiexec.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (the same row is recorded 9 times):
    description                         pid   process    target process
    PID 1060 wrote to memory of 1604    1060  File2.exe  msiexec.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
- C:\Users\Admin\AppData\Local\Temp\File2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\File2.exe"
  Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\msiexec.exe
  Command line: msiexec.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1060-0-0x000000000030B000-0x000000000030C000-memory.dmp (Filesize: 4KB)
- memory/1060-1-0x0000000002180000-0x0000000002191000-memory.dmp (Filesize: 68KB)
- memory/1604-2-0x00000000000B0000-0x00000000000DD000-memory.dmp (Filesize: 180KB)
- memory/1604-3-0x00000000000E0000-0x00000000000E1000-memory.dmp (Filesize: 4KB)
- memory/1604-4-0x00000000000B0000-0x00000000000DD000-memory.dmp (Filesize: 180KB)
- memory/1604-5-0x0000000000000000-mapping.dmp