Analysis
- max time kernel: 53s
- max time network: 110s
- platform: windows10_x64
- resource: win10v200722
- submitted: 13-10-2020 21:44

Static task: static1
Behavioral task: behavioral1
- Sample: File2.exe
- Resource: win7
General
- Target: File2.exe
- Size: 210KB
- MD5: 12368655038e920cb2ada7d34fac40dd
- SHA1: fca002da98c91b019a3fab4639a4b6e4d0de43d7
- SHA256: 9f654fe304bd80d1114c515362319c59bc569a54cb445aacdf47672d56815da1
- SHA512: caa8e284640c31ad4c7b86945a71ad46aa2eb8bb7e47358b67b5fa575cac2894ad5d8d41e26a7782d7e080d8126c2c377e7bcc8e3ff2f5785c9c60119c519d0e
Malware Config
Extracted
zloader
r1
r1
https://freebreez.com/LKhwojehDgwegSDG/gateJKjdsh.php
https://makaronz.com/LKhwojehDgwegSDG/gateJKjdsh.php
https://ricklick.com/LKhwojehDgwegSDG/gateJKjdsh.php
https://litlblockblack.com/LKhwojehDgwegSDG/gateJKjdsh.php
https://vaktorianpackif.com/LKhwojehDgwegSDG/gateJKjdsh.php
https://hbamefphmqsdgkqojgwe.com/LKhwojehDgwegSDG/gateJKjdsh.php
https://hoxfqvlgoabyfspvjimc.com/LKhwojehDgwegSDG/gateJKjdsh.php
https://yrsfuaegsevyffrfsgpj.com/LKhwojehDgwegSDG/gateJKjdsh.php
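The eight gate URLs in the extracted config share one URI path and differ only in domain, which is the usual ZLoader layout: the domains rotate between builds, the gate path is the more durable indicator. The script below is an added example (not part of the sandbox report and not ZLoader code) that turns that list into a domain blocklist and Suricata rules. The URL list is copied from the section above; the rule message text and the sid range 9000001+ are assumptions.

```python
"""Turn the ZLoader C2 gate URLs extracted above into network indicators.

Added example (not part of the sandbox report or of ZLoader itself). The URL
list is copied from the "Malware Config / Extracted" section; the rule
message text and the sid range are assumptions, adjust them for your sensor.
"""
from urllib.parse import urlparse

ZLOADER_GATES = [
    "https://freebreez.com/LKhwojehDgwegSDG/gateJKjdsh.php",
    "https://makaronz.com/LKhwojehDgwegSDG/gateJKjdsh.php",
    "https://ricklick.com/LKhwojehDgwegSDG/gateJKjdsh.php",
    "https://litlblockblack.com/LKhwojehDgwegSDG/gateJKjdsh.php",
    "https://vaktorianpackif.com/LKhwojehDgwegSDG/gateJKjdsh.php",
    "https://hbamefphmqsdgkqojgwe.com/LKhwojehDgwegSDG/gateJKjdsh.php",
    "https://hoxfqvlgoabyfspvjimc.com/LKhwojehDgwegSDG/gateJKjdsh.php",
    "https://yrsfuaegsevyffrfsgpj.com/LKhwojehDgwegSDG/gateJKjdsh.php",
]


def c2_domains(urls=ZLOADER_GATES):
    """Unique C2 hostnames in first-seen order, for a DNS sinkhole or proxy blocklist."""
    seen = []
    for url in urls:
        host = urlparse(url).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def gate_paths(urls=ZLOADER_GATES):
    """Distinct URI paths. This config reuses one gate path across every domain."""
    return sorted({urlparse(url).path for url in urls})


def suricata_rules(urls=ZLOADER_GATES, sid_base=9000001):
    """Build Suricata rules: one tls.sni rule per C2 domain (fires on the TLS
    handshake, so it works without decryption) and one http.uri rule per gate
    path (only useful where a proxy terminates TLS in front of the sensor,
    since the gates above are all https://). sid_base is an assumed local range."""
    rules = []
    sid = sid_base
    for host in c2_domains(urls):
        rules.append(
            'alert tls any any -> any any (msg:"ZLoader C2 domain in TLS SNI"; '
            f'tls.sni; content:"{host}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
        sid += 1
    for path in gate_paths(urls):
        rules.append(
            'alert http any any -> any any (msg:"ZLoader C2 gate request"; '
            f'flow:established,to_server; http.uri; content:"{path}"; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


def matches_gate(url, urls=ZLOADER_GATES):
    """True if url points at a known gate (same host and path). Scheme, port and
    query string are ignored so plain-http probes and appended parameters match."""
    probe = urlparse(url)
    known = {(urlparse(u).hostname, urlparse(u).path) for u in urls}
    return (probe.hostname, probe.path) in known


if __name__ == "__main__":
    print("\n".join(c2_domains()))
    print("\n".join(suricata_rules()))
```

Because every gate here is served over HTTPS, the SNI rules are the ones that will actually fire on a passive sensor; the http.uri rule is worth loading only behind a TLS-terminating proxy, and a DNS log search for the domains is the cheapest retroactive check.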
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
  description             | pid  | process   | target process
  PID 3056 created 2940   | 3056 | File2.exe | Explorer.EXE
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                           | pid  | process   | target process
  PID 3056 set thread context of 3436   | 3056 | File2.exe | msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid  | process
  3056 | File2.exe
  3056 | File2.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                  | pid  | process
  Token: SeDebugPrivilege      | 3056 | File2.exe
  Token: SeSecurityPrivilege   | 3436 | msiexec.exe
  Token: SeSecurityPrivilege   | 3436 | msiexec.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description                        | pid  | process   | target process
  PID 3056 wrote to memory of 3436   | 3056 | File2.exe | msiexec.exe
  PID 3056 wrote to memory of 3436   | 3056 | File2.exe | msiexec.exe
  PID 3056 wrote to memory of 3436   | 3056 | File2.exe | msiexec.exe
  PID 3056 wrote to memory of 3436   | 3056 | File2.exe | msiexec.exe
  PID 3056 wrote to memory of 3436   | 3056 | File2.exe | msiexec.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\File2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\File2.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: msiexec.exe
    - Suspicious use of AdjustPrivilegeToken
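Read together, the signature tables and the process tree describe one chain: File2.exe enables SeDebugPrivilege, enumerates processes, starts C:\Windows\SysWOW64\msiexec.exe with a bare command line so that it appears under Explorer.EXE rather than under itself, then writes to the new process five times and sets its thread context. That is the write-then-redirect sequence of process hollowing, with the parent relationship spoofed so the tree looks benign. The script below is an added example (not sandbox output and not ZLoader code) that correlates process-creation records with API-trace records into that verdict. The PIDs and image paths mirror the report; the record layout, the `creator_pid` field and the benign comparison event are assumptions constructed for the example.

```python
"""Correlate process-creation and API-trace records into the injection pattern
the signatures above attribute to File2.exe -> msiexec.exe.

Added example with constructed input; it is not sandbox output and not ZLoader
code. PIDs and images mirror the report's process tree; the field names and
the event records themselves are assumptions.
"""
import ntpath
from collections import defaultdict

# Constructed process-creation records. parent_pid is the parent the new
# process reports (what Sysmon event 1 shows); creator_pid is the PID that
# actually called the create-process API (what a kernel/ETW trace or a
# sandbox hook shows). They differ when the parent was spoofed.
PROCESS_EVENTS = [
    {"pid": 2940, "image": "C:\\Windows\\Explorer.EXE",
     "cmdline": "C:\\Windows\\Explorer.EXE", "parent_pid": 1000, "creator_pid": 1000},
    {"pid": 3056, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\File2.exe",
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\File2.exe"',
     "parent_pid": 2940, "creator_pid": 2940},
    {"pid": 3436, "image": "C:\\Windows\\SysWOW64\\msiexec.exe",
     "cmdline": "msiexec.exe", "parent_pid": 2940, "creator_pid": 3056},
    # Benign comparison (constructed): an installer Explorer really launched.
    {"pid": 4100, "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": 'msiexec.exe /i "C:\\Users\\Admin\\Downloads\\tool.msi"',
     "parent_pid": 2940, "creator_pid": 2940},
]

# Constructed API-trace records in the shape of the report's signature tables.
API_EVENTS = [
    {"api": "WriteProcessMemory", "pid": 3056, "target": 3436},
    {"api": "WriteProcessMemory", "pid": 3056, "target": 3436},
    {"api": "SetThreadContext", "pid": 3056, "target": 3436},
]


def spoofed_parent(ev):
    """Parent PID spoofing: the reported parent is not the process that made the call."""
    return ev["creator_pid"] != ev["parent_pid"]


def bare_system_binary(ev):
    """Weak indicator: a Windows binary launched with nothing but its own name.
    A hollowing host is often started this way because its own code never runs."""
    image = ev["image"].lower()
    in_windows = image.startswith("c:\\windows\\system32\\") or image.startswith("c:\\windows\\syswow64\\")
    return in_windows and ev["cmdline"].strip().lower() == ntpath.basename(image)


def hollowing_candidates(proc_events=PROCESS_EVENTS, api_events=API_EVENTS):
    """Return {pid: finding} for processes whose real creator both wrote into
    them and set a thread context (the WriteProcessMemory + SetThreadContext
    sequence in the report), annotated with the parentage indicators above."""
    wrote = defaultdict(set)
    set_ctx = defaultdict(set)
    for a in api_events:
        if a["api"] in ("WriteProcessMemory", "NtWriteVirtualMemory"):
            wrote[a["target"]].add(a["pid"])
        elif a["api"] in ("SetThreadContext", "NtSetContextThread"):
            set_ctx[a["target"]].add(a["pid"])

    findings = {}
    for ev in proc_events:
        creator = ev["creator_pid"]
        if not (creator in wrote[ev["pid"]] and creator in set_ctx[ev["pid"]]):
            continue  # odd parentage alone is not injection evidence
        reasons = ["creator wrote to process memory", "creator set thread context"]
        if spoofed_parent(ev):
            reasons.append("parent PID spoofed (reported parent %d, creator %d)"
                           % (ev["parent_pid"], creator))
        if bare_system_binary(ev):
            reasons.append("system binary launched with bare command line")
        findings[ev["pid"]] = {"image": ev["image"], "creator": creator, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, finding in hollowing_candidates().items():
        print(pid, finding["image"], "<-", finding["creator"], finding["reasons"])
```

The caveat for production use is the `creator_pid` field: Sysmon event 1 records the spoofed parent as the parent, so on a host the real creator has to come from a kernel or ETW process-start source, and without it only the memory-write and thread-context telemetry (Sysmon events 8 and 10 are the usual substitutes) remain to carry the detection.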
Network
MITRE ATT&CK Matrix
Downloads
- memory/3056-0-0x0000000000A16000-0x0000000000A17000-memory.dmp (filesize 4KB)
- memory/3056-1-0x0000000002680000-0x0000000002681000-memory.dmp (filesize 4KB)
- memory/3436-3-0x0000000000B60000-0x0000000000B8D000-memory.dmp (filesize 180KB)
- memory/3436-4-0x0000000000000000-mapping.dmp