Resubmissions
29/10/2020, 16:21   201029-sfamlcy2aj   10
29/10/2020, 16:15   201029-jk9vy2x46s   10
29/10/2020, 15:23   201029-3eee5a1gls   1

Analysis
max time kernel: 289s
max time network: 300s
platform: windows7_x64
resource: win7v20201028
submitted: 29/10/2020, 16:15

Static task: static1
General
Target: ebook_29.10.20.exe
Size: 310KB
MD5: cd1f5e41d727816c6ca5e6c073130df4
SHA1: 5d9a72b2b721aa7834d3f3bb07225ce48d4bc3fb
SHA256: a1297a535f5ac9ca22d8c1200098eb01e16860ef3c840457f98000ac6a5087cc
SHA512: 4f88ce58d61fa0eb4fc8ad2ce068a3044bcc7f205819cab5c39a998147f034869994c849ee022b487d3708d62167cc766d406e4310d301be1e51b1b1a7f3c588
Malware Config
Extracted
Family: zloader
Botnet: r1
Campaign: r1
C2:
- https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php
- https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php
- https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php
- https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php
- https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php
rc4.plain
rsa_pubkey.plain
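The five C2 URLs above use five different domains but one identical gate path. The Python below is an added example, not part of the Triage report or of the zloader sample: it splits the extracted config into host and path indicators, confirms the shared gate path, and runs both against a few constructed proxy log lines so that a rotated domain the config does not yet list still matches on the path. The log format and the host new-rotated-domain.example are assumptions made up for the demo.

```python
from urllib.parse import urlsplit

# C2 URLs as extracted by the sandbox from the zloader config in the report above.
C2_URLS = [
    "https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php",
    "https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php",
    "https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php",
    "https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php",
    "https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php",
]


def split_c2(urls):
    """Return (hosts, paths) as two sets, hosts lower-cased."""
    hosts, paths = set(), set()
    for url in urls:
        parts = urlsplit(url)
        hosts.add((parts.hostname or "").lower())
        paths.add(parts.path)
    return hosts, paths


def common_gate_path(urls):
    """The gate path every C2 URL shares, or None if the list disagrees.

    The five domains differ but the path does not; a path indicator
    survives domain rotation, so it is worth carrying separately.
    """
    _, paths = split_c2(urls)
    return next(iter(paths)) if len(paths) == 1 else None


# Constructed proxy log lines for the demo (not taken from the report):
# "<client> <method> <target> [status]". The host new-rotated-domain.example
# is invented to stand in for a C2 domain that is not yet on the list.
SAMPLE_PROXY_LOG = """\
10.0.0.7 CONNECT notsweets.net:443
10.0.0.7 POST https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php 200
10.0.0.9 GET https://example.org/index.html 200
10.0.0.12 POST https://new-rotated-domain.example/LKhwojehDgwegSDG/gateJKjdsh.php 200
10.0.0.3 GET https://olpons.com/favicon.ico 404
"""


def match_proxy_log(log_text, urls=C2_URLS):
    """Return (client, host, reasons) for every line touching a C2 host or path.

    CONNECT lines only expose the host; plain-URL lines are matched on host
    and on path independently so a rotated domain still trips on the path.
    """
    hosts, paths = split_c2(urls)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        client, method, target = fields[0], fields[1], fields[2]
        if method == "CONNECT":
            host, path = target.rsplit(":", 1)[0].lower(), ""
        else:
            parts = urlsplit(target)
            host, path = (parts.hostname or "").lower(), parts.path
        reasons = []
        if host in hosts:
            reasons.append("c2-host")
        if path and path in paths:
            reasons.append("c2-path")
        if reasons:
            hits.append((client, host, reasons))
    return hits


if __name__ == "__main__":
    print("gate path:", common_gate_path(C2_URLS))
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Against TLS-intercepted or plain HTTP logs the path match is the durable half of the indicator; against CONNECT-only logs, only the hosts are usable and the list has to be refreshed from later configs.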
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description             pid   Process              procid_target
PID 292 created 1244    292   ebook_29.10.20.exe   21

Suspicious use of SetThreadContext (1 IoC)
description                           pid   Process              procid_target
PID 292 set thread context of 1376    292   ebook_29.10.20.exe   29

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid   Process
292   ebook_29.10.20.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description                pid   Process
Token: SeDebugPrivilege    292   ebook_29.10.20.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                        pid   Process              procid_target
PID 292 wrote to memory of 1376    292   ebook_29.10.20.exe   29
(9 identical rows)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1244

  C:\Users\Admin\AppData\Local\Temp\ebook_29.10.20.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ebook_29.10.20.exe"
    PID: 292
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\msiexec.exe
    command line: msiexec.exe
    PID: 1376

Note that msiexec.exe (PID 1376) sits beside the sample under Explorer.EXE (PID 1244) rather than under the sample itself, even though the signatures above attribute the nine memory writes and the thread-context change on PID 1376 to PID 292 and record PID 292 creating a process under another parent. The tree reflects that spoofed parent. A fresh 32-bit msiexec.exe that is written into and then has a thread context replaced by its real creator is the sequence expected of process hollowing, so PID 1376 is the process to dump for the injected payload rather than the on-disk ebook_29.10.20.exe alone.
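The three signatures that matter here (creation under another parent, WriteProcessMemory into PID 1376 nine times, SetThreadContext on PID 1376) only become an alert once they are tied to the same source and target and seen in order. The Python below is an added example, not part of the Triage report: it correlates a constructed event stream that mirrors the PIDs recorded above (292, 1244, 1376) into a single finding, and reports whether the create event's recorded parent differs from the real creator. The event field names are assumptions for the demo, not a Triage or Sysmon schema.

```python
from collections import defaultdict

# Constructed event stream (not from the report) that mirrors the PIDs the
# sandbox recorded: 292 = ebook_29.10.20.exe, 1244 = Explorer.EXE,
# 1376 = msiexec.exe. Field names (creator/parent/source/target) are
# assumptions for this demo, not a Triage or Sysmon schema.
EVENTS = [
    {"type": "process_create", "creator": 292, "parent": 1244, "pid": 1376,
     "image": r"C:\Windows\SysWOW64\msiexec.exe"},
    *[{"type": "write_memory", "source": 292, "target": 1376} for _ in range(9)],
    {"type": "set_thread_context", "source": 292, "target": 1376},
    # benign control: a process that creates a child normally and never touches it
    {"type": "process_create", "creator": 2000, "parent": 2000, "pid": 2010,
     "image": r"C:\Windows\System32\notepad.exe"},
]


def detect_hollowing(events):
    """Flag (source, target) pairs where the same source created the target,
    wrote into it, and then changed one of its threads' context, in that order.

    The parent recorded on the create event is compared with the actual
    creator; a mismatch is the parent spoofing that Triage reports as
    NtCreateUserProcessOtherParentProcess.
    """
    created = {}                 # target pid -> its process_create event
    writes = defaultdict(int)    # (source, target) -> writes seen so far
    findings = []
    for event in events:
        kind = event["type"]
        if kind == "process_create":
            created[event["pid"]] = event
        elif kind == "write_memory":
            # only count writes into a process whose creation we observed
            if event["target"] in created:
                writes[(event["source"], event["target"])] += 1
        elif kind == "set_thread_context":
            key = (event["source"], event["target"])
            create = created.get(event["target"])
            # context change without prior writes is not the hollowing sequence
            if create is not None and writes[key] > 0:
                findings.append({
                    "source": key[0],
                    "target": key[1],
                    "image": create["image"],
                    "writes": writes[key],
                    "parent_spoofed": create["creator"] != create["parent"],
                    "claimed_parent": create["parent"],
                })
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(EVENTS):
        print(finding)
```

Requiring the create, the writes and the context change to come from one source PID is what keeps legitimate debuggers and installers, which do one of these at a time, out of the result; the parent_spoofed flag is the extra signal that the process tree alone hides.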