Resubmissions
29-10-2020 16:21
201029-sfamlcy2aj 1029-10-2020 16:15
201029-jk9vy2x46s 1029-10-2020 15:23
201029-3eee5a1gls 1Analysis
-
max time kernel
600s -
max time network
590s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
29-10-2020 16:21
Static task
static1
General
-
Target
ebook_29.10.20.exe
-
Size
310KB
-
MD5
cd1f5e41d727816c6ca5e6c073130df4
-
SHA1
5d9a72b2b721aa7834d3f3bb07225ce48d4bc3fb
-
SHA256
a1297a535f5ac9ca22d8c1200098eb01e16860ef3c840457f98000ac6a5087cc
-
SHA512
4f88ce58d61fa0eb4fc8ad2ce068a3044bcc7f205819cab5c39a998147f034869994c849ee022b487d3708d62167cc766d406e4310d301be1e51b1b1a7f3c588
Malware Config
Extracted
Family
zloader
Botnet
r1
Campaign
r1
C2
https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php
https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php
https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php
https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php
https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php
rc4.plain
rsa_pubkey.plain
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
ebook_29.10.20.exedescription pid process target process PID 1032 created 1216 1032 ebook_29.10.20.exe Explorer.EXE -
Blacklisted process makes network request 36 IoCs
Processes:
msiexec.exeflow pid process 6 1544 msiexec.exe 8 1544 msiexec.exe 9 1544 msiexec.exe 10 1544 msiexec.exe 11 1544 msiexec.exe 12 1544 msiexec.exe 13 1544 msiexec.exe 14 1544 msiexec.exe 15 1544 msiexec.exe 16 1544 msiexec.exe 17 1544 msiexec.exe 18 1544 msiexec.exe 19 1544 msiexec.exe 20 1544 msiexec.exe 21 1544 msiexec.exe 22 1544 msiexec.exe 23 1544 msiexec.exe 24 1544 msiexec.exe 25 1544 msiexec.exe 26 1544 msiexec.exe 27 1544 msiexec.exe 29 1544 msiexec.exe 30 1544 msiexec.exe 31 1544 msiexec.exe 32 1544 msiexec.exe 33 1544 msiexec.exe 34 1544 msiexec.exe 35 1544 msiexec.exe 36 1544 msiexec.exe 37 1544 msiexec.exe 38 1544 msiexec.exe 39 1544 msiexec.exe 40 1544 msiexec.exe 42 1544 msiexec.exe 43 1544 msiexec.exe 44 1544 msiexec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Modifies service 2 TTPs 2 IoCs
Processes:
ipconfig.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas ipconfig.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs ipconfig.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ebook_29.10.20.exedescription pid process target process PID 1032 set thread context of 1544 1032 ebook_29.10.20.exe msiexec.exe -
Discovers systems in the same network 1 TTPs 2 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid process 1744 ipconfig.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
ebook_29.10.20.exemsiexec.exepid process 1032 ebook_29.10.20.exe 1544 msiexec.exe 1544 msiexec.exe 1544 msiexec.exe 1544 msiexec.exe 1544 msiexec.exe 1544 msiexec.exe 1544 msiexec.exe 1544 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
ebook_29.10.20.exemsiexec.exedescription pid process Token: SeDebugPrivilege 1032 ebook_29.10.20.exe Token: SeSecurityPrivilege 1544 msiexec.exe Token: SeSecurityPrivilege 1544 msiexec.exe -
Suspicious use of WriteProcessMemory 45 IoCs
Processes:
ebook_29.10.20.exemsiexec.execmd.execmd.exenet.execmd.execmd.exedescription pid process target process PID 1032 wrote to memory of 1544 1032 ebook_29.10.20.exe msiexec.exe PID 1032 wrote to memory of 1544 1032 ebook_29.10.20.exe msiexec.exe PID 1032 wrote to memory of 1544 1032 ebook_29.10.20.exe msiexec.exe PID 1032 wrote to memory of 1544 1032 ebook_29.10.20.exe msiexec.exe PID 1032 wrote to memory of 1544 1032 ebook_29.10.20.exe msiexec.exe PID 1032 wrote to memory of 1544 1032 ebook_29.10.20.exe msiexec.exe PID 1032 wrote to memory of 1544 1032 ebook_29.10.20.exe msiexec.exe PID 1032 wrote to memory of 1544 1032 ebook_29.10.20.exe msiexec.exe PID 1032 wrote to memory of 1544 1032 ebook_29.10.20.exe msiexec.exe PID 1544 wrote to memory of 1380 1544 msiexec.exe cmd.exe PID 1544 wrote to memory of 1380 1544 msiexec.exe cmd.exe PID 1544 wrote to memory of 1380 1544 msiexec.exe cmd.exe PID 1544 wrote to memory of 1380 1544 msiexec.exe cmd.exe PID 1380 wrote to memory of 1744 1380 cmd.exe ipconfig.exe PID 1380 wrote to memory of 1744 1380 cmd.exe ipconfig.exe PID 1380 wrote to memory of 1744 1380 cmd.exe ipconfig.exe PID 1380 wrote to memory of 1744 1380 cmd.exe ipconfig.exe PID 1544 wrote to memory of 2020 1544 msiexec.exe cmd.exe PID 1544 wrote to memory of 2020 1544 msiexec.exe cmd.exe PID 1544 wrote to memory of 2020 1544 msiexec.exe cmd.exe PID 1544 wrote to memory of 2020 1544 msiexec.exe cmd.exe PID 2020 wrote to memory of 1884 2020 cmd.exe net.exe PID 2020 wrote to memory of 1884 2020 cmd.exe net.exe PID 2020 wrote to memory of 1884 2020 cmd.exe net.exe PID 2020 wrote to memory of 1884 2020 cmd.exe net.exe PID 1884 wrote to memory of 2000 1884 net.exe net1.exe PID 1884 wrote to memory of 2000 1884 net.exe net1.exe PID 1884 wrote to memory of 2000 1884 net.exe net1.exe PID 1884 wrote to memory of 2000 1884 net.exe net1.exe PID 1544 wrote to memory of 604 1544 msiexec.exe cmd.exe PID 1544 wrote to memory of 604 1544 msiexec.exe cmd.exe PID 1544 wrote to memory of 604 1544 msiexec.exe cmd.exe PID 1544 wrote to memory of 604 1544 msiexec.exe cmd.exe PID 604 wrote to memory of 1344 604 cmd.exe net.exe PID 604 wrote to memory of 1344 604 cmd.exe net.exe PID 604 wrote to memory of 1344 604 cmd.exe net.exe PID 604 wrote to memory of 1344 604 cmd.exe net.exe PID 1544 wrote to memory of 1832 1544 msiexec.exe cmd.exe PID 1544 wrote to memory of 1832 1544 msiexec.exe cmd.exe PID 1544 wrote to memory of 1832 1544 msiexec.exe cmd.exe PID 1544 wrote to memory of 1832 1544 msiexec.exe cmd.exe PID 1832 wrote to memory of 1656 1832 cmd.exe net.exe PID 1832 wrote to memory of 1656 1832 cmd.exe net.exe PID 1832 wrote to memory of 1656 1832 cmd.exe net.exe PID 1832 wrote to memory of 1656 1832 cmd.exe net.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
-
C:\Users\Admin\AppData\Local\Temp\ebook_29.10.20.exe"C:\Users\Admin\AppData\Local\Temp\ebook_29.10.20.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ipconfig /all
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all
- Modifies service
- Gathers network information
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net config workstation
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet config workstation
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 config workstation
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net view /all
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet view /all
- Discovers systems in the same network
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net view /all /domain
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet view /all /domain
- Discovers systems in the same network
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\AtepbMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/604-16-0x0000000000000000-mapping.dmp
-
memory/1032-1-0x0000000001F20000-0x0000000001F31000-memory.dmpFilesize
68KB
-
memory/1032-2-0x0000000001F20000-0x0000000001F31000-memory.dmpFilesize
68KB
-
memory/1032-0-0x000000000030B000-0x000000000030C000-memory.dmpFilesize
4KB
-
memory/1344-17-0x0000000000000000-mapping.dmp
-
memory/1380-11-0x0000000000000000-mapping.dmp
-
memory/1484-10-0x000007FEF71F0000-0x000007FEF746A000-memory.dmpFilesize
2MB
-
memory/1544-5-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB
-
memory/1544-8-0x0000000000000000-mapping.dmp
-
memory/1544-7-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB
-
memory/1544-6-0x00000000000C0000-0x00000000000C1000-memory.dmpFilesize
4KB
-
memory/1544-20-0x00000000055C0000-0x000000000579B000-memory.dmpFilesize
1MB
-
memory/1656-19-0x0000000000000000-mapping.dmp
-
memory/1744-12-0x0000000000000000-mapping.dmp
-
memory/1832-18-0x0000000000000000-mapping.dmp
-
memory/1884-14-0x0000000000000000-mapping.dmp
-
memory/2000-15-0x0000000000000000-mapping.dmp
-
memory/2020-13-0x0000000000000000-mapping.dmp