Resubmissions
Date              Task ID            Score
08-12-2023 11:08  231208-m8mdqaba46  10
01-11-2020 09:14  201101-da931xqx5x  10
01-11-2020 08:59  201101-jwsyvmsbls  10

Analysis
max time kernel: 148s
max time network: 152s
platform: windows10_x64
resource: win10v20201028
submitted: 01-11-2020 08:59
Static task: static1
Behavioral task: behavioral1 (sample batman1.exe, resource win7v20201028)
Behavioral task: behavioral2 (sample batman1.exe, resource win10v20201028)
General
Target: batman1.exe
Size: 323KB
MD5: afdf2fbc0756ed304d1a33083a5f2b0f
SHA1: f3a25627f925390097a64a84ef34c952fe8af036
SHA256: a947c216ea52ce23457b3babb1e1eb6275cabe2150d3995553e4de4b8c3d97f4
SHA512: 1c49e53b21c6cebc7a070667aaf05bc89e1a434270208fb61e54c8d74b8f4f3c70c021567d65e1ae024b16bdddb6f89989434075b9a422f2582d82c861b6ccf1
Malware Config
Extracted
Family: zloader
Botnet: TelegramCrypt
Campaign: AntiAMSIdoc
C2:
http://wmwifbajxxbcxmucxmlc.com/post.php
http://pwkqhdgytsshkoibaake.com/post.php
http://snnmnkxdhflwgthqismb.com/post.php
http://iawfqecrwohcxnhwtofa.com/post.php
http://nlbmfsyplohyaicmxhum.com/post.php
http://fvqlkgedqjiqgapudkgq.com/post.php
http://cmmxhurildiigqghlryq.com/post.php
http://nmqsmbiabjdnuushksas.com/post.php
http://fyratyubvflktyyjiqgq.com/post.php
Signatures

Blacklisted process makes network request (1 IoC)
  flow 20  pid 4208  msiexec.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 4756 (batman1.exe) set thread context of PID 4208 (msiexec.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeSecurityPrivilege  pid 4208  msiexec.exe  (2 occurrences)

Suspicious use of WriteProcessMemory (5 IoCs)
  PID 4756 (batman1.exe) wrote to memory of PID 4208 (msiexec.exe)  (5 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\batman1.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\batman1.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\msiexec.exe (child of 1)
      command line: msiexec.exe
      - Blacklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
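The signature and process sections together describe one chain: batman1.exe (PID 4756) wrote to the memory of a child msiexec.exe (PID 4208) five times and set its thread context, after which msiexec.exe, not the original sample, made the network request. That is the shape of process injection into a signed system binary, and it is the chain an analyst wants pulled out of the report automatically rather than read off four separate signature rows. The script below is an added example, not part of the sandbox report or its tooling: it parses the signature rows exactly as rendered above (the constructed input copies them verbatim), correlates WriteProcessMemory and SetThreadContext per source/target pair, attaches the target's later network flows and privilege adjustments, and applies a simple shape check to the extracted C2 hostnames. The set of common injection host binaries and the 16-letter threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed input: the signature rows and the extracted C2 list, copied in
# the form the report renders them (visible page text, not the sandbox's API
# format).
SIGNATURE_LINES = [
    "PID 4756 wrote to memory of 4208 4756 batman1.exe msiexec.exe",
] * 5 + [
    "PID 4756 set thread context of 4208 4756 batman1.exe msiexec.exe",
    "Token: SeSecurityPrivilege 4208 msiexec.exe",
    "Token: SeSecurityPrivilege 4208 msiexec.exe",
    "flow 20 4208 msiexec.exe",
]
C2_URLS = [
    "http://wmwifbajxxbcxmucxmlc.com/post.php",
    "http://pwkqhdgytsshkoibaake.com/post.php",
    "http://snnmnkxdhflwgthqismb.com/post.php",
    "http://iawfqecrwohcxnhwtofa.com/post.php",
    "http://nlbmfsyplohyaicmxhum.com/post.php",
    "http://fvqlkgedqjiqgapudkgq.com/post.php",
    "http://cmmxhurildiigqghlryq.com/post.php",
    "http://nmqsmbiabjdnuushksas.com/post.php",
    "http://fyratyubvflktyyjiqgq.com/post.php",
]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")
FLOW_RE = re.compile(r"flow (\d+) (\d+) (\S+)")

# Signed Windows binaries that are common injection/hollowing hosts. This set
# is an assumption for the example, not something the report states.
INJECT_HOSTS = {"msiexec.exe", "explorer.exe", "svchost.exe", "regsvr32.exe"}


def parse_events(lines):
    """Turn rendered signature rows into event dicts; unknown rows are skipped."""
    events = []
    for line in lines:
        if m := WRITE_RE.match(line):
            events.append({"type": "write", "src": int(m[1]), "dst": int(m[2]),
                           "src_image": m[3], "dst_image": m[4]})
        elif m := CTX_RE.match(line):
            events.append({"type": "setctx", "src": int(m[1]), "dst": int(m[2]),
                           "src_image": m[3], "dst_image": m[4]})
        elif m := TOKEN_RE.match(line):
            events.append({"type": "token", "priv": m[1], "pid": int(m[2]), "image": m[3]})
        elif m := FLOW_RE.match(line):
            events.append({"type": "flow", "flow": int(m[1]), "pid": int(m[2]), "image": m[3]})
    return events


def find_injections(events):
    """Flag every (source, target) pair that received both WriteProcessMemory
    and SetThreadContext, and record what the target did afterwards."""
    pairs = defaultdict(lambda: {"write": 0, "setctx": 0})
    images, flows, privs = {}, defaultdict(list), defaultdict(set)
    for e in events:
        if e["type"] in ("write", "setctx"):
            pairs[(e["src"], e["dst"])][e["type"]] += 1
            images[e["src"]] = e["src_image"]
            images[e["dst"]] = e["dst_image"]
        elif e["type"] == "flow":
            flows[e["pid"]].append(e["flow"])
        elif e["type"] == "token":
            privs[e["pid"]].add(e["priv"])
    findings = []
    for (src, dst), n in pairs.items():
        if n["write"] and n["setctx"]:
            findings.append({
                "source": (src, images[src]),
                "target": (dst, images[dst]),
                "writes": n["write"],
                "target_is_known_host": images[dst].lower() in INJECT_HOSTS,
                "target_flows": flows.get(dst, []),
                "target_privileges": sorted(privs.get(dst, ())),
            })
    return findings


def c2_hosts(urls):
    return [urlparse(u).hostname for u in urls]


def looks_generated(host):
    """Crude shape check: a long, letters-only second-level label, which every
    C2 host in this config has. A heuristic, not a DGA classifier."""
    label = host.split(".")[0]
    return len(label) >= 16 and label.isalpha() and label.islower()


if __name__ == "__main__":
    for f in find_injections(parse_events(SIGNATURE_LINES)):
        src, dst = f["source"], f["target"]
        print(f"{src[1]} ({src[0]}) injected into {dst[1]} ({dst[0]}): "
              f"{f['writes']} writes + SetThreadContext; "
              f"network flows from target: {f['target_flows']}; "
              f"privileges adjusted: {f['target_privileges']}")
    for host in c2_hosts(C2_URLS):
        print(f"{host}: {'generated-looking' if looks_generated(host) else 'ordinary'}")
```

Run against the rows above it yields a single finding: batman1.exe (4756) into msiexec.exe (4208), five writes plus SetThreadContext, with flow 20 and SeSecurityPrivilege attributed to the injected target. Because msiexec.exe here lives under SysWOW64, the injected code is 32-bit; the 208KB dump for PID 4208 in the Downloads section is the region to carve when looking for the unpacked payload.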
Network
MITRE ATT&CK Matrix
Downloads
memory/4208-2-0x0000000000960000-0x0000000000994000-memory.dmp  (208KB)
memory/4208-3-0x0000000000000000-mapping.dmp
memory/4756-0-0x0000000000759000-0x000000000075A000-memory.dmp  (4KB)
memory/4756-1-0x0000000002400000-0x0000000002401000-memory.dmp  (4KB)