Analysis

- Max time kernel: 300s
- Max time network: 269s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 03-11-2020 12:42
- Static task: static1
General

- Target: wasm_003892.exe
- Size: 291KB
- MD5: 6d2343d950d09893a1dafda2a7b6bac7
- SHA1: b134043d846cb168949efba262897f0db4d67b03
- SHA256: 4af92f08a32990d91c2628e7a196b98c8361a591ead8785a9bd9985020d9f580
- SHA512: 48bfb460d340570965967e1b897923da81c16460ca3764bb88aac9a97faa90bce6e8a914af233f6cb417ae50f44d9ebeadb255756b7f51328480463143ad41ce
Malware Config

Extracted:
- Family: zloader
- r1
- r1
- URLs:
  - https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php
  - https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php
  - https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php
  - https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php
  - https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php
Signatures

- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
    PID 1588 created 1276 | 1588 | wasm_003892.exe | Explorer.EXE

- Blacklisted process makes network request (23 IoCs)
  Processes (flow | pid | process):
    flows 6, 8-26, 28-30 | 1400 | msiexec.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Modifies service (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | ipconfig.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | ipconfig.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 1588 set thread context of 1400 | 1588 | wasm_003892.exe | msiexec.exe

- Discovers systems in the same network (1 TTP, 2 IoCs)

- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes (pid | process):
    1564 | ipconfig.exe

- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process | count):
    1588 | wasm_003892.exe | 1
    1400 | msiexec.exe | 3

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process | count):
    Token: SeDebugPrivilege | 1588 | wasm_003892.exe | 1
    Token: SeSecurityPrivilege | 1400 | msiexec.exe | 2

- Suspicious use of WriteProcessMemory (45 IoCs)
  Processes (description | pid | process | target process | count):
    PID 1588 wrote to memory of 1400 | 1588 | wasm_003892.exe | msiexec.exe | 9
    PID 1400 wrote to memory of 1452 | 1400 | msiexec.exe | cmd.exe | 4
    PID 1452 wrote to memory of 1564 | 1452 | cmd.exe | ipconfig.exe | 4
    PID 1400 wrote to memory of 1344 | 1400 | msiexec.exe | cmd.exe | 4
    PID 1344 wrote to memory of 1580 | 1344 | cmd.exe | net.exe | 4
    PID 1580 wrote to memory of 1308 | 1580 | net.exe | net1.exe | 4
    PID 1400 wrote to memory of 1952 | 1400 | msiexec.exe | cmd.exe | 4
    PID 1952 wrote to memory of 156 | 1952 | cmd.exe | net.exe | 4
    PID 1400 wrote to memory of 2032 | 1400 | msiexec.exe | cmd.exe | 4
    PID 2032 wrote to memory of 1700 | 2032 | cmd.exe | net.exe | 4
Processes

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\wasm_003892.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\wasm_003892.exe"
    Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: msiexec.exe
    Signatures: Blacklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c ipconfig /all
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /all
        Signatures: Modifies service; Gathers network information
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c net config workstation
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        Command line: net config workstation
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 config workstation
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c net view /all
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        Command line: net view /all
        Signatures: Discovers systems in the same network
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c net view /all /domain
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        Command line: net view /all /domain
        Signatures: Discovers systems in the same network
Downloads

- C:\Users\Admin\AppData\Roaming\Edud
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e