Analysis
max time kernel: 65s
max time network: 124s
platform: windows10_x64
resource: win10v20201028
submitted: 03-11-2020 19:44
Static task: static1
Behavioral task: behavioral1
  Sample: home.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: home.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: home.exe
Size: 675KB
MD5: 7f82baf6acac3e3082e2c22c657e8c0c
SHA1: 0b950d2be03ca5ab99c81cc629c434e980cd167a
SHA256: 57b1478167911e633c9480852e6e8e87691c9f8a31201fbd25a70ab42c07808c
SHA512: 83e1b81eed8656a56c8ff7b9f6e32c03a45e9518b9144d1fe7eda57ecc9898d3dcfeb703d195a4d9e3578ace25085764cf3ce9da68915273fcea0181866e9e61
Score: 10/10
Malware Config
Signatures
BazarBackdoor (6 IoCs)
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
Processes:
  description | flow | ioc
  HTTP URL | 47 | https://ukmedm.com/6ea5901ae1272735f9e012d6c17ecc4d/4
  HTTP URL | 48 | https://ukmedm.com/6ea5901ae1272735f9e012d6c17ecc4d/2
  HTTP URL | 41 | https://hotelmonteleone.com/6ea5901ae1272735f9e012d6c17ecc4d/4
  HTTP URL | 43 | https://lukeschicago.com/6ea5901ae1272735f9e012d6c17ecc4d/4
  HTTP URL | 45 | https://ukmedm.com/6ea5901ae1272735f9e012d6c17ecc4d/4
  HTTP URL | 46 | https://ukmedm.com/6ea5901ae1272735f9e012d6c17ecc4d/4
Blacklisted process makes network request (6 IoCs)
Processes: cmd.exe
  flow | pid | process
  41 | 188 | cmd.exe
  43 | 188 | cmd.exe
  45 | 188 | cmd.exe
  46 | 188 | cmd.exe
  47 | 188 | cmd.exe
  48 | 188 | cmd.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: home.exe
  description | pid | process | target process
  PID 412 set thread context of 188 | 412 | home.exe | cmd.exe
Suspicious use of WriteProcessMemory (851 IoCs)
Processes: home.exe
  description | pid | process | target process
  PID 412 wrote to memory of 188 | 412 | home.exe | cmd.exe
  (the same row is repeated for every IoC listed on the page)
Processes
C:\Users\Admin\AppData\Local\Temp\home.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\home.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (depth 2)
    Command line: C:\Windows\System32\cmd.exe
    - Blacklisted process makes network request
C:\Users\Admin\AppData\Local\Temp\home.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\home.exe 340944805
Network
MITRE ATT&CK Matrix
Downloads
memory/188-5-0x00007FF60071DA28-mapping.dmp
memory/188-4-0x00007FF600700000-0x00007FF600744000-memory.dmp (filesize 272KB)
memory/188-6-0x00007FF600700000-0x00007FF600744000-memory.dmp (filesize 272KB)
memory/412-0-0x0000000001FC0000-0x0000000001FEC000-memory.dmp (filesize 176KB)
memory/412-1-0x0000000001FF0000-0x000000000201C000-memory.dmp (filesize 176KB)
memory/3716-3-0x0000000001FD0000-0x0000000001FFC000-memory.dmp (filesize 176KB)