Analysis
- max time kernel: 136s
- max time network: 140s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:55

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 0ca3b4ee1aa867af5d11353897c29242.exe
  - Resource: win7v20201028 (windows7_x64)
  - 0 signatures, 0 seconds
General
- Target: 0ca3b4ee1aa867af5d11353897c29242.exe
- Size: 2.3MB
- MD5: 0ca3b4ee1aa867af5d11353897c29242
- SHA1: 61208451065c6a91b06db9b3760e9582a4146ae0
- SHA256: 06af9181e00d6d9fcdea30e8895603620d073c841871905ac76bc0cb2f99d096
- SHA512: 59dd9414f5bc51edd8599ad663fcbb0e3779e5d59410e1d9bd0aec1ec233daf7be0c43744965125450ee9c0341c4c40f6cbeaa399f4dcba2fc12b830242f930d
Malware Config (Extracted)
- Family: zloader
- Botnet: bot7
- Campaign: bot7
- C2: https://militanttra.at/owg.php
- rc4.plain
- rsa_pubkey.plain
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
    Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: msiexec.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fove = "C:\\Users\\Admin\\AppData\\Roaming\\Exem\\ryoctu.exe" (process: msiexec.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 0ca3b4ee1aa867af5d11353897c29242.exe
    PID 3936 set thread context of 3948 (pid: 3936, process: 0ca3b4ee1aa867af5d11353897c29242.exe, target process: msiexec.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
    Token: SeSecurityPrivilege (pid: 3948, process: msiexec.exe)
    Token: SeSecurityPrivilege (pid: 3948, process: msiexec.exe)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: 0ca3b4ee1aa867af5d11353897c29242.exe
    PID 3936 wrote to memory of 3948 (pid: 3936, process: 0ca3b4ee1aa867af5d11353897c29242.exe, target process: msiexec.exe), 5 identical entries
Processes (tree)
1. C:\Users\Admin\AppData\Local\Temp\0ca3b4ee1aa867af5d11353897c29242.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0ca3b4ee1aa867af5d11353897c29242.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\msiexec.exe (child of 1)
      Command line: msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken