Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:39

Static task: static1
Behavioral task: behavioral1
- Sample: gbs.dll
- Resource: win7v20201028
- Platform: windows7_x64
- 0 signatures, 0 seconds
General
- Target: gbs.dll
- Size: 490KB
- MD5: bede6db9d5f81e96c963798aa4effd8e
- SHA1: d98f97ad168f686b54a7631a2c6f87690e3bafa3
- SHA256: 77df6d4908673af83901b67e730abd9a871ee86f7cda058ae25221056cec771e
- SHA512: 3b4d89bd72b9d0e88171342e8896555720726f11dd83f60b850e811fa7b9f0e86e7b114bfa4d376e3053cea50d323b94cf1a8c6a6f83c60dc5234967ce6b6564
Malware Config
Extracted:
- Family: zloader
- Botnet: bot5
- Campaign: bot5
- C2: https://militanttra.at/owg.php
- rc4.plain
- rsa_pubkey.plain
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Iqko = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Faede\\idem.dll" | msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 1584 set thread context of 580 | 1584 | rundll32.exe | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  description | pid | process
  Token: SeSecurityPrivilege | 580 | msiexec.exe
  Token: SeSecurityPrivilege | 580 | msiexec.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 844 wrote to memory of 1584 | 844 | rundll32.exe | rundll32.exe (7 identical entries)
  PID 1584 wrote to memory of 580 | 1584 | rundll32.exe | msiexec.exe (9 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\gbs.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\gbs.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/560-5-0x000007FEF81B0000-0x000007FEF842A000-memory.dmp (2.5MB)
- memory/580-1-0x0000000000090000-0x00000000000BB000-memory.dmp (172KB)
- memory/580-2-0x00000000000C0000-0x00000000000C1000-memory.dmp (4KB)
- memory/580-3-0x0000000000090000-0x00000000000BB000-memory.dmp (172KB)
- memory/580-4-0x0000000000000000-mapping.dmp
- memory/1584-0-0x0000000000000000-mapping.dmp