Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-11-2020 15:14
- Static task: static1
- Behavioral task: behavioral1
- Sample: zergb.exe
- Resource: win7v20201028
General
- Target: zergb.exe
- Size: 808KB
- MD5: d3dee81cd147380fc01723cd3acb0cee
- SHA1: b26c8f5eca80140a68665447bd2a463feb38cfa5
- SHA256: 63c4e17fa9b6d87a9f4b68b854cae50e95f8de2a86929fecb8f34af0d15798e7
- SHA512: ad500e7070b17275312d58cca71618ef18a94efc9dd34a8933945cd1c09b67485dc22bf26f342bdc0e35449790600193f0b4ebd72c10a2aea37cd67ffad29bb8
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  540 | zergb.exe
  540 | zergb.exe
- Obfuscated with Agile.Net obfuscator (23 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes (resource | yara_rule):
  behavioral2/memory/1308-29-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-30-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-31-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-32-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-33-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-34-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-35-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-36-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-37-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-38-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-39-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-40-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-41-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-42-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-43-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-44-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-45-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-47-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-48-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-49-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-46-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-50-0x0000000000424006-mapping.dmp | agile_net
  behavioral2/memory/1308-51-0x0000000000424006-mapping.dmp | agile_net
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
  15 | icanhazip.com
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid process | target process):
  PID 540 set thread context of 1308 | 540 zergb.exe | zergb.exe
- Program crash (1 IoCs)
  Processes (pid process | pid_target target process):
  1936 WerFault.exe | 1308 zergb.exe
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes (pid | process), repeated hits collapsed with their count:
  540 | zergb.exe (1 hit)
  1308 | zergb.exe (10 hits)
  1936 | WerFault.exe (14 hits)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description | pid process):
  Token: SeDebugPrivilege | 540 zergb.exe
  Token: SeTakeOwnershipPrivilege | 540 zergb.exe
  Token: SeRestorePrivilege | 540 zergb.exe
  Token: SeDebugPrivilege | 1308 zergb.exe
  Token: SeSecurityPrivilege | 1616 msiexec.exe
  Token: SeRestorePrivilege | 1936 WerFault.exe
  Token: SeBackupPrivilege | 1936 WerFault.exe
  Token: SeDebugPrivilege | 1936 WerFault.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (description | pid process | target process), repeated hits collapsed with their count:
  PID 540 wrote to memory of 1308 | 540 zergb.exe | zergb.exe (8 hits)
  PID 1308 wrote to memory of 2668 | 1308 zergb.exe | cmd.exe (3 hits)
  PID 2668 wrote to memory of 2140 | 2668 cmd.exe | chcp.com (3 hits)
  PID 2668 wrote to memory of 2828 | 2668 cmd.exe | netsh.exe (3 hits)
  PID 2668 wrote to memory of 3688 | 2668 cmd.exe | findstr.exe (3 hits)
  PID 1308 wrote to memory of 184 | 1308 zergb.exe | cmd.exe (3 hits)
  PID 184 wrote to memory of 1008 | 184 cmd.exe | chcp.com (3 hits)
  PID 184 wrote to memory of 1232 | 184 cmd.exe | netsh.exe (3 hits)
Processes (indented by process-tree depth)
- C:\Users\Admin\AppData\Local\Temp\zergb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\zergb.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\zergb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\zergb.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh wlan show profile
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr All
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh wlan show networks mode=bssid
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 2956
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT.dll
  MD5: 14ff402962ad21b78ae0b4c43cd1f194
  SHA1: f8a510eb26666e875a5bdd1cadad40602763ad72
  SHA256: fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
  SHA512: daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
- \Users\Admin\AppData\Local\Temp\e34dd831-6d57-4d92-81ec-c008864dca6e\AgileDotNetRT.dll
  MD5: 14ff402962ad21b78ae0b4c43cd1f194
  SHA1: f8a510eb26666e875a5bdd1cadad40602763ad72
  SHA256: fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
  SHA512: daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b