f868e88eb2524d15cfcd87afdf697074e0f9785792f342044501347dce549a1f

Resubmissions

25/01/2021, 08:35

210125-cq2gjr6x2s 10

30/07/2019, 12:34

190730-twrv8j2yqn 0

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
25/01/2021, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

m)hhm.exe
Size

3.5MB
MD5

6bc5f53d4082f12dd83aca45bae81e64
SHA1

1fb4cd155393db202b0ceed59ff49a10329b2592
SHA256

f868e88eb2524d15cfcd87afdf697074e0f9785792f342044501347dce549a1f
SHA512

05b430fe0a57373098e648fa19e3ef47b5e64ecb6fca414e8b7b66c23d7c6da626f6ac3c15115edde4421344b0ead7a6ea015791f42d853fe14af631cbca831e

Score

10^/10

persistence

Malware Config

Extracted

Family

zebrocy

http://89.37.226.148/technet-support/library/online-service-description.php?id_name=

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driveupd = "C:\\Users\\Admin\\AppData\\Roaming\\\\Identities\\\\{83AF1378-986F-1673-091A-02681FA62C3B}\\\\w32srv.exe"	reg.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1560	WMIC.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
336	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1264	systeminfo.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	4	Go-http-client/1.1

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1156	reg.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	336	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1560	WMIC.exe
Token: SeSecurityPrivilege	1560	WMIC.exe
Token: SeTakeOwnershipPrivilege	1560	WMIC.exe
Token: SeLoadDriverPrivilege	1560	WMIC.exe
Token: SeSystemProfilePrivilege	1560	WMIC.exe
Token: SeSystemtimePrivilege	1560	WMIC.exe
Token: SeProfSingleProcessPrivilege	1560	WMIC.exe
Token: SeIncBasePriorityPrivilege	1560	WMIC.exe
Token: SeCreatePagefilePrivilege	1560	WMIC.exe
Token: SeBackupPrivilege	1560	WMIC.exe
Token: SeRestorePrivilege	1560	WMIC.exe
Token: SeShutdownPrivilege	1560	WMIC.exe
Token: SeDebugPrivilege	1560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1560	WMIC.exe
Token: SeRemoteShutdownPrivilege	1560	WMIC.exe
Token: SeUndockPrivilege	1560	WMIC.exe
Token: SeManageVolumePrivilege	1560	WMIC.exe
Token: 33	1560	WMIC.exe
Token: 34	1560	WMIC.exe
Token: 35	1560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1560	WMIC.exe
Token: SeSecurityPrivilege	1560	WMIC.exe
Token: SeTakeOwnershipPrivilege	1560	WMIC.exe
Token: SeLoadDriverPrivilege	1560	WMIC.exe
Token: SeSystemProfilePrivilege	1560	WMIC.exe
Token: SeSystemtimePrivilege	1560	WMIC.exe
Token: SeProfSingleProcessPrivilege	1560	WMIC.exe
Token: SeIncBasePriorityPrivilege	1560	WMIC.exe
Token: SeCreatePagefilePrivilege	1560	WMIC.exe
Token: SeBackupPrivilege	1560	WMIC.exe
Token: SeRestorePrivilege	1560	WMIC.exe
Token: SeShutdownPrivilege	1560	WMIC.exe
Token: SeDebugPrivilege	1560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1560	WMIC.exe
Token: SeRemoteShutdownPrivilege	1560	WMIC.exe
Token: SeUndockPrivilege	1560	WMIC.exe
Token: SeManageVolumePrivilege	1560	WMIC.exe
Token: 33	1560	WMIC.exe
Token: 34	1560	WMIC.exe
Token: 35	1560	WMIC.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2032	1652	m)hhm.exe	25
PID 1652 wrote to memory of 2032	1652	m)hhm.exe	25
PID 1652 wrote to memory of 2032	1652	m)hhm.exe	25
PID 1652 wrote to memory of 2032	1652	m)hhm.exe	25
PID 1652 wrote to memory of 1264	1652	m)hhm.exe	29
PID 1652 wrote to memory of 1264	1652	m)hhm.exe	29
PID 1652 wrote to memory of 1264	1652	m)hhm.exe	29
PID 1652 wrote to memory of 1264	1652	m)hhm.exe	29
PID 1652 wrote to memory of 336	1652	m)hhm.exe	35
PID 1652 wrote to memory of 336	1652	m)hhm.exe	35
PID 1652 wrote to memory of 336	1652	m)hhm.exe	35
PID 1652 wrote to memory of 336	1652	m)hhm.exe	35
PID 1652 wrote to memory of 1164	1652	m)hhm.exe	37
PID 1652 wrote to memory of 1164	1652	m)hhm.exe	37
PID 1652 wrote to memory of 1164	1652	m)hhm.exe	37
PID 1652 wrote to memory of 1164	1652	m)hhm.exe	37
PID 1164 wrote to memory of 1560	1164	cmd.exe	39
PID 1164 wrote to memory of 1560	1164	cmd.exe	39
PID 1164 wrote to memory of 1560	1164	cmd.exe	39
PID 1164 wrote to memory of 1560	1164	cmd.exe	39
PID 1652 wrote to memory of 596	1652	m)hhm.exe	40
PID 1652 wrote to memory of 596	1652	m)hhm.exe	40
PID 1652 wrote to memory of 596	1652	m)hhm.exe	40
PID 1652 wrote to memory of 596	1652	m)hhm.exe	40
PID 1652 wrote to memory of 1816	1652	m)hhm.exe	42
PID 1652 wrote to memory of 1816	1652	m)hhm.exe	42
PID 1652 wrote to memory of 1816	1652	m)hhm.exe	42
PID 1652 wrote to memory of 1816	1652	m)hhm.exe	42
PID 1816 wrote to memory of 1156	1816	cmd.exe	44
PID 1816 wrote to memory of 1156	1816	cmd.exe	44
PID 1816 wrote to memory of 1156	1816	cmd.exe	44
PID 1816 wrote to memory of 1156	1816	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\m)hhm.exe
"C:\Users\Admin\AppData\Local\Temp\m)hhm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /C VOL
  2⤵
  PID:2032
- C:\Windows\SysWOW64\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:1264
- C:\Windows\SysWOW64\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic logicaldisk get caption,description,drivetype,providername,size"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk get caption,description,drivetype,providername,size
    3⤵
    - Collects information from the system
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe
  2⤵
  PID:596
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-2-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download
memory/1652-3-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads