f868e88eb2524d15cfcd87afdf697074e0f9785792f342044501347dce549a1f

Resubmissions

25-01-2021 08:35

210125-cq2gjr6x2s 10

30-07-2019 12:34

190730-twrv8j2yqn 0

Analysis

max time kernel
12s
max time network
115s
platform
windows10_x64
resource
win10v20201028
submitted
25-01-2021 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

m)hhm.exe
Size

3.5MB
MD5

6bc5f53d4082f12dd83aca45bae81e64
SHA1

1fb4cd155393db202b0ceed59ff49a10329b2592
SHA256

f868e88eb2524d15cfcd87afdf697074e0f9785792f342044501347dce549a1f
SHA512

05b430fe0a57373098e648fa19e3ef47b5e64ecb6fca414e8b7b66c23d7c6da626f6ac3c15115edde4421344b0ead7a6ea015791f42d853fe14af631cbca831e

Score

10^/10

persistence

Malware Config

Extracted

Family

zebrocy

http://89.37.226.148/technet-support/library/online-service-description.php?id_name=

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driveupd = "C:\\Users\\Admin\\AppData\\Roaming\\\\Identities\\\\{83AF1378-986F-1673-091A-02681FA62C3B}\\\\w32srv.exe"	reg.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3460	WMIC.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3960	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2812	systeminfo.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	12	Go-http-client/1.1

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2492	reg.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	3960	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3460	WMIC.exe
Token: SeSecurityPrivilege	3460	WMIC.exe
Token: SeTakeOwnershipPrivilege	3460	WMIC.exe
Token: SeLoadDriverPrivilege	3460	WMIC.exe
Token: SeSystemProfilePrivilege	3460	WMIC.exe
Token: SeSystemtimePrivilege	3460	WMIC.exe
Token: SeProfSingleProcessPrivilege	3460	WMIC.exe
Token: SeIncBasePriorityPrivilege	3460	WMIC.exe
Token: SeCreatePagefilePrivilege	3460	WMIC.exe
Token: SeBackupPrivilege	3460	WMIC.exe
Token: SeRestorePrivilege	3460	WMIC.exe
Token: SeShutdownPrivilege	3460	WMIC.exe
Token: SeDebugPrivilege	3460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3460	WMIC.exe
Token: SeRemoteShutdownPrivilege	3460	WMIC.exe
Token: SeUndockPrivilege	3460	WMIC.exe
Token: SeManageVolumePrivilege	3460	WMIC.exe
Token: 33	3460	WMIC.exe
Token: 34	3460	WMIC.exe
Token: 35	3460	WMIC.exe
Token: 36	3460	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3460	WMIC.exe
Token: SeSecurityPrivilege	3460	WMIC.exe
Token: SeTakeOwnershipPrivilege	3460	WMIC.exe
Token: SeLoadDriverPrivilege	3460	WMIC.exe
Token: SeSystemProfilePrivilege	3460	WMIC.exe
Token: SeSystemtimePrivilege	3460	WMIC.exe
Token: SeProfSingleProcessPrivilege	3460	WMIC.exe
Token: SeIncBasePriorityPrivilege	3460	WMIC.exe
Token: SeCreatePagefilePrivilege	3460	WMIC.exe
Token: SeBackupPrivilege	3460	WMIC.exe
Token: SeRestorePrivilege	3460	WMIC.exe
Token: SeShutdownPrivilege	3460	WMIC.exe
Token: SeDebugPrivilege	3460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3460	WMIC.exe
Token: SeRemoteShutdownPrivilege	3460	WMIC.exe
Token: SeUndockPrivilege	3460	WMIC.exe
Token: SeManageVolumePrivilege	3460	WMIC.exe
Token: 33	3460	WMIC.exe
Token: 34	3460	WMIC.exe
Token: 35	3460	WMIC.exe
Token: 36	3460	WMIC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 2224	3884	m)hhm.exe	75
PID 3884 wrote to memory of 2224	3884	m)hhm.exe	75
PID 3884 wrote to memory of 2224	3884	m)hhm.exe	75
PID 3884 wrote to memory of 2812	3884	m)hhm.exe	77
PID 3884 wrote to memory of 2812	3884	m)hhm.exe	77
PID 3884 wrote to memory of 2812	3884	m)hhm.exe	77
PID 3884 wrote to memory of 3960	3884	m)hhm.exe	83
PID 3884 wrote to memory of 3960	3884	m)hhm.exe	83
PID 3884 wrote to memory of 3960	3884	m)hhm.exe	83
PID 3884 wrote to memory of 416	3884	m)hhm.exe	85
PID 3884 wrote to memory of 416	3884	m)hhm.exe	85
PID 3884 wrote to memory of 416	3884	m)hhm.exe	85
PID 416 wrote to memory of 3460	416	cmd.exe	87
PID 416 wrote to memory of 3460	416	cmd.exe	87
PID 416 wrote to memory of 3460	416	cmd.exe	87
PID 3884 wrote to memory of 1332	3884	m)hhm.exe	88
PID 3884 wrote to memory of 1332	3884	m)hhm.exe	88
PID 3884 wrote to memory of 1332	3884	m)hhm.exe	88
PID 3884 wrote to memory of 3896	3884	m)hhm.exe	90
PID 3884 wrote to memory of 3896	3884	m)hhm.exe	90
PID 3884 wrote to memory of 3896	3884	m)hhm.exe	90
PID 3896 wrote to memory of 2492	3896	cmd.exe	92
PID 3896 wrote to memory of 2492	3896	cmd.exe	92
PID 3896 wrote to memory of 2492	3896	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\m)hhm.exe
"C:\Users\Admin\AppData\Local\Temp\m)hhm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\SysWOW64\cmd.exe
  cmd /C VOL
  2⤵
  PID:2224
- C:\Windows\SysWOW64\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2812
- C:\Windows\SysWOW64\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "wmic logicaldisk get caption,description,drivetype,providername,size"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk get caption,description,drivetype,providername,size
    3⤵
    - Collects information from the system
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe
  2⤵
  PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Driveupd /d C:\Users\Admin\AppData\Roaming\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3884-2-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads