Analysis

max time kernel: 150s
max time network: 122s
platform: windows10_x64
resource: win10v20201028
submitted: 04-02-2021 16:42
Static task: static1
Behavioral task: behavioral1
Sample: 05a1103b03aec2005386119fd29cedf8.exe
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds
General

Target: 05a1103b03aec2005386119fd29cedf8.exe
Size: 250KB
MD5: 05a1103b03aec2005386119fd29cedf8
SHA1: 455e579b34f9607d21b6195644b756ffb09a53a6
SHA256: 141b78ce7b21a31bffc8a05311d96b8347aca36a69fa4768f8a32fae2ce12b8b
SHA512: 22f88654f41414367e23d14eefe7f3caa88ae432216f85d9d4d3a82fce1c428917bfe60c12d15268d72347c6ce1887a3263bb28416c04c255d270531bd0ef711
Malware Config

Extracted
Family: gootkit
Botnet: 777
C2:
madregobilsg.com
kerymarynicegross.com
pillygreamstronh.com
charnchiumbong.com
kiwimujirahdron.com
Attributes:
vendor_id: 777
Signatures

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 05a1103b03aec2005386119fd29cedf8.exe, 05a1103b03aec2005386119fd29cedf8.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 05a1103b03aec2005386119fd29cedf8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 05a1103b03aec2005386119fd29cedf8.exe

Modifies Internet Explorer Protected Mode (1 TTPs, 5 IoCs)
Processes: 05a1103b03aec2005386119fd29cedf8.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3" | 05a1103b03aec2005386119fd29cedf8.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | 05a1103b03aec2005386119fd29cedf8.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | 05a1103b03aec2005386119fd29cedf8.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | 05a1103b03aec2005386119fd29cedf8.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | 05a1103b03aec2005386119fd29cedf8.exe

Suspicious behavior: EnumeratesProcesses (6428 IoCs)
Processes: 05a1103b03aec2005386119fd29cedf8.exe
pid | process
4772 | 05a1103b03aec2005386119fd29cedf8.exe
(the report repeats this same pid/process row for every listed IoC; the duplicates are collapsed here)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 05a1103b03aec2005386119fd29cedf8.exe
description | pid | process | target process
PID 4772 wrote to memory of 1868 | 4772 | 05a1103b03aec2005386119fd29cedf8.exe | 05a1103b03aec2005386119fd29cedf8.exe
PID 4772 wrote to memory of 1868 | 4772 | 05a1103b03aec2005386119fd29cedf8.exe | 05a1103b03aec2005386119fd29cedf8.exe
PID 4772 wrote to memory of 1868 | 4772 | 05a1103b03aec2005386119fd29cedf8.exe | 05a1103b03aec2005386119fd29cedf8.exe
Processes

C:\Users\Admin\AppData\Local\Temp\05a1103b03aec2005386119fd29cedf8.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\05a1103b03aec2005386119fd29cedf8.exe"
PID: 4772
- Checks BIOS information in registry
- Modifies Internet Explorer Protected Mode
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\05a1103b03aec2005386119fd29cedf8.exe (depth 2, child of PID 4772)
  Command line: C:\Users\Admin\AppData\Local\Temp\05a1103b03aec2005386119fd29cedf8.exe --vwxyz
  PID: 1868
  - Checks BIOS information in registry