Analysis

  • max time kernel
    146s
  • max time network
    193s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    05-08-2021 18:41

General

  • Target

    b2f165d8f2b8e90de7618bbd960e2e73900bc7d191590b89d4d833dab8f5475a.exe

  • Size

    971KB

  • MD5

    7c287d9064703d731bd8abd737129b91

  • SHA1

    ef04b7b7e6e0817ec36d5f7bf96912a1cdd9a5c1

  • SHA256

    b2f165d8f2b8e90de7618bbd960e2e73900bc7d191590b89d4d833dab8f5475a

  • SHA512

    a78555736bac0eccfe199271be92d34ff0c533b88fce950740dc142db18436400d9418c16f5d11b92d3dbc9660c26fe8a133c2fe465ba2cad11152ba3d873be7

Score
10/10

Malware Config

Signatures

  • PlagueBot

    PlagueBot is an open source Bot written in Pascal.

  • PlagueBot Executable 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2f165d8f2b8e90de7618bbd960e2e73900bc7d191590b89d4d833dab8f5475a.exe
    "C:\Users\Admin\AppData\Local\Temp\b2f165d8f2b8e90de7618bbd960e2e73900bc7d191590b89d4d833dab8f5475a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1076
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"
      2⤵
      • Creates scheduled task(s)
      PID:1212
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Query /FO "LIST" /TN "WinManager"
      2⤵
      PID:1972
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Windows\svchost
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Windows\svchost"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:1432
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C00F3297-C888-4D40-866D-C1ADB27F04CD} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:292
    • C:\Users\Admin\AppData\Roaming\Windows\svchost
      C:\Users\Admin\AppData\Roaming\Windows\svchost
      2⤵
      • Executes dropped EXE
      PID:644
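The process tree above is the part of this report a detection engineer can act on: the sample registers a task named "WinManager" from an XML file in %TEMP%, hands the extension-less drop in %APPDATA%\Windows\svchost to the default handler via rundll32 OpenAs_RunDLL, and the task engine later executes that drop. The following Python is an added example, not sandbox output and not the sample's code: it runs three checks over a constructed list of process records whose command lines are copied from the tree above. The ProcEvent/Finding record layout, the parent PIDs (the parent of taskeng.exe is not shown in the report and is set to 0), and the ATT&CK sub-technique IDs (taken from the current ATT&CK matrix, not the Enterprise v6 mapping this report uses) are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str
    reason: str


# Directories an unprivileged user can write to; persistence artefacts here are suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
# Names a dropped file borrows to blend in with real system processes.
SYSTEM_NAMES = {"svchost", "csrss", "lsass", "winlogon", "explorer", "services"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def arg_after(tokens: List[str], switch: str) -> Optional[str]:
    low = [t.lower() for t in tokens]
    if switch in low and low.index(switch) + 1 < len(tokens):
        return tokens[low.index(switch) + 1]
    return None


def check_schtasks_xml_import(ev: ProcEvent) -> Optional[Finding]:
    """schtasks /Create ... /XML <file> with the task definition in a user-writable dir."""
    if basename(ev.image) != "schtasks.exe":
        return None
    toks = tokenize(ev.cmdline)
    if "/create" not in {t.lower() for t in toks}:
        return None  # /Query, /Delete etc. are not persistence on their own
    xml = arg_after(toks, "/xml")
    if xml and USER_WRITABLE.search(xml):
        return Finding(ev.pid, "T1053.005",
                       f"task {arg_after(toks, '/tn')!r} created from XML at {xml}")
    return None


def check_rundll32_openas(ev: ProcEvent) -> Optional[Finding]:
    """rundll32 shell32.dll,OpenAs_RunDLL used to push a dropped file into a handler app."""
    if basename(ev.image) != "rundll32.exe" or "openas_rundll" not in ev.cmdline.lower():
        return None
    target = tokenize(ev.cmdline)[-1]
    if USER_WRITABLE.search(target) and "." not in basename(target):
        return Finding(ev.pid, "T1218.011",
                       f"OpenAs_RunDLL opened extension-less file {target}")
    return None


def check_task_child_masquerade(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[Finding]:
    """Task engine (taskeng.exe on Win7; assumption) starting a system-named binary from %APPDATA%."""
    parent = by_pid.get(ev.ppid)
    if parent is None or basename(parent.image) != "taskeng.exe":
        return None
    stem = basename(ev.image).split(".")[0]
    if USER_WRITABLE.search(ev.image) and stem in SYSTEM_NAMES:
        return Finding(ev.pid, "T1036.005",
                       f"taskeng.exe (PID {parent.pid}) started {ev.image}")
    return None


def analyze(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        for f in (check_schtasks_xml_import(ev), check_rundll32_openas(ev),
                  check_task_child_masquerade(ev, by_pid)):
            if f:
                findings.append(f)
    return findings


# Constructed from the process tree in this report; parent PIDs are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b2f165d8f2b8e90de7618bbd960e2e73900bc7d191590b89d4d833dab8f5475a.exe"
SAMPLE_EVENTS = [
    ProcEvent(1076, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1212, 1076, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"'),
    ProcEvent(1972, 1076, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /Query /FO "LIST" /TN "WinManager"'),
    ProcEvent(1744, 1076, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Windows\svchost'),
    ProcEvent(1432, 1744, r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
              r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Windows\svchost"'),
    ProcEvent(292, 0, r"C:\Windows\system32\taskeng.exe",
              r"taskeng.exe {C00F3297-C888-4D40-866D-C1ADB27F04CD} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]"),
    ProcEvent(644, 292, r"C:\Users\Admin\AppData\Roaming\Windows\svchost",
              r"C:\Users\Admin\AppData\Roaming\Windows\svchost"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.technique} {f.reason}")
```

Run as-is it reports three findings (the schtasks /Create, the rundll32 OpenAs_RunDLL launch, and the task-engine child) and stays silent on the schtasks /Query and the AcroRd32 handler, which are noise on their own. The checks key on the path and naming choices the sample makes rather than on the hash, so they survive a recompile; on Windows 10 the task host is an svchost.exe -k netsvcs instance rather than taskeng.exe, so the parent test in check_task_child_masquerade would need widening there.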

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1076-59-0x00000000753B1000-0x00000000753B3000-memory.dmp

    Filesize

    8KB