Analysis
- max time kernel: 668s
- max time network: 843s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 22-10-2021 09:39
Static task: static1
Behavioral task: behavioral1
- Sample: becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962.bin.sample.exe
- Resource: win10-en-20210920
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962.bin.sample.exe
- Size: 146KB
- MD5: d93ca01a4515732a6a54df0a391c93e3
- SHA1: ba31585616c3640a434c4c29193f0f89e8306485
- SHA256: becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962
- SHA512: 3e9c52c04cf37250e8d4e0e3a17cc27e17a1ff19c4935a788b77dafea28bd6ec0a514bdbe4073845c31559652c039f88f811b24020044c0b0e0c47f1cb9ac2e0
- Score: 10/10
Malware Config
Extracted
- Family: zloader
- Botnet: -pit14
- Campaign: web7-pit14
- C2: https://45.72.3.132/web7643/gate.php
- rc4.plain
Signatures
- Blocklisted process makes network request (15 IoCs)
  Processes: msiexec.exe
  flow | pid | process
  22 | 4532 | msiexec.exe
  23 | 4532 | msiexec.exe
  26 | 4532 | msiexec.exe
  27 | 4532 | msiexec.exe
  28 | 4532 | msiexec.exe
  29 | 4532 | msiexec.exe
  30 | 4532 | msiexec.exe
  31 | 4532 | msiexec.exe
  32 | 4532 | msiexec.exe
  33 | 4532 | msiexec.exe
  34 | 4532 | msiexec.exe
  35 | 4532 | msiexec.exe
  36 | 4532 | msiexec.exe
  37 | 4532 | msiexec.exe
  38 | 4532 | msiexec.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gaabace = "C:\\Users\\Admin\\AppData\\Roaming\\Afah\\bybiecyf.exe" | msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962.bin.sample.exe
  description | pid | process | target process
  PID 2192 set thread context of 4532 | 2192 | becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962.bin.sample.exe | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  description | pid | process
  Token: SeSecurityPrivilege | 4532 | msiexec.exe
  Token: SeSecurityPrivilege | 4532 | msiexec.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962.bin.sample.exe
  description | pid | process | target process
  PID 2192 wrote to memory of 4532 | 2192 | becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962.bin.sample.exe | msiexec.exe
  PID 2192 wrote to memory of 4532 | 2192 | becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962.bin.sample.exe | msiexec.exe
  PID 2192 wrote to memory of 4532 | 2192 | becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962.bin.sample.exe | msiexec.exe
  PID 2192 wrote to memory of 4532 | 2192 | becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962.bin.sample.exe | msiexec.exe
  PID 2192 wrote to memory of 4532 | 2192 | becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962.bin.sample.exe | msiexec.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\becacb52a50004d42538cfe82c8f527f1793727c5f679f46df7f96eade272962.bin.sample.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (child process)
    Command line: msiexec.exe
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4532-115-0x00000000004E0000-0x000000000050A000-memory.dmp (Filesize 168KB)
- memory/4532-116-0x0000000000000000-mapping.dmp
- memory/4532-118-0x00000000001F0000-0x00000000001F1000-memory.dmp (Filesize 4KB)
- memory/4532-117-0x00000000001F0000-0x00000000001F1000-memory.dmp (Filesize 4KB)
- memory/4532-119-0x00000000004E0000-0x000000000050A000-memory.dmp (Filesize 168KB)