Analysis
- max time kernel: 70s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 18-04-2022 10:13

Static task: static1
Behavioral task: behavioral1
Sample: 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe
Resource: win7-20220414-en
General
- Target: 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe
- Size: 282KB
- MD5: 24a14eb9657fff6c151b279556cba1f0
- SHA1: 843624d36b63100beb5bc05e4ddec5659317eb9d
- SHA256: 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141
- SHA512: 30043da4f8aa33085f2d8238d7151c06f74c8376a3bc2f9deba492e2692d3ed79b7737f416eed11fed9f40d273f84917717b7ecfa745b4fb30274c689664f024
Malware Config
Extracted: zloader
r2
r2
C2 URLs:
- https://notsweets.net/LKhwojehDgwegSDG/gateJKjdsh.php
- https://olpons.com/LKhwojehDgwegSDG/gateJKjdsh.php
- https://karamelliar.org/LKhwojehDgwegSDG/gateJKjdsh.php
- https://dogrunn.com/LKhwojehDgwegSDG/gateJKjdsh.php
- https://azoraz.net/LKhwojehDgwegSDG/gateJKjdsh.php
- build_id: 136
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes: 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe
  description | pid | process | target process
  PID 1572 created 2432 | 1572 | 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe | Explorer.EXE

suricata: ET MALWARE Zbot POST Request to C2
suricata: ET MALWARE Zbot POST Request to C2

Blocklisted process makes network request (5 IoCs)
Processes: msiexec.exe
  flow | pid | process
  16 | 1248 | msiexec.exe
  18 | 1248 | msiexec.exe
  23 | 1248 | msiexec.exe
  25 | 1248 | msiexec.exe
  27 | 1248 | msiexec.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe
  description | pid | process | target process
  PID 1572 set thread context of 1248 | 1572 | 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe | msiexec.exe

Program crash (1 IoC)
Processes: WerFault.exe
  pid | pid_target | process | target process
  2068 | 1572 | WerFault.exe | 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe
  pid | process
  1572 | 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe
  1572 | 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe, msiexec.exe
  description | pid | process
  Token: SeDebugPrivilege | 1572 | 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe
  Token: SeSecurityPrivilege | 1248 | msiexec.exe
  Token: SeSecurityPrivilege | 1248 | msiexec.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe
  description | pid | process | target process
  PID 1572 wrote to memory of 1248 | 1572 | 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe | msiexec.exe
  PID 1572 wrote to memory of 1248 | 1572 | 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe | msiexec.exe
  PID 1572 wrote to memory of 1248 | 1572 | 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe | msiexec.exe
  PID 1572 wrote to memory of 1248 | 1572 | 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe | msiexec.exe
  PID 1572 wrote to memory of 1248 | 1572 | 6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe | msiexec.exe
Processes (tree; indentation shows parent/child relationship)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\6f3d6311fb91f7dea3d8d83833c94ee81b4e936d181619c5c9166f6994532141.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 448
      - Program crash

  C:\Windows\SysWOW64\msiexec.exe
    command line: msiexec.exe
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1572 -ip 1572
Network
MITRE ATT&CK Matrix
Downloads
- memory/1248-133-0x0000000000000000-mapping.dmp
- memory/1248-134-0x0000000000330000-0x0000000000356000-memory.dmp (Filesize: 152KB)
- memory/1248-135-0x0000000000330000-0x0000000000356000-memory.dmp (Filesize: 152KB)
- memory/1572-131-0x0000000000EB0000-0x0000000000ED2000-memory.dmp (Filesize: 136KB)
- memory/1572-130-0x0000000000FAA000-0x0000000000FC1000-memory.dmp (Filesize: 92KB)
- memory/1572-132-0x0000000000400000-0x0000000000C20000-memory.dmp (Filesize: 8.1MB)