Analysis
max time kernel: 7s
max time network: 47s
platform: windows7_x64
resource: win7-20220414-en
submitted: 30-06-2022 18:55
Static task: static1
Behavioral task: behavioral1
  Sample: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe
  Resource: win10v2004-20220414-en
General
Target: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe
Size: 16KB
MD5: 898f759e2ce84b634c113c4fdac2dcf7
SHA1: 7e779e940eec53d7152c3f70922543cc43d9a172
SHA256: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80
SHA512: 396d32ec522bee3c65f6555d058b8fe325919ff1b74fdd5bf29b830dbca8c91697dd5cecb09c83a6a6a3e3127dd0a6b830537bf2f983080376965292597980da
Malware Config
Signatures
- LoaderBot executable (1 IoCs)
  resource: behavioral1/memory/1656-54-0x00000000013E0000-0x00000000013EA000-memory.dmp
  yara_rule: loaderbot
- Drops startup file (1 IoCs)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url
  process: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe"
  process: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid: 1656
  process: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid: 1656
  process: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 1656
  process: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1656 wrote to memory of 1100 (3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe -> cmd.exe)
  PID 1656 wrote to memory of 1100 (3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe -> cmd.exe)
  PID 1656 wrote to memory of 1100 (3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe -> cmd.exe)
  PID 1656 wrote to memory of 1100 (3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe -> cmd.exe)
  PID 1100 wrote to memory of 2024 (cmd.exe -> schtasks.exe)
  PID 1100 wrote to memory of 2024 (cmd.exe -> schtasks.exe)
  PID 1100 wrote to memory of 2024 (cmd.exe -> schtasks.exe)
  PID 1100 wrote to memory of 2024 (cmd.exe -> schtasks.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1656
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    - Suspicious use of WriteProcessMemory
    PID: 1100
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
      - Creates scheduled task(s)
      PID: 2024