Analysis
  Max time kernel: 15s
  Max time network: 90s
  Platform: windows10-2004_x64
  Resource: win10v2004-20220414-en
  Submitted: 30-06-2022 18:55

Static task: static1

Behavioral task: behavioral1
  Sample: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe
  Resource: win10v2004-20220414-en
General
  Target: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe
  Size: 16KB
  MD5: 898f759e2ce84b634c113c4fdac2dcf7
  SHA1: 7e779e940eec53d7152c3f70922543cc43d9a172
  SHA256: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80
  SHA512: 396d32ec522bee3c65f6555d058b8fe325919ff1b74fdd5bf29b830dbca8c91697dd5cecb09c83a6a6a3e3127dd0a6b830537bf2f983080376965292597980da
Malware Config
Signatures

LoaderBot executable (1 IoC)
  Resource: behavioral2/memory/2892-130-0x0000000000060000-0x000000000006A000-memory.dmp
  YARA rule: loaderbot

Drops startup file (1 IoC)
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url
  Process: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe"
  Process: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID: 2892
  Process: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe

Suspicious behavior: RenamesItself (1 IoC)
  PID: 2892
  Process: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description: Token: SeDebugPrivilege
  PID: 2892
  Process: 3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Description                         PID   Process                                                                   Target PID  Target process
  PID 2892 wrote to memory of 4568    2892  3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe    4568        cmd.exe
  PID 2892 wrote to memory of 4568    2892  3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe    4568        cmd.exe
  PID 2892 wrote to memory of 4568    2892  3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe    4568        cmd.exe
  PID 4568 wrote to memory of 3004    4568  cmd.exe                                                                   3004        schtasks.exe
  PID 4568 wrote to memory of 3004    4568  cmd.exe                                                                   3004        schtasks.exe
  PID 4568 wrote to memory of 3004    4568  cmd.exe                                                                   3004        schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe"
  PID: 2892
  Signatures:
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    PID: 4568
    Signatures:
      - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\3fcf361ce3e433b48fcbaf5a6f3744856771e6c52079b0d38a582671b7c0af80.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
  PID: 3004
  Signatures:
    - Creates scheduled task(s)