Analysis
- max time kernel: 151s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-07-2022 10:02
Static task: static1
Behavioral task: behavioral1
  Sample: 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe
  Resource: win10v2004-20220414-en
General
- Target: 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe
- Size: 16KB
- MD5: e14558e702089180c651a530f3d8d491
- SHA1: ebdbfa5db972920ba262d2698e97aeb7f417b157
- SHA256: 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8
- SHA512: 484dad988ea4d627206767e424fef31c9147aefac60b059a4ba603decfa99876d40e545efcde8fef50711b89e37a9809b7975ad7f09206c7b60e49e283f24d2f
Malware Config
Signatures
- LoaderBot executable 1 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/5064-133-0x0000000000EC0000-0x0000000000ECA000-memory.dmp | loaderbot
- Drops startup file 1 IoCs
  Processes: 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url | 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe" | 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes: 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe
  pid | process
  5064 | 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe
- Suspicious behavior: RenamesItself 1 IoCs
  Processes: 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe
  pid | process
  5064 | 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe
  description | pid | process
  Token: SeDebugPrivilege | 5064 | 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe
- Suspicious use of WriteProcessMemory 6 IoCs
  Processes: 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe, cmd.exe
  description | pid | process | target process
  PID 5064 wrote to memory of 4564 | 5064 | 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe | cmd.exe
  PID 5064 wrote to memory of 4564 | 5064 | 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe | cmd.exe
  PID 5064 wrote to memory of 4564 | 5064 | 4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe | cmd.exe
  PID 4564 wrote to memory of 1152 | 4564 | cmd.exe | schtasks.exe
  PID 4564 wrote to memory of 1152 | 4564 | cmd.exe | schtasks.exe
  PID 4564 wrote to memory of 1152 | 4564 | cmd.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5064
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    - Suspicious use of WriteProcessMemory
    PID: 4564
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\4b68a446a8326ccb9adaa3f2bbb7ba5530b4f3b1c08b21be244e06392974fec8.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
      - Creates scheduled task(s)
      PID: 1152