490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20220414-en
submitted
14-07-2022 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe
Size

138KB
MD5

5b1e1e909a6efca6cabc0fad8a0458a6
SHA1

243b45c2f3d4a0dbe53fe3e5884ec72dc2f29664
SHA256

490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1
SHA512

08d5cc20707e673186cb42651c4d3118848a7d4826ae5bc0a690afbb010c00788180d0ea689917d71d922fb73a5a47cd861ed851efd565c1cfbddee5b3e8bf1e

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Zbot Activity Common Download Struct
suricata: ET MALWARE Possible Zbot Activity Common Download Struct
suricata
suricata: ET MALWARE Zbot Generic URI/Header Struct .bin
suricata: ET MALWARE Zbot Generic URI/Header Struct .bin
suricata

Executes dropped EXE 1 IoCs

pid	Process
1644	obop.exe

Deletes itself 1 IoCs

pid	Process
1988	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe
2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\Currentversion\Run	obop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F9567DCA-33FF-6CDC-1D46-4BB9E66E2C84} = "C:\\Users\\Admin\\AppData\\Roaming\\Liizn\\obop.exe"	obop.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 1988	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Privacy	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\31CB40D2-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe
1644	obop.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe
Token: SeSecurityPrivilege	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe
Token: SeSecurityPrivilege	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe
Token: SeManageVolumePrivilege	772	WinMail.exe
Token: SeSecurityPrivilege	1988	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
772	WinMail.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1644	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe	28
PID 2004 wrote to memory of 1644	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe	28
PID 2004 wrote to memory of 1644	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe	28
PID 2004 wrote to memory of 1644	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe	28
PID 1644 wrote to memory of 1248	1644	obop.exe	10
PID 1644 wrote to memory of 1248	1644	obop.exe	10
PID 1644 wrote to memory of 1248	1644	obop.exe	10
PID 1644 wrote to memory of 1248	1644	obop.exe	10
PID 1644 wrote to memory of 1248	1644	obop.exe	10
PID 1644 wrote to memory of 1332	1644	obop.exe	18
PID 1644 wrote to memory of 1332	1644	obop.exe	18
PID 1644 wrote to memory of 1332	1644	obop.exe	18
PID 1644 wrote to memory of 1332	1644	obop.exe	18
PID 1644 wrote to memory of 1332	1644	obop.exe	18
PID 1644 wrote to memory of 1384	1644	obop.exe	17
PID 1644 wrote to memory of 1384	1644	obop.exe	17
PID 1644 wrote to memory of 1384	1644	obop.exe	17
PID 1644 wrote to memory of 1384	1644	obop.exe	17
PID 1644 wrote to memory of 1384	1644	obop.exe	17
PID 1644 wrote to memory of 2004	1644	obop.exe	27
PID 1644 wrote to memory of 2004	1644	obop.exe	27
PID 1644 wrote to memory of 2004	1644	obop.exe	27
PID 1644 wrote to memory of 2004	1644	obop.exe	27
PID 1644 wrote to memory of 2004	1644	obop.exe	27
PID 1644 wrote to memory of 772	1644	obop.exe	29
PID 1644 wrote to memory of 772	1644	obop.exe	29
PID 1644 wrote to memory of 772	1644	obop.exe	29
PID 1644 wrote to memory of 772	1644	obop.exe	29
PID 1644 wrote to memory of 772	1644	obop.exe	29
PID 2004 wrote to memory of 1988	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe	30
PID 2004 wrote to memory of 1988	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe	30
PID 2004 wrote to memory of 1988	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe	30
PID 2004 wrote to memory of 1988	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe	30
PID 2004 wrote to memory of 1988	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe	30
PID 2004 wrote to memory of 1988	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe	30
PID 2004 wrote to memory of 1988	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe	30
PID 2004 wrote to memory of 1988	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe	30
PID 2004 wrote to memory of 1988	2004	490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe	30
PID 1644 wrote to memory of 1504	1644	obop.exe	31
PID 1644 wrote to memory of 1504	1644	obop.exe	31
PID 1644 wrote to memory of 1504	1644	obop.exe	31
PID 1644 wrote to memory of 1504	1644	obop.exe	31
PID 1644 wrote to memory of 1504	1644	obop.exe	31
PID 1644 wrote to memory of 1172	1644	obop.exe	32
PID 1644 wrote to memory of 1172	1644	obop.exe	32
PID 1644 wrote to memory of 1172	1644	obop.exe	32
PID 1644 wrote to memory of 1172	1644	obop.exe	32
PID 1644 wrote to memory of 1172	1644	obop.exe	32
PID 1644 wrote to memory of 1620	1644	obop.exe	33
PID 1644 wrote to memory of 1620	1644	obop.exe	33
PID 1644 wrote to memory of 1620	1644	obop.exe	33
PID 1644 wrote to memory of 1620	1644	obop.exe	33
PID 1644 wrote to memory of 1620	1644	obop.exe	33
PID 1644 wrote to memory of 828	1644	obop.exe	34
PID 1644 wrote to memory of 828	1644	obop.exe	34
PID 1644 wrote to memory of 828	1644	obop.exe	34
PID 1644 wrote to memory of 828	1644	obop.exe	34
PID 1644 wrote to memory of 828	1644	obop.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1248

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe
  "C:\Users\Admin\AppData\Local\Temp\490aeb8ce4b544f6edbf0f6c84bb808fb3023b9f7f8283cb101b82783b36cce1.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Roaming\Liizn\obop.exe
    "C:\Users\Admin\AppData\Roaming\Liizn\obop.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4bf33b6a.bat"
    3⤵
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    PID:1988

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1332

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "138770368-17437401971298277011-161541958813001691381084603803-1600022563-1331766389"
1⤵
PID:1504

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1172

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4bf33b6a.bat

Filesize
307B

MD5
9bb3c558d814d0b2bd618df87497dc80

SHA1
a750f9116572df67d167a9ec2470c61a4c4a08e8

SHA256
3733eed6ab21f4dbdce6fdc987d5e89c7d76561fb197e6c8d7ddcb4e3b1c7508

SHA512
083e7f2e71beec1dc3985d0d9b12f6d5b40ae1a6c7648af52e4b01b0ae798fe8a7a7ebe48c86c1e8cf6d196e3b373f5e09e9d21030e4c2f118cbcb9a55b5280c

Download Submit
C:\Users\Admin\AppData\Roaming\Apet\yngyi.uma

Filesize
398B

MD5
48ac1f2f028ba784e5bae0d0581669fe

SHA1
fd1a9facc4d6750ab1043e8ca90b1204b01676c8

SHA256
a1954b9f1de9400aaaa99cfae3ca555cd4012b05d6c03370c373c2e9f19356a2

SHA512
c3b46eb9bac040e28ae014047100b334667fec90a294dab5ebbec0409166ff98af86dd5e16c115dc5d4b89b9e3f60cd800840fdae6af45b3b0129a807ef1fad1

Download Submit
C:\Users\Admin\AppData\Roaming\Liizn\obop.exe

Filesize
138KB

MD5
6cd9d6a290f6a42b4f7715b1e399a8b4

SHA1
c2d7d21fa227262810ded8dd48b22cf62f86364e

SHA256
1c57e2620afedd8080ab7e1c501ff7e0cf1ac7d113dc293746018c74b9a68dce

SHA512
1beef4de29a6080d08624a85ebad34a6523cef3bb02945b80d7301e372c7a0e0d3095c2c431627e0ad21463e1cffee6542e1f52638b17681f128a4e14c94ea07

Download Submit
C:\Users\Admin\AppData\Roaming\Liizn\obop.exe

Filesize
138KB

MD5
6cd9d6a290f6a42b4f7715b1e399a8b4

SHA1
c2d7d21fa227262810ded8dd48b22cf62f86364e

SHA256
1c57e2620afedd8080ab7e1c501ff7e0cf1ac7d113dc293746018c74b9a68dce

SHA512
1beef4de29a6080d08624a85ebad34a6523cef3bb02945b80d7301e372c7a0e0d3095c2c431627e0ad21463e1cffee6542e1f52638b17681f128a4e14c94ea07

Download Submit
\Users\Admin\AppData\Roaming\Liizn\obop.exe

Filesize
138KB

MD5
6cd9d6a290f6a42b4f7715b1e399a8b4

SHA1
c2d7d21fa227262810ded8dd48b22cf62f86364e

SHA256
1c57e2620afedd8080ab7e1c501ff7e0cf1ac7d113dc293746018c74b9a68dce

SHA512
1beef4de29a6080d08624a85ebad34a6523cef3bb02945b80d7301e372c7a0e0d3095c2c431627e0ad21463e1cffee6542e1f52638b17681f128a4e14c94ea07

Download Submit
\Users\Admin\AppData\Roaming\Liizn\obop.exe

Filesize
138KB

MD5
6cd9d6a290f6a42b4f7715b1e399a8b4

SHA1
c2d7d21fa227262810ded8dd48b22cf62f86364e

SHA256
1c57e2620afedd8080ab7e1c501ff7e0cf1ac7d113dc293746018c74b9a68dce

SHA512
1beef4de29a6080d08624a85ebad34a6523cef3bb02945b80d7301e372c7a0e0d3095c2c431627e0ad21463e1cffee6542e1f52638b17681f128a4e14c94ea07

Download Submit
memory/772-103-0x00000000040B0000-0x00000000040D7000-memory.dmp

Filesize
156KB

Download
memory/772-105-0x00000000040B0000-0x00000000040D7000-memory.dmp

Filesize
156KB

Download
memory/772-104-0x00000000040B0000-0x00000000040D7000-memory.dmp

Filesize
156KB

Download
memory/772-102-0x00000000040B0000-0x00000000040D7000-memory.dmp

Filesize
156KB

Download
memory/772-93-0x0000000002120000-0x0000000002130000-memory.dmp

Filesize
64KB

Download
memory/772-87-0x0000000001F50000-0x0000000001F60000-memory.dmp

Filesize
64KB

Download
memory/772-86-0x000007FEF6541000-0x000007FEF6543000-memory.dmp

Filesize
8KB

Download
memory/772-85-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

Filesize
8KB

Download
memory/1172-125-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1172-126-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1248-65-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1248-66-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1248-61-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1248-63-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1248-64-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1332-71-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1332-72-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1332-70-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1332-69-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1384-77-0x00000000029D0000-0x00000000029F7000-memory.dmp

Filesize
156KB

Download
memory/1384-75-0x00000000029D0000-0x00000000029F7000-memory.dmp

Filesize
156KB

Download
memory/1384-76-0x00000000029D0000-0x00000000029F7000-memory.dmp

Filesize
156KB

Download
memory/1384-78-0x00000000029D0000-0x00000000029F7000-memory.dmp

Filesize
156KB

Download
memory/1504-122-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1504-121-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1504-120-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1504-119-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1988-110-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1988-111-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1988-113-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1988-116-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1988-108-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2004-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/2004-99-0x0000000001DE0000-0x0000000001E07000-memory.dmp

Filesize
156KB

Download
memory/2004-83-0x0000000001DE0000-0x0000000001E07000-memory.dmp

Filesize
156KB

Download
memory/2004-84-0x0000000001DE0000-0x0000000001E07000-memory.dmp

Filesize
156KB

Download
memory/2004-82-0x0000000001DE0000-0x0000000001E07000-memory.dmp

Filesize
156KB

Download
memory/2004-81-0x0000000001DE0000-0x0000000001E07000-memory.dmp

Filesize
156KB

Download