Analysis
-
max time kernel
164s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220718-en -
submitted
20-07-2022 17:19
Behavioral task
behavioral1
Sample
4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe
Resource
win10v2004-20220718-en
General
-
Target
4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe
-
Size
16KB
-
MD5
8cf4757166d5ee6296aba9e94ed88577
-
SHA1
aa7d02b4bd307fe30f1b154ba4d840a05a28cebc
-
SHA256
4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f
-
SHA512
93475f842cf9f973a34878c46334b8dd1c83d14f26fc672c99d3f33e4fc3ddc18c77cf2251f0b3c2081d4a3d8ace10beb2e71cee1057e2bab8837d0488d1a002
-
SSDEEP
384:WWxvd9PWblH19GTXjdh0luujYcV6AUwJFZb:WUfeV9AhofYcV6Dw9b
Malware Config
Extracted
loaderbot
http://user80172.7ci.ru/cmd.php
Signatures
-
LoaderBot executable 1 IoCs
resource yara_rule behavioral1/memory/1480-54-0x0000000000F30000-0x0000000000F3A000-memory.dmp loaderbot -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe" 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1488 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1480 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1480 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1480 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1480 wrote to memory of 2044 1480 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe 27 PID 1480 wrote to memory of 2044 1480 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe 27 PID 1480 wrote to memory of 2044 1480 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe 27 PID 1480 wrote to memory of 2044 1480 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe 27 PID 2044 wrote to memory of 1488 2044 cmd.exe 29 PID 2044 wrote to memory of 1488 2044 cmd.exe 29 PID 2044 wrote to memory of 1488 2044 cmd.exe 29 PID 2044 wrote to memory of 1488 2044 cmd.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe"C:\Users\Admin\AppData\Local\Temp\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\cmd.exe"cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f2⤵
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f3⤵
- Creates scheduled task(s)
PID:1488
-
-