Overview

overview

10

Static

static

10

146.70.143...e2.exe

windows7-x64

10

146.70.143...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    42s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06-10-2022 12:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe

  • Size

    967KB

  • MD5

    b03ccade490854df220914c4430967e2

  • SHA1

    1911a59e8c4b427d3fbc8fc9c794886bd2d81305

  • SHA256

    81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

  • SHA512

    0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

  • SSDEEP

    24576:xNxsglIPAtgV+rnEQBg2AdqgwGd9OCPltP0gxkR3dCqJO5VxQ75Sf1:57uKrnEQi2Ad/wQPLP0gx1qt5Sf1

Score
10/10
plaguebotbotnet

Malware Config

Signatures

  • PlagueBot

    PlagueBot is an open source Bot written in Pascal.

    botnetplaguebot
  • PlagueBot Executable 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe
    "C:\Users\Admin\AppData\Local\Temp\146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:360
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"
      2⤵
      • Creates scheduled task(s)
      PID:288
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /Query /FO "LIST" /TN "WinManager"
      2⤵
        PID:956
      • C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
        "C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe" /wait
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1244
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN "WinManager"
          3⤵
            PID:608
          • C:\Windows\SysWOW64\cmd.exe
            cmd /C timeout 5 & del /F /Q "C:\Users\Admin\AppData\Roaming\discordnitro\*.*" & rmdir "C:\Users\Admin\AppData\Roaming\discordnitro"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:556
            • C:\Windows\SysWOW64\timeout.exe
              timeout 5
              4⤵
              • Delays execution with timeout.exe
              PID:572
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {793D357F-EAC1-4A68-B8E6-A153F6A8200D} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:324
        • C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
          C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
          2⤵
          • Executes dropped EXE
          PID:1688

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\NewTask.xml
        Filesize

        1KB

        MD5

        a34897a7e0a00c1dcbeac116606af248

        SHA1

        3a941c98a33853976d8b6697e8a33cc9bed56e78

        SHA256

        cd527546a9c50c9081cc30dee45db0a496242363cd4212bce5930e4318327f29

        SHA512

        364ce0e2525f915c4ca4fe9cacf6dcd3160da814370db54bfd9756cc750b6295f19d72d0f15f658bc0b211b1bce5e4b2664d13990cea1ad51535d4bc9366310a

        Download Submit
      • C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
        Filesize

        967KB

        MD5

        b63bb68654e7be72058398809d6c4754

        SHA1

        4a7b43488029a2d4c960c9ee4431b99c8640a4b0

        SHA256

        8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

        SHA512

        c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

        Download Submit
      • C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
        Filesize

        967KB

        MD5

        b63bb68654e7be72058398809d6c4754

        SHA1

        4a7b43488029a2d4c960c9ee4431b99c8640a4b0

        SHA256

        8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

        SHA512

        c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

        Download Submit
      • C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
        Filesize

        967KB

        MD5

        b63bb68654e7be72058398809d6c4754

        SHA1

        4a7b43488029a2d4c960c9ee4431b99c8640a4b0

        SHA256

        8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

        SHA512

        c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

        Download Submit
      • \Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
        Filesize

        967KB

        MD5

        b63bb68654e7be72058398809d6c4754

        SHA1

        4a7b43488029a2d4c960c9ee4431b99c8640a4b0

        SHA256

        8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

        SHA512

        c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

        Download Submit
      • \Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
        Filesize

        967KB

        MD5

        b63bb68654e7be72058398809d6c4754

        SHA1

        4a7b43488029a2d4c960c9ee4431b99c8640a4b0

        SHA256

        8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

        SHA512

        c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

        Download Submit
      • memory/288-55-0x0000000000000000-mapping.dmp
        Download
      • memory/360-54-0x0000000075771000-0x0000000075773000-memory.dmp
        Filesize

        8KB

        Download
      • memory/556-68-0x0000000000000000-mapping.dmp
        Download
      • memory/572-69-0x0000000000000000-mapping.dmp
        Download
      • memory/608-67-0x0000000000000000-mapping.dmp
        Download
      • memory/956-57-0x0000000000000000-mapping.dmp
        Download
      • memory/1244-60-0x0000000000000000-mapping.dmp
        Download
      • memory/1688-64-0x0000000000000000-mapping.dmp
        Download