plaguebot | 81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-10-2022 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe
Size

967KB
MD5

b03ccade490854df220914c4430967e2
SHA1

1911a59e8c4b427d3fbc8fc9c794886bd2d81305
SHA256

81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961
SHA512

0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36
SSDEEP

24576:xNxsglIPAtgV+rnEQBg2AdqgwGd9OCPltP0gxkR3dCqJO5VxQ75Sf1:57uKrnEQi2Ad/wQPLP0gx1qt5Sf1

Score

10^/10

plaguebot botnet

Malware Config

Signatures

PlagueBot
PlagueBot is an open source Bot written in Pascal.
botnet plaguebot

PlagueBot Executable 5 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012744-58.dat	plaguebot
behavioral1/files/0x0009000000012744-59.dat	plaguebot
behavioral1/files/0x0009000000012744-61.dat	plaguebot
behavioral1/files/0x0009000000012744-63.dat	plaguebot
behavioral1/files/0x0009000000012744-65.dat	plaguebot

Executes dropped EXE 2 IoCs

pid	Process
1244	winmgr.exe
1688	winmgr.exe

Loads dropped DLL 2 IoCs

pid	Process
360	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe
360	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
288	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
572	timeout.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 288	360	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	27
PID 360 wrote to memory of 288	360	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	27
PID 360 wrote to memory of 288	360	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	27
PID 360 wrote to memory of 288	360	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	27
PID 360 wrote to memory of 956	360	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	29
PID 360 wrote to memory of 956	360	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	29
PID 360 wrote to memory of 956	360	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	29
PID 360 wrote to memory of 956	360	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	29
PID 360 wrote to memory of 1244	360	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	31
PID 360 wrote to memory of 1244	360	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	31
PID 360 wrote to memory of 1244	360	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	31
PID 360 wrote to memory of 1244	360	146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe	31
PID 324 wrote to memory of 1688	324	taskeng.exe	34
PID 324 wrote to memory of 1688	324	taskeng.exe	34
PID 324 wrote to memory of 1688	324	taskeng.exe	34
PID 324 wrote to memory of 1688	324	taskeng.exe	34
PID 1244 wrote to memory of 608	1244	winmgr.exe	35
PID 1244 wrote to memory of 608	1244	winmgr.exe	35
PID 1244 wrote to memory of 608	1244	winmgr.exe	35
PID 1244 wrote to memory of 608	1244	winmgr.exe	35
PID 1244 wrote to memory of 556	1244	winmgr.exe	37
PID 1244 wrote to memory of 556	1244	winmgr.exe	37
PID 1244 wrote to memory of 556	1244	winmgr.exe	37
PID 1244 wrote to memory of 556	1244	winmgr.exe	37
PID 556 wrote to memory of 572	556	cmd.exe	39
PID 556 wrote to memory of 572	556	cmd.exe	39
PID 556 wrote to memory of 572	556	cmd.exe	39
PID 556 wrote to memory of 572	556	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe
"C:\Users\Admin\AppData\Local\Temp\146.70.143.176_-_MAL_-_Server.exe___b03ccade490854df220914c4430967e2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:360
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"
  2⤵
  - Creates scheduled task(s)
  PID:288
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Query /FO "LIST" /TN "WinManager"
  2⤵
  PID:956
- C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
  "C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe" /wait
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /F /TN "WinManager"
    3⤵
    PID:608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C timeout 5 & del /F /Q "C:\Users\Admin\AppData\Roaming\discordnitro\*.*" & rmdir "C:\Users\Admin\AppData\Roaming\discordnitro"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:572

C:\Windows\system32\taskeng.exe
taskeng.exe {793D357F-EAC1-4A68-B8E6-A153F6A8200D} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:324
- C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
  C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
  2⤵
  - Executes dropped EXE
  PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NewTask.xml

Filesize
1KB

MD5
a34897a7e0a00c1dcbeac116606af248

SHA1
3a941c98a33853976d8b6697e8a33cc9bed56e78

SHA256
cd527546a9c50c9081cc30dee45db0a496242363cd4212bce5930e4318327f29

SHA512
364ce0e2525f915c4ca4fe9cacf6dcd3160da814370db54bfd9756cc750b6295f19d72d0f15f658bc0b211b1bce5e4b2664d13990cea1ad51535d4bc9366310a

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe

Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe

Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe

Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe

Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe

Filesize
967KB

MD5
b63bb68654e7be72058398809d6c4754

SHA1
4a7b43488029a2d4c960c9ee4431b99c8640a4b0

SHA256
8db43542d501e7d65d0f1db96785d875bc7da5a51a76ae943fcd3222b66412fe

SHA512
c67280896aa63894933a6058d17a2eb9cea484f5293c095704baaf9f177d9e2779951d803548294584070eb95a3428b52eec9fd5fc1a7da74a6305e7c496e48a

Download Submit
memory/360-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads