Overview

overview

10

Static

static

3

f391d08d54...57.exe

windows7-x64

10

f391d08d54...57.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/07/2023, 02:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f391d08d54d780a6bd967810caf3d649d1dd538db9232ebd3c4a20ea74476b57.exe

  • Size

    176KB

  • MD5

    d9eddda7d5612d8d06f776ad3a7b02d8

  • SHA1

    6668d5182ead5ae508ad9b88315ad5c05ead300f

  • SHA256

    f391d08d54d780a6bd967810caf3d649d1dd538db9232ebd3c4a20ea74476b57

  • SHA512

    01f35c458b8a5c6e3fbc81650877a328142875eac9200404c426c2e7419b2e5cae0ad70591e3ee615902cba9587aac7c7aebeb4d6edbd258c0f631ff525f7e07

  • SSDEEP

    3072:kf5xz1afMRJnVIQJWafmU+qMoDfHHZOSHq8VNb/wddl1Udze1Wigr+:6hrRJnVPfj1MUfZhHq++nUdze4igi

Score
10/10
mylobotbotnetpersistence

Malware Config

Extracted

Family

mylobot

C2

fywkuzp.ru:7432

zdrussle.ru:2173

pseyumd.ru:5492

stydodo.ru:2619

tqzknrx.com:1123

mdcqrxw.com:4984

tpwtgyw.com:9631

cnoyucn.com:9426

qhloury.com:4759

fnjxpwy.com:3863

csxpzlz.com:5778

wlkjopy.com:8778

mynfwwk.com:8427

uuitwxg.com:6656

agnxomu.com:8881

wcagsib.com:3547

fmniltb.com:9582

oapwxiu.com:3922

petrrry.com:7531

poubauo.com:4623

Signatures

  • Mylobot

    Botnet which first appeared in 2017 written in C++.

    botnetmylobot
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 41 IoCs
  • Suspicious use of SendNotifyMessage 41 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f391d08d54d780a6bd967810caf3d649d1dd538db9232ebd3c4a20ea74476b57.exe
    "C:\Users\Admin\AppData\Local\Temp\f391d08d54d780a6bd967810caf3d649d1dd538db9232ebd3c4a20ea74476b57.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Users\Admin\AppData\Local\Temp\f391d08d54d780a6bd967810caf3d649d1dd538db9232ebd3c4a20ea74476b57.exe
      "C:\Users\Admin\AppData\Local\Temp\f391d08d54d780a6bd967810caf3d649d1dd538db9232ebd3c4a20ea74476b57.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4132
      • C:\Users\Admin\AppData\Roaming\gcvbcvrc\vvivravi.exe
        "C:\Users\Admin\AppData\Roaming\gcvbcvrc\vvivravi.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:692
        • C:\Users\Admin\AppData\Roaming\gcvbcvrc\vvivravi.exe
          "C:\Users\Admin\AppData\Roaming\gcvbcvrc\vvivravi.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1120
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            5⤵
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4872
            • C:\Windows\SysWOW64\notepad.exe
              "C:\Windows\system32\notepad.exe"
              6⤵
                PID:3680
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1284

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\gcvbcvrc\vvivravi.exe
      Filesize

      176KB

      MD5

      d9eddda7d5612d8d06f776ad3a7b02d8

      SHA1

      6668d5182ead5ae508ad9b88315ad5c05ead300f

      SHA256

      f391d08d54d780a6bd967810caf3d649d1dd538db9232ebd3c4a20ea74476b57

      SHA512

      01f35c458b8a5c6e3fbc81650877a328142875eac9200404c426c2e7419b2e5cae0ad70591e3ee615902cba9587aac7c7aebeb4d6edbd258c0f631ff525f7e07

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gcvbcvrc\vvivravi.exe
      Filesize

      176KB

      MD5

      d9eddda7d5612d8d06f776ad3a7b02d8

      SHA1

      6668d5182ead5ae508ad9b88315ad5c05ead300f

      SHA256

      f391d08d54d780a6bd967810caf3d649d1dd538db9232ebd3c4a20ea74476b57

      SHA512

      01f35c458b8a5c6e3fbc81650877a328142875eac9200404c426c2e7419b2e5cae0ad70591e3ee615902cba9587aac7c7aebeb4d6edbd258c0f631ff525f7e07

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gcvbcvrc\vvivravi.exe
      Filesize

      176KB

      MD5

      d9eddda7d5612d8d06f776ad3a7b02d8

      SHA1

      6668d5182ead5ae508ad9b88315ad5c05ead300f

      SHA256

      f391d08d54d780a6bd967810caf3d649d1dd538db9232ebd3c4a20ea74476b57

      SHA512

      01f35c458b8a5c6e3fbc81650877a328142875eac9200404c426c2e7419b2e5cae0ad70591e3ee615902cba9587aac7c7aebeb4d6edbd258c0f631ff525f7e07

      Download Submit

    • memory/1120-151-0x0000000000570000-0x0000000000586000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1284-192-0x000002B22F860000-0x000002B22F861000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1284-194-0x000002B22F860000-0x000002B22F861000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1284-186-0x000002B22F860000-0x000002B22F861000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1284-187-0x000002B22F860000-0x000002B22F861000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1284-188-0x000002B22F860000-0x000002B22F861000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1284-197-0x000002B22F860000-0x000002B22F861000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1284-193-0x000002B22F860000-0x000002B22F861000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1284-196-0x000002B22F860000-0x000002B22F861000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1284-195-0x000002B22F860000-0x000002B22F861000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1900-133-0x0000000000030000-0x0000000000031000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3680-178-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3680-184-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3680-182-0x00000000012E0000-0x00000000012E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4132-142-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4132-134-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4132-136-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4132-144-0x00000000005C0000-0x00000000005D6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4872-149-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4872-174-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4872-172-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4872-169-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4872-166-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4872-165-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4872-163-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4872-160-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4872-159-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4872-155-0x0000000001570000-0x0000000001571000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4872-153-0x0000000001550000-0x0000000001565000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4872-152-0x0000000001550000-0x0000000001565000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4872-150-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

      Filesize

      4KB

      Download