Overview

overview

10

Static

static

3

0e76fbd334...67.exe

windows7-x64

10

0e76fbd334...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2023 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e76fbd3344db02ec2de3787c6accb67.exe

  • Size

    341KB

  • MD5

    0e76fbd3344db02ec2de3787c6accb67

  • SHA1

    6740e1ff173a6d2a4e5062c5d7f31dfedf909f3d

  • SHA256

    dac037743fa405688c72c44bd2957b2d0083349b4fb1657ecafeeec89f5202ff

  • SHA512

    5fb6da7c498f954ee77e03f80eb9f6a8a436cc28816ec8f52664671cd95416c7c5dd19f994efa2facbbaea7569e2a3556fdd51de3aaa445671dd6b8041274638

  • SSDEEP

    6144:CgNTmz5KhGX5nAON1F8RqZp5EpmrP7CbKQNMd3P:CgqKhGpnJqipypmrPZUK

Score
10/10
mylobotbotnetpersistence

Malware Config

Extracted

Family

mylobot

C2

op17.ru:6006

eakalra.ru:1281

zgclgdb.ru:8518

hpifnad.ru:3721

lbjcwix.ru:8326

rykacfb.ru:8483

benkofx.ru:3333

fpzskbc.ru:9364

ouxtjzd.ru:8658

schwpxp.ru:2956

pspkgya.ru:2675

lmlwtdm.ru:2768

rzwnsph.ru:5898

awtiwzk.ru:9816

pzljenb.ru:3486

yhjtpyf.ru:3565

ogkbsoq.ru:2553

rjngcbj.ru:5655

jlfeopz.ru:4698

wqcruiz.ru:2165

Signatures

  • Mylobot

    Botnet which first appeared in 2017 written in C++.

    botnetmylobot
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e76fbd3344db02ec2de3787c6accb67.exe
    "C:\Users\Admin\AppData\Local\Temp\0e76fbd3344db02ec2de3787c6accb67.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Users\Admin\AppData\Local\Temp\0e76fbd3344db02ec2de3787c6accb67.exe
      "C:\Users\Admin\AppData\Local\Temp\0e76fbd3344db02ec2de3787c6accb67.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2780
    • C:\Users\Admin\AppData\Local\Temp\0e76fbd3344db02ec2de3787c6accb67.exe
      "C:\Users\Admin\AppData\Local\Temp\0e76fbd3344db02ec2de3787c6accb67.exe"
      2⤵
        PID:2984
      • C:\Users\Admin\AppData\Local\Temp\0e76fbd3344db02ec2de3787c6accb67.exe
        "C:\Users\Admin\AppData\Local\Temp\0e76fbd3344db02ec2de3787c6accb67.exe"
        2⤵
          PID:2848

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\{252C55D0-9114-B3E2-897A-0C466FACDF42}\8893854f.exe
        Filesize

        341KB

        MD5

        0e76fbd3344db02ec2de3787c6accb67

        SHA1

        6740e1ff173a6d2a4e5062c5d7f31dfedf909f3d

        SHA256

        dac037743fa405688c72c44bd2957b2d0083349b4fb1657ecafeeec89f5202ff

        SHA512

        5fb6da7c498f954ee77e03f80eb9f6a8a436cc28816ec8f52664671cd95416c7c5dd19f994efa2facbbaea7569e2a3556fdd51de3aaa445671dd6b8041274638

        Download Submit

      • memory/2552-38-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2552-37-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2552-11-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2552-16-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2552-22-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2552-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2552-34-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2552-46-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2552-1-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2552-4-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2780-44-0x0000000000120000-0x000000000014B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2780-42-0x0000000000120000-0x000000000014B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2780-43-0x0000000000120000-0x000000000014B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2780-40-0x0000000000120000-0x000000000014B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2780-45-0x0000000000120000-0x000000000014B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2780-55-0x0000000000120000-0x000000000014B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/2780-39-0x00000000000C0000-0x0000000000116000-memory.dmp

        Filesize

        344KB

        Download

      • memory/2952-48-0x00000000003F0000-0x00000000003F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2952-0-0x00000000002F0000-0x00000000002F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2984-54-0x00000000001B0000-0x00000000001B1000-memory.dmp

        Filesize

        4KB

        Download