plaguebot | cf22a70193e3293853f80838e68f8659ce709a97cd78e0c814b688a0dcc1870d

Analysis

max time kernel
152s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dab82d0b9cec45c1a9ccbc20ff7f3de.exe
Size

967KB
MD5

5dab82d0b9cec45c1a9ccbc20ff7f3de
SHA1

ab04f3d4772a50d43aaecd3d232f762c6dac6812
SHA256

cf22a70193e3293853f80838e68f8659ce709a97cd78e0c814b688a0dcc1870d
SHA512

c4db6b623058c2bdc008e24510f76774a4cde2985e2dd5c31e16059be767c6f05cc70109f67422a58aaa5f00042b8ae7d454d899a702c6e4b026869945dbac6b
SSDEEP

24576:RNxsglIPAtgV+rnEQBg2AdqgwGd9OCPltP0gxkR3dCqJO5VxQ75Sj1:Z7uKrnEQi2Ad/wQPLP0gx1qt5Sj1

Score

10^/10

plaguebot botnet persistence

Malware Config

Signatures

PlagueBot
PlagueBot is an open source Bot written in Pascal.
botnet plaguebot

PlagueBot Executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0036000000016cd7-4.dat	plaguebot

Executes dropped EXE 1 IoCs

pid	Process
2672	winmgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2804	5dab82d0b9cec45c1a9ccbc20ff7f3de.exe
2804	5dab82d0b9cec45c1a9ccbc20ff7f3de.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinManager = "C:\\Users\\Admin\\Documents\\neekeriii\\winmgr.exe"	5dab82d0b9cec45c1a9ccbc20ff7f3de.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2672	2804	5dab82d0b9cec45c1a9ccbc20ff7f3de.exe	28
PID 2804 wrote to memory of 2672	2804	5dab82d0b9cec45c1a9ccbc20ff7f3de.exe	28
PID 2804 wrote to memory of 2672	2804	5dab82d0b9cec45c1a9ccbc20ff7f3de.exe	28
PID 2804 wrote to memory of 2672	2804	5dab82d0b9cec45c1a9ccbc20ff7f3de.exe	28

C:\Users\Admin\AppData\Local\Temp\5dab82d0b9cec45c1a9ccbc20ff7f3de.exe
"C:\Users\Admin\AppData\Local\Temp\5dab82d0b9cec45c1a9ccbc20ff7f3de.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\Documents\neekeriii\winmgr.exe
  "C:\Users\Admin\Documents\neekeriii\winmgr.exe" /wait
  2⤵
  - Executes dropped EXE
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\neekeriii\winmgr.exe

Filesize
967KB

MD5
5562214a9410bb1291edeeef54f73c47

SHA1
3147bb4a7a45e27f6dbfa52292c63ef11971d700

SHA256
2a06021e864bb8311926d27b7c66425003efa77068e37cde9773dc10684aeaca

SHA512
663e208a00a54515aa701591d89f6ec522da89f27e745ea67518e11e9665d965046de7cf559ae3f0d077a470bd6f10b131ac05ef16c988f9832c6a59feca1504

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads