Overview

overview

10

Static

static

3

c4bd87c328...3e.exe

windows7-x64

10

c4bd87c328...3e.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    13-03-2024 02:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c4bd87c3284cab7b4a4d4039af0f933e.exe

  • Size

    428KB

  • MD5

    c4bd87c3284cab7b4a4d4039af0f933e

  • SHA1

    f99fbf47be97d05942aaa7de443ee60d1fde7c30

  • SHA256

    55caca52abf37a49b12a02e66216185dce838bb0222921647148ee495c1d1c08

  • SHA512

    8d8ba14128507d03cf67c88b676763038bb631579ba981ba43e83e807c6250ea6ca3e5d1db30f2e4162515236b0f4940a08100b511a78ccced8506d11ae6accd

  • SSDEEP

    12288:B7tb3KcX80ljcF82LnZ84bd4zRrnKorz:dtmOjYZdbdilj

Score
10/10
latentbotevasionpersistencetrojan

Malware Config

Extracted

Family

latentbot

C2

cheloulenoir.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Modifies firewall policy service 2 TTPs 8 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4bd87c3284cab7b4a4d4039af0f933e.exe
    "C:\Users\Admin\AppData\Local\Temp\c4bd87c3284cab7b4a4d4039af0f933e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe
      "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Users\Admin\AppData\Roaming\WinSec.exe
        C:\Users\Admin\AppData\Roaming\WinSec.exe
        3⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2456
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2552
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2912
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2604
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2964
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\TIEGHZKC55.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\TIEGHZKC55.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\TIEGHZKC55.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\TIEGHZKC55.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Defense Evasion

Modify Registry

5
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe
    Filesize

    201KB

    MD5

    177b01b99483b011b36d02dea2308802

    SHA1

    9b93fa106372290608abbf2173a6633020a96a8a

    SHA256

    ac8f61ad831b864fc4d640b91a2d34ada2bbd427ef1b194d492c842aac5be436

    SHA512

    974baaa2b02acffaf830d486ae17e5bbc1cf0d90b366274121fc5b0584fd4a69ede6fe48b0e266060a2989fd3e166a75da8166975f23648df4725acba3f873b0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe
    Filesize

    276KB

    MD5

    441d047bd699525d4e3268e25e16e1b8

    SHA1

    65d9070ef5ba0f8dea0face8f3a2c8525111d63e

    SHA256

    cbbf088b87bb798c35e955281026571835656d25c75aa6a994b9fb89e6070bfe

    SHA512

    3717bcf2e929da78b8b1b62e78f81a7171c050ea0fa948f587a7a2ab02a32446d573c613f019df6206461aa7fdc6b4b6fc15a0ce9f58a5438e0b319ed46d7a28

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe
    Filesize

    246KB

    MD5

    f057bb208b4b9579cb95057086f879c0

    SHA1

    7f12a87b2f68d8225b53b4b6f4a4aa8078ecb2ad

    SHA256

    55d08fcff3ab06454977eee3ccb99289e6997c1a36dda655dad28746d6028d3c

    SHA512

    cd48f9c4c027796cd94eaa0569a9e370c05b8f830ae6f054b09ee4349d49d53c4d8c79eeded589ff1d3b9aefde0c93d245d62e66a5bd573bf39bd8ac2036e0ce

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinSec.exe
    Filesize

    31KB

    MD5

    ed797d8dc2c92401985d162e42ffa450

    SHA1

    0f02fc517c7facc4baefde4fe9467fb6488ebabe

    SHA256

    b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

    SHA512

    e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

    Download Submit
  • \Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe
    Filesize

    241KB

    MD5

    5016b56e31f32d5835649a98f0254e50

    SHA1

    b6960442a922b75c95d5d4b3260ca59b5d19c314

    SHA256

    728a9da9f1f3c4f61fd3be137e4bbd87975c18d49fa36f61b8e5b091ff3c5a7c

    SHA512

    6d4fde0271f37858057e4bc7536dc6166cd0ab3842ddf23734a7ce2b56e8fcb30cae45d3d72697398771a07481d0bbdbae620bfa347cda822ad671cf7cd8f182

    Download Submit
  • memory/1760-15-0x0000000074C50000-0x00000000751FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1760-18-0x0000000000260000-0x00000000002A0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1760-19-0x0000000074C50000-0x00000000751FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1760-39-0x0000000074C50000-0x00000000751FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2060-0-0x0000000074C50000-0x00000000751FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2060-14-0x0000000074C50000-0x00000000751FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2060-2-0x0000000074C50000-0x00000000751FB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2060-1-0x0000000000CA0000-0x0000000000CE0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2644-27-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2644-48-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2644-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2644-23-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2644-33-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2644-25-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2644-45-0x0000000077BA1000-0x0000000077BA2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2644-46-0x0000000075AB0000-0x0000000075B50000-memory.dmp
    Filesize

    640KB

    Download
  • memory/2644-44-0x0000000075790000-0x00000000758A0000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2644-47-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2644-49-0x0000000075790000-0x00000000758A0000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2644-30-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2644-51-0x0000000075AB0000-0x0000000075B50000-memory.dmp
    Filesize

    640KB

    Download
  • memory/2644-54-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2644-55-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2644-57-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2644-58-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2644-59-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2644-63-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2644-66-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2644-67-0x0000000000400000-0x0000000000470000-memory.dmp
    Filesize

    448KB

    Download