Analysis
- max time kernel: 151s
- max time network: 140s
- platform: windows7_x64
- resource: win7
- submitted: 02-07-2020 16:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: tfR5r4pw.dll
- Resource: win7
General
- Target: tfR5r4pw.dll
- Size: 634KB
- MD5: 004d3ff1fe0ec1d0a90913f1238f293f
- SHA1: fe3a1f35f5c21ce72a1ef05cbf2824a51827a5f2
- SHA256: 3dd800b875aa0ef2fa0923babdd4b162555a1c3ff3c58e9291d45fff82389816
- SHA512: d8ad97df2d05d9ab88ed3e96e2e7c24efb57ec090737943f52548b1c39e2de9eaf270e20baa0728a31ffdc8745444abf18c07dbca4cce3f3a553c0709d8693ea
Malware Config
Extracted
- Family: zloader
- nut
- 02/07
- C2 URLs:
  - https://tedxminna.com/wp-parsing.php
  - https://roeslidegeralic.gq/wp-parsing.php
  - https://tccgroup.com.tw/wp-parsing.php
  - https://marufait.com/wp-parsing.php
  - https://blackandprecious.com/wp-parsing.php
  - https://resources.digilentinc.com/wp-parsing.php
  - https://phywebtmoonsthevil.gq/wp-parsing.php
  - https://ews.asia/wp-parsing.php
  - https://ews1.icu/wp-parsing.php
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1552 created 1228 | 1552 | rundll32.exe | Explorer.EXE
- Blacklisted process makes network request (64 IoCs)
  Processes:
  flow | pid | process
  6-26, 28-30, 32-71 (64 flows) | 1884 | msiexec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies service (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | ipconfig.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | ipconfig.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1552 set thread context of 1884 | 1552 | rundll32.exe | msiexec.exe
- Discovers systems in the same network (1 TTPs, 2 IoCs)
- Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  Processes:
  pid | process
  2004 | ipconfig.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  1552 | rundll32.exe
  1884 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1552 | rundll32.exe
  Token: SeSecurityPrivilege | 1884 | msiexec.exe
  Token: SeSecurityPrivilege | 1884 | msiexec.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes (identical entries collapsed; the last column gives how many times each appears in the report):
  description | pid | process | target process | count
  PID 1492 wrote to memory of 1552 | 1492 | rundll32.exe | rundll32.exe | 7
  PID 1552 wrote to memory of 1884 | 1552 | rundll32.exe | msiexec.exe | 9
  PID 1884 wrote to memory of 2040 | 1884 | msiexec.exe | cmd.exe | 4
  PID 2040 wrote to memory of 2004 | 2040 | cmd.exe | ipconfig.exe | 4
  PID 1884 wrote to memory of 1220 | 1884 | msiexec.exe | cmd.exe | 4
  PID 1220 wrote to memory of 884 | 1220 | cmd.exe | net.exe | 4
  PID 884 wrote to memory of 1264 | 884 | net.exe | net1.exe | 4
  PID 1884 wrote to memory of 1020 | 1884 | msiexec.exe | cmd.exe | 4
  PID 1020 wrote to memory of 760 | 1020 | cmd.exe | net.exe | 4
  PID 1884 wrote to memory of 1408 | 1884 | msiexec.exe | cmd.exe | 4
  PID 1408 wrote to memory of 1392 | 1408 | cmd.exe | net.exe | 4
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\tfR5r4pw.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\tfR5r4pw.dll,#1
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe
    command line: msiexec.exe
    - Blacklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c ipconfig /all
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ipconfig.exe
        command line: ipconfig /all
        - Modifies service
        - Gathers network information
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c net config workstation
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        command line: net config workstation
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 config workstation
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c net view /all
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        command line: net view /all
        - Discovers systems in the same network
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c net view /all /domain
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        command line: net view /all /domain
        - Discovers systems in the same network
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/760-11-0x0000000000000000-mapping.dmp
- memory/884-8-0x0000000000000000-mapping.dmp
- memory/1020-10-0x0000000000000000-mapping.dmp
- memory/1220-7-0x0000000000000000-mapping.dmp
- memory/1264-9-0x0000000000000000-mapping.dmp
- memory/1392-13-0x0000000000000000-mapping.dmp
- memory/1408-12-0x0000000000000000-mapping.dmp
- memory/1552-0-0x0000000000000000-mapping.dmp
- memory/1884-3-0x00000000000D0000-0x00000000000FC000-memory.dmp (Filesize: 176KB)
- memory/1884-4-0x0000000000000000-mapping.dmp
- memory/1884-2-0x0000000000100000-0x0000000000101000-memory.dmp (Filesize: 4KB)
- memory/1884-1-0x00000000000D0000-0x00000000000FC000-memory.dmp (Filesize: 176KB)
- memory/2004-6-0x0000000000000000-mapping.dmp
- memory/2040-5-0x0000000000000000-mapping.dmp