Analysis
- max time kernel: 131s
- max time network: 70s
- platform: windows10_x64
- resource: win10v200430
- submitted: 02-07-2020 20:18
Static task: static1
Behavioral task: behavioral1 (Sample: hallway.dll, Resource: win7)
Behavioral task: behavioral2 (Sample: hallway.dll, Resource: win10v200430)
General
- Target: hallway.dll
- Size: 275KB
- MD5: 847ea7a7e9c3c6da5c3602a79bf7fb0b
- SHA1: 67537586d23f59a1fae91f90da6026d2920945d7
- SHA256: 5b831fb067dfb53992bb8a346e4fc038de6441a94ad5a3932dc8bd64f80e56fc
- SHA512: b5f5bad180b478dcda2cd870de0499f0c9891157dd6ad8c2120e422856215138a0ce0b0e8eda065a6852992a8675c0af3f856584b32b946cf020f69e4b537480
Malware Config
Extracted
- Family: zloader
- Botnet: main
- Campaign: 2020-07-01
- C2 URLs:
  - https://findulz.com/web/data
  - https://fredoam.com/web/data
  - https://cheneer.org/web/data
  - https://esplody.org/web/data
  - https://orderrys.com/web/data
  - https://paiancil.com/web/data
  - https://procinul.com/web/data
  - https://cupersip.com/web/data
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  - description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Leihda = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Ilac\\ceiqyh.dll"; process: msiexec.exe
  - description: Key created; ioc: \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run; process: msiexec.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: rundll32.exe
  - description: PID 1068 set thread context of 2504; pid: 1068; process: rundll32.exe; target process: msiexec.exe
- Drops file in Windows directory (1 IoCs)
  Processes: rundll32.exe
  - description: File opened for modification; ioc: C:\Windows\win.ini; process: rundll32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  - description: Token: SeSecurityPrivilege; pid: 2504; process: msiexec.exe
  - description: Token: SeSecurityPrivilege; pid: 2504; process: msiexec.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: rundll32.exe
  - pid: 1068; process: rundll32.exe
- Suspicious use of SendNotifyMessage (1 IoCs)
  Processes: rundll32.exe
  - pid: 1068; process: rundll32.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: rundll32.exe, rundll32.exe
  - description: PID 4060 wrote to memory of 1068; pid: 4060; process: rundll32.exe; target process: rundll32.exe
  - description: PID 4060 wrote to memory of 1068; pid: 4060; process: rundll32.exe; target process: rundll32.exe
  - description: PID 4060 wrote to memory of 1068; pid: 4060; process: rundll32.exe; target process: rundll32.exe
  - description: PID 1068 wrote to memory of 2504; pid: 1068; process: rundll32.exe; target process: msiexec.exe
  - description: PID 1068 wrote to memory of 2504; pid: 1068; process: rundll32.exe; target process: msiexec.exe
  - description: PID 1068 wrote to memory of 2504; pid: 1068; process: rundll32.exe; target process: msiexec.exe
  - description: PID 1068 wrote to memory of 2504; pid: 1068; process: rundll32.exe; target process: msiexec.exe
  - description: PID 1068 wrote to memory of 2504; pid: 1068; process: rundll32.exe; target process: msiexec.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\hallway.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\hallway.dll,#1
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (depth 3)
      Command line: msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken