Resubmissions
15-10-2020 13:31
201015-fye6cmvw2x 1015-10-2020 10:36
201015-lpwpgvvlrx 1007-10-2020 13:09
201007-gb8s3rc2dn 107-10-2020 04:33
201007-bq47zyvhf2 1Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7 -
submitted
15-10-2020 10:36
Static task
static1
Behavioral task
behavioral1
Sample
adfde0367ba639980632da58a5444005.dll
Resource
win7
General
-
Target
adfde0367ba639980632da58a5444005.dll
-
Size
429KB
-
MD5
adfde0367ba639980632da58a5444005
-
SHA1
451dd7d059eb7fd22bb7bb46e64de0a1436e6dc3
-
SHA256
191bbf8eafbe5dfcf56bb139f36d44724bdb9fd1e708cd29dfd2d7b2b916f9f2
-
SHA512
1726d83df12cbd9c2a07322925253053720a65d986b4acbb356240afbbed63589c163c7dacaf9a00242769d32943241af2edc6be7ea80e52ee2b041e1843508e
Malware Config
Extracted
zloader
divader
xls_spam_2909
https://fqnesas.ru/gate.php
https://fqnvsdaas.su/gate.php
https://fqnvtmqass.ru/gate.php
https://fqnvtcpheas.su/gate.php
https://fqnvtmophfeas.ru/gate.php
https://fqnceas.su/gate.php
https://fqlocpeas.ru/gate.php
https://dksaiijn.ru/gate.php
https://dksafjasnf.su/gate.php
https://fjsafasfsa.ru/gate.php
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ihedovat = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Ohibre\\wobede.dll" msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1068 set thread context of 1668 1068 rundll32.exe 29 -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeSecurityPrivilege 1668 msiexec.exe Token: SeSecurityPrivilege 1668 msiexec.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1012 wrote to memory of 1068 1012 rundll32.exe 24 PID 1012 wrote to memory of 1068 1012 rundll32.exe 24 PID 1012 wrote to memory of 1068 1012 rundll32.exe 24 PID 1012 wrote to memory of 1068 1012 rundll32.exe 24 PID 1012 wrote to memory of 1068 1012 rundll32.exe 24 PID 1012 wrote to memory of 1068 1012 rundll32.exe 24 PID 1012 wrote to memory of 1068 1012 rundll32.exe 24 PID 1068 wrote to memory of 1668 1068 rundll32.exe 29 PID 1068 wrote to memory of 1668 1068 rundll32.exe 29 PID 1068 wrote to memory of 1668 1068 rundll32.exe 29 PID 1068 wrote to memory of 1668 1068 rundll32.exe 29 PID 1068 wrote to memory of 1668 1068 rundll32.exe 29 PID 1068 wrote to memory of 1668 1068 rundll32.exe 29 PID 1068 wrote to memory of 1668 1068 rundll32.exe 29 PID 1068 wrote to memory of 1668 1068 rundll32.exe 29 PID 1068 wrote to memory of 1668 1068 rundll32.exe 29
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\adfde0367ba639980632da58a5444005.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\adfde0367ba639980632da58a5444005.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
-