Analysis
max time kernel: 115s
max time network: 114s
platform: windows7_x64
resource: win7
submitted: 16-10-2020 13:48
Static task: static1
Behavioral task: behavioral1 (Sample: YCRkFXS.dll, Resource: win7)
Behavioral task: behavioral2 (Sample: YCRkFXS.dll, Resource: win10)
General
Target: YCRkFXS.dll
Size: 764KB
MD5: 1d36338becdf76e5245665e2833d8a38
SHA1: 1c2c449a06873070a3e154069c8a71de3d6e908d
SHA256: 15737d37308fb5a8745afb8c34249e387bad9b1d001f2fcaa44b8c0333286861
SHA512: 391dfaab6326b9066d2be333eff53aab2c74a006fae5be93961d0bf1766d8ffb09c950093bbdcb7276047f574ba544f44c5f0835c0a0f3e764f02455fb375176
Malware Config
Extracted
Family: zloader
Botnet: divader
Campaign: poll
C2:
https://fqnceas.su/gate.php
https://fqlocpeas.ru/gate.php
https://dksaiijn.ru/gate.php
https://dksafjasnf.su/gate.php
https://fjsafasfsa.ru/gate.php
https://fjskoijafsa.ru/gate.php
https://kochamkkkras.ru/gate.php
https://uookqihwdid.ru/gate.php
https://iqowijsdakm.ru/gate.php
https://wiewjdmkfjn.ru/gate.php
Signatures

Blacklisted process makes network request (2 IoCs)
flow | pid  | process
6    | 1640 | msiexec.exe
7    | 1640 | msiexec.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description     | ioc | process
Key created     | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hisyimta = "regsvr32.exe /s C:\Users\Admin\AppData\Roaming\Oqsau\hoexbiin.dll" | msiexec.exe

Suspicious use of SetThreadContext (1 IoC)
pid  | process      | target pid | target process
1616 | rundll32.exe | 1640       | msiexec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                | pid  | process
Token: SeSecurityPrivilege | 1640 | msiexec.exe
Token: SeSecurityPrivilege | 1640 | msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
pid  | process      | target pid | target process | events
1012 | rundll32.exe | 1616       | rundll32.exe   | 7
1616 | rundll32.exe | 1640       | msiexec.exe    | 9
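The two behaviours in the tables above that a detection engineer would want to encode are the Run key that re-launches the payload through regsvr32 from a user-writable directory, and the rundll32.exe that writes into msiexec.exe and then replaces a thread context in it. The following is an added Python example, not part of the sandbox report, that runs those two rules over constructed events modelled on the report's IoC tables; the event field names (type, pid, process, target_pid, key, value) are an assumed schema for illustration, not a real EDR or sandbox export format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events, shaped after the signature tables in the report
# above. They are built inline so the script runs offline; nothing here is
# read from a real sandbox or EDR feed, and the field names are an assumption.
SID = "S-1-5-21-1131729243-447456001-3632642222-1000"
RUN_KEY = r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run" % SID

EVENTS: List[Dict] = [
    {"type": "registry_set", "pid": 1640, "process": "msiexec.exe",
     "key": RUN_KEY + r"\Hisyimta",
     "value": r"regsvr32.exe /s C:\Users\Admin\AppData\Roaming\Oqsau\hoexbiin.dll"},
    {"type": "set_thread_context", "pid": 1616, "process": "rundll32.exe",
     "target_pid": 1640, "target_process": "msiexec.exe"},
    {"type": "write_process_memory", "pid": 1012, "process": "rundll32.exe",
     "target_pid": 1616, "target_process": "rundll32.exe"},
    {"type": "write_process_memory", "pid": 1616, "process": "rundll32.exe",
     "target_pid": 1640, "target_process": "msiexec.exe"},
    # Benign control: a vendor installer registering an updater from Program Files.
    {"type": "registry_set", "pid": 2000, "process": "setup.exe",
     "key": RUN_KEY + r"\VendorUpdater",
     "value": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

# Living-off-the-land loaders that take a DLL path on the command line.
LOLBIN_RE = re.compile(r"\b(regsvr32|rundll32)(\.exe)?\b", re.IGNORECASE)
# User-writable locations a dropped payload is typically persisted from.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def check_run_key_loader(ev: Dict) -> Optional[Dict]:
    """Flag a Run/RunOnce value that uses regsvr32/rundll32 to load a DLL from a user-writable path."""
    if ev["type"] != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
        return None
    value = ev["value"]
    if LOLBIN_RE.search(value) and USER_WRITABLE_RE.search(value):
        return {"rule": "run_key_lolbin_loader", "pid": ev["pid"],
                "process": ev["process"], "detail": value}
    return None


def check_hollowing(events: List[Dict]) -> List[Dict]:
    """Pair SetThreadContext with an earlier WriteProcessMemory from the same source into the same target.

    Writing into another process and then replacing one of its thread contexts
    is the process-hollowing sequence. Requiring both calls from the same source
    into the same target, plus a target image that differs from the source,
    keeps an ordinary parent writing start-up data into a child of the same
    binary (the 64-bit rundll32 launching its SysWOW64 copy in the report)
    out of the results.
    """
    writers = {(e["pid"], e["target_pid"]) for e in events
               if e["type"] == "write_process_memory"}
    findings = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        same_pair = (e["pid"], e["target_pid"]) in writers
        different_image = e["process"].lower() != e["target_process"].lower()
        if same_pair and different_image:
            findings.append({"rule": "hollowing_pattern", "pid": e["pid"],
                             "process": e["process"], "target_pid": e["target_pid"],
                             "target_process": e["target_process"],
                             "detail": "WriteProcessMemory followed by SetThreadContext into a different image"})
    return findings


def analyze(events: List[Dict]) -> List[Dict]:
    """Run every rule over the event list and return the combined findings."""
    findings = [f for f in (check_run_key_loader(e) for e in events) if f]
    findings.extend(check_hollowing(events))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

On the constructed events the script raises exactly two findings: the Hisyimta Run value written by PID 1640, and the 1616 to 1640 rundll32.exe to msiexec.exe injection. The benign updater entry and the 1012 to 1616 parent-to-child write are not reported.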
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\YCRkFXS.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\YCRkFXS.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe
      command line: msiexec.exe
      - Blacklisted process makes network request
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

The 64-bit rundll32.exe re-launches its SysWOW64 copy because the sample is a 32-bit DLL; the 32-bit rundll32.exe then writes into a freshly started msiexec.exe and replaces its thread context (the process-hollowing pattern), and it is the injected msiexec.exe, not the loader, that contacts the C2 and writes the Run key.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1616-0-0x0000000000000000-mapping.dmp
memory/1640-1-0x00000000000F0000-0x0000000000119000-memory.dmp (164KB)
memory/1640-2-0x0000000000090000-0x0000000000091000-memory.dmp (4KB)
memory/1640-3-0x00000000000F0000-0x0000000000119000-memory.dmp (164KB)
memory/1640-4-0x0000000000000000-mapping.dmp
memory/1860-5-0x000007FEF7C50000-0x000007FEF7ECA000-memory.dmp (2.5MB)