Analysis
- max time kernel: 117s
- max time network: 116s
- platform: windows10_x64
- resource: win10
- submitted: 17-10-2020 10:33
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Generic.mg.7cf991f54426be08.24123.dll
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Generic.mg.7cf991f54426be08.24123.dll
- Resource: win10
General
- Target: SecuriteInfo.com.Generic.mg.7cf991f54426be08.24123.dll
- Size: 509KB
- MD5: 7cf991f54426be08663dc89930c34f8b
- SHA1: 810f64b99fb5df9ed99d6c702f4aecc52a3a7df6
- SHA256: 7888b57934a7de6293d3681f9758f80a2c41f657b36412fcecdb7cde13842b32
- SHA512: 713a49cc598bc7041f1c0cb1b8fd3a2debaf6bed140944fadf9a8d81e6b6db588d1518b9d3bbb3371962827485eebf40cc9a21e32a3add37c4a26cda20773c03
Malware Config (extracted)
- zloader
- divader
- poll
Signatures
- Blacklisted process makes network request (2 IoCs)
  Processes: msiexec.exe
    flow  pid   process
    15    1824  msiexec.exe
    16    1824  msiexec.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
    description      ioc                                                                                                                                     process
    Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run                              msiexec.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ebfe = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Aztyl\\gipao.dll"  msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
    description                              pid   process       target process
    PID 1732 set thread context of 1824      1732  rundll32.exe  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
    description                 pid   process
    Token: SeSecurityPrivilege  1824  msiexec.exe
    Token: SeSecurityPrivilege  1824  msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                       pid   process       target process
    PID 3672 wrote to memory of 1732  3672  rundll32.exe  rundll32.exe
    PID 3672 wrote to memory of 1732  3672  rundll32.exe  rundll32.exe
    PID 3672 wrote to memory of 1732  3672  rundll32.exe  rundll32.exe
    PID 1732 wrote to memory of 1824  1732  rundll32.exe  msiexec.exe
    PID 1732 wrote to memory of 1824  1732  rundll32.exe  msiexec.exe
    PID 1732 wrote to memory of 1824  1732  rundll32.exe  msiexec.exe
    PID 1732 wrote to memory of 1824  1732  rundll32.exe  msiexec.exe
    PID 1732 wrote to memory of 1824  1732  rundll32.exe  msiexec.exe
Processes (tree, indented by level)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.7cf991f54426be08.24123.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.7cf991f54426be08.24123.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - Blacklisted process makes network request
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken