Analysis
- max time kernel: 134s
- max time network: 135s
- platform: windows7_x64
- resource: win7v200722
- submitted: 19-10-2020 09:42
Static task: static1

Behavioral task: behavioral1
- Sample: ad213eaf7436c9ebd4d1e3fe24ce4963a8d878b1b625198d5c8085c383f580dd_top_dllD23df_xlsp.c1.dll
- Resource: win7v200722

Behavioral task: behavioral2
- Sample: ad213eaf7436c9ebd4d1e3fe24ce4963a8d878b1b625198d5c8085c383f580dd_top_dllD23df_xlsp.c1.dll
- Resource: win10
General
- Target: ad213eaf7436c9ebd4d1e3fe24ce4963a8d878b1b625198d5c8085c383f580dd_top_dllD23df_xlsp.c1.dll
- Size: 636KB
- MD5: a31735e7cbd08a44f3e06b63f697b44d
- SHA1: c7a2b7efa1380039215129968f60afd6ebed05c3
- SHA256: ad213eaf7436c9ebd4d1e3fe24ce4963a8d878b1b625198d5c8085c383f580dd
- SHA512: 7904cdbdb27a4d5fd553558c4bfc578fe0293f5663a5a98a5a4eebadc6f448b1ccc5e97c20e27c8033fd11189a24d5ac585940d98ea7b15137908051134a49c7
Malware Config
Extracted:
- zloader
- divader
- poll
- https://fqnceas.su/gate.php
- https://fqlocpeas.ru/gate.php
- https://dksaiijn.ru/gate.php
- https://dksafjasnf.su/gate.php
- https://fjsafasfsa.ru/gate.php
- https://fjskoijafsa.ru/gate.php
- https://kochamkkkras.ru/gate.php
- https://uookqihwdid.ru/gate.php
- https://iqowijsdakm.ru/gate.php
- https://wiewjdmkfjn.ru/gate.php
Signatures

- Blacklisted process makes network request (2 IoCs)
  Processes: msiexec.exe
  flow  pid   process
  6     1560  msiexec.exe
  7     1560  msiexec.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  description      ioc                                                                                                                                                  process
  Key created      \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run                                          msiexec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wookaby = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Guehe\\avkuipqe.dll"  msiexec.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  description                            pid   process       target process
  PID 1188 set thread context of 1560    1188  rundll32.exe  msiexec.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  description                 pid   process
  Token: SeSecurityPrivilege  1560  msiexec.exe
  Token: SeSecurityPrivilege  1560  msiexec.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                         pid   process       target process
  PID 1452 wrote to memory of 1188    1452  rundll32.exe  rundll32.exe
  PID 1452 wrote to memory of 1188    1452  rundll32.exe  rundll32.exe
  PID 1452 wrote to memory of 1188    1452  rundll32.exe  rundll32.exe
  PID 1452 wrote to memory of 1188    1452  rundll32.exe  rundll32.exe
  PID 1452 wrote to memory of 1188    1452  rundll32.exe  rundll32.exe
  PID 1452 wrote to memory of 1188    1452  rundll32.exe  rundll32.exe
  PID 1452 wrote to memory of 1188    1452  rundll32.exe  rundll32.exe
  PID 1188 wrote to memory of 1560    1188  rundll32.exe  msiexec.exe
  PID 1188 wrote to memory of 1560    1188  rundll32.exe  msiexec.exe
  PID 1188 wrote to memory of 1560    1188  rundll32.exe  msiexec.exe
  PID 1188 wrote to memory of 1560    1188  rundll32.exe  msiexec.exe
  PID 1188 wrote to memory of 1560    1188  rundll32.exe  msiexec.exe
  PID 1188 wrote to memory of 1560    1188  rundll32.exe  msiexec.exe
  PID 1188 wrote to memory of 1560    1188  rundll32.exe  msiexec.exe
  PID 1188 wrote to memory of 1560    1188  rundll32.exe  msiexec.exe
  PID 1188 wrote to memory of 1560    1188  rundll32.exe  msiexec.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad213eaf7436c9ebd4d1e3fe24ce4963a8d878b1b625198d5c8085c383f580dd_top_dllD23df_xlsp.c1.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad213eaf7436c9ebd4d1e3fe24ce4963a8d878b1b625198d5c8085c383f580dd_top_dllD23df_xlsp.c1.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe
         - Blacklisted process makes network request
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1188-0-0x0000000000000000-mapping.dmp
- memory/1560-1-0x00000000000D0000-0x00000000000F9000-memory.dmp (Filesize: 164KB)
- memory/1560-2-0x0000000000100000-0x0000000000101000-memory.dmp (Filesize: 4KB)
- memory/1560-3-0x00000000000D0000-0x00000000000F9000-memory.dmp (Filesize: 164KB)
- memory/1560-4-0x0000000000000000-mapping.dmp
- memory/1940-5-0x000007FEF6EF0000-0x000007FEF716A000-memory.dmp (Filesize: 2.5MB)