Analysis
- max time kernel: 46s
- max time network: 9s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 30-10-2020 11:32
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: zuygy.dll, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: zuygy.dll, Resource: win10v20201028)
General
- Target: zuygy.dll
- Size: 863KB
- MD5: f2f6fef7797832e67d7b0d0c3bf5b671
- SHA1: c43c113ad5fd90a04f96b2188078ce372fd84859
- SHA256: e3bcf059f0ad7b1c92462646e135623d3ce75addcd6a0d207b78e2fbfb6dac2d
- SHA512: 8a29c002cc8658a4753a35c00d426ce5703d4f008675fad158691a7ad63c764b668c4afe471f9645d91a863a1f1d5370aa96fdd1d79917b45838e89a084a5cc1
Malware Config
- Extracted: zloader
- main
- 02.04.2020
- URLs:
https://klill.com/sound.php
https://geost.com/sound.php
https://tarsilh.com/sound.php
https://lildor.com/sound.php
https://imosey.com/sound.php
https://obeaf.com/sound.php
https://pheia.com/sound.php
https://smenard.com/sound.php
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  - Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: msiexec.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Foqus = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Ebboa\\vayvydvi.dll,DllRegisterServer" (process: msiexec.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: rundll32.exe
  - PID 368 set thread context of 1212 (process: rundll32.exe, target process: msiexec.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  - Token: SeSecurityPrivilege, PID 1212 (process: msiexec.exe)
  - Token: SeSecurityPrivilege, PID 1212 (process: msiexec.exe)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: rundll32.exe, rundll32.exe
  - PID 1700 wrote to memory of 368 (process: rundll32.exe, target process: rundll32.exe), 7 identical entries
  - PID 368 wrote to memory of 1212 (process: rundll32.exe, target process: msiexec.exe), 9 identical entries
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\zuygy.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\zuygy.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/368-0-0x0000000000000000-mapping.dmp
- memory/1212-2-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize: 4KB)
- memory/1212-1-0x0000000000090000-0x00000000000C0000-memory.dmp (Filesize: 192KB)
- memory/1212-3-0x0000000000090000-0x00000000000C0000-memory.dmp (Filesize: 192KB)
- memory/1212-4-0x0000000000000000-mapping.dmp