Analysis

Max time kernel: 94s
Max time network: 99s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 09-11-2020 12:46

Static task: static1

Behavioral task: behavioral1
  Sample: ec602e8263aec44b7cc4fbf930e5bc9affdc8232e9dd84a86e01198a349a827a.dll
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: ec602e8263aec44b7cc4fbf930e5bc9affdc8232e9dd84a86e01198a349a827a.dll
  Resource: win10v20201028

The signatures and process tree below are from the win10v20201028 (windows10_x64) run.
General

Target: ec602e8263aec44b7cc4fbf930e5bc9affdc8232e9dd84a86e01198a349a827a.dll
Size: 170KB
MD5: 0892f2d684b734d64517348a4df16964
SHA1: b2e6c4a27dec2c67197560c8f2b82d6e119406a3
SHA256: ec602e8263aec44b7cc4fbf930e5bc9affdc8232e9dd84a86e01198a349a827a
SHA512: 2bcbc000057d62fc59e8b902b91a5b4456b816cd93464e3b0b288f092336f63e4086f88734fde792b850e524c600b7d361c42c04946e4bdb5f61406e172e707f

The submitted filename is the sample's SHA256, so the hash can be checked against the name before analysis.
Malware Config

Extracted family: zloader
Botnet/campaign ID: 10/03
C2 URLs:
  https://dhteijwrb.host/milagrecf.php
  https://aquolepp.pw/milagrecf.php
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                            | process
  Key created     | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run      | msiexec.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxut = "rundll32.exe C:\Users\Admin\AppData\Roaming\Ilyqky\igexfy.dll,DllRegisterServer" | msiexec.exe

  The Run value is written by msiexec.exe (PID 3936), not by the regsvr32.exe that loaded the sample. It persists by running rundll32 against a DLL at C:\Users\Admin\AppData\Roaming\Ilyqky\igexfy.dll and calling its DllRegisterServer export, the same export that regsvr32 /s invokes on the submitted file. No file-write event for igexfy.dll appears in this report, so the dropped copy should be confirmed on disk before treating the path as a reliable host indicator; the value name (Uxut) and directory name (Ilyqky) look generated and should not be expected to repeat across infections.

Suspicious use of SetThreadContext (1 IoC)
  description            | pid  | process      | target pid | target process
  set thread context of  | 2220 | regsvr32.exe | 3936       | msiexec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              | pid  | process
  Token: SeSecurityPrivilege | 3936 | msiexec.exe
  Token: SeSecurityPrivilege | 3936 | msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description      | pid  | process      | target pid | target process | count
  wrote to memory of | 1144 | regsvr32.exe | 2220       | regsvr32.exe   | 3
  wrote to memory of | 2220 | regsvr32.exe | 3936       | msiexec.exe    | 5

  Writes from the SysWOW64 regsvr32.exe (2220) into msiexec.exe (3936) followed by SetThreadContext on that process, with the payload behaviour (Run key, privilege adjustment) then appearing in msiexec.exe rather than in regsvr32.exe, is the sequence of a thread-context-based injection into a freshly started host process. The three writes from the System32 regsvr32.exe (1144) into its SysWOW64 child (2220) are what regsvr32 does when it re-launches its 32-bit counterpart for a 32-bit DLL and are not themselves an indicator.
Processes

C:\Windows\system32\regsvr32.exe  (PID 1144)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ec602e8263aec44b7cc4fbf930e5bc9affdc8232e9dd84a86e01198a349a827a.dll
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe  (PID 2220)
    command line: /s C:\Users\Admin\AppData\Local\Temp\ec602e8263aec44b7cc4fbf930e5bc9affdc8232e9dd84a86e01198a349a827a.dll
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe  (PID 3936)
      command line: msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

Read together with the signatures: the 64-bit regsvr32 hands the DLL to the SysWOW64 regsvr32, which starts msiexec.exe with an empty command line, writes to its memory five times and replaces its thread context; from then on the msiexec.exe process carries the loader's behaviour. A msiexec.exe child of regsvr32.exe with no install switches (/i, /x, /update and the like) is the hollowed host and has no legitimate counterpart, which makes the parent/child pair a cleaner detection than the Run value name.
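As an added example (not part of the sandbox report and not any vendor's rule set), the three behaviours above expressed as detection logic in Python, run over constructed Sysmon-style events. The event dicts mimic Sysmon Event IDs 1 (process create), 10 (process access) and 13 (registry value set); the sample events are built from the report's process tree and Run-key IoC rather than captured telemetry, and the 0x1FFFFF GrantedAccess mask is an assumption, since the report logs the WriteProcessMemory/SetThreadContext calls, not the OpenProcess rights that preceded them. The rule goes slightly beyond the report by matching any rundll32 Run value that points under a user's AppData, not only the Uxut/Ilyqky names seen here.

```python
"""Detection rules for the regsvr32 -> msiexec injection and the rundll32 Run-key
persistence in the report above (added example; constructed Sysmon-style events)."""
import re

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp\ec602e8263aec44b7cc4fbf930e5bc9a"
              r"ffdc8232e9dd84a86e01198a349a827a.dll")
RUN_KEY = (r"HKU\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft"
           r"\Windows\CurrentVersion\Run\Uxut")

# Constructed sample events (not captured telemetry), built from the report's IoCs.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2220, "ParentProcessId": 1144,
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\system32\regsvr32.exe",
     "CommandLine": "/s " + SAMPLE_DLL},
    {"EventID": 1, "ProcessId": 3936, "ParentProcessId": 2220,
     "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "ParentImage": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": "msiexec.exe"},
    {"EventID": 10, "SourceProcessId": 2220, "TargetProcessId": 3936,
     "SourceImage": r"C:\Windows\SysWOW64\regsvr32.exe",
     "TargetImage": r"C:\Windows\SysWOW64\msiexec.exe",
     "GrantedAccess": "0x1FFFFF"},  # assumed mask (PROCESS_ALL_ACCESS); not in the report
    {"EventID": 13, "ProcessId": 3936, "EventType": "SetValue",
     "Image": r"C:\Windows\SysWOW64\msiexec.exe", "TargetObject": RUN_KEY,
     "Details": r"rundll32.exe C:\Users\Admin\AppData\Roaming\Ilyqky\igexfy.dll,DllRegisterServer"},
    # Benign control: an ordinary installer launch that must not alert.
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\Admin\Downloads\setup.msi"},
]

RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)
# rundll32[.exe] <drive>:\Users\<user>\AppData\...\<name>.dll,<export>
RUNDLL32_APPDATA_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[a-z]:\\users\\[^\\]+\\appdata\\[^\s"]+\.dll"?\s*,\s*\w+', re.I)
PROCESS_VM_WRITE = 0x0020        # needed for WriteProcessMemory
PROCESS_SUSPEND_RESUME = 0x0800  # needed to replace a suspended child's thread context


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_run_key_rundll32_appdata(ev):
    """Run value whose data launches rundll32 on a DLL under a user's AppData."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    if not RUN_VALUE_RE.search(ev.get("TargetObject", "")):
        return None
    if not RUNDLL32_APPDATA_RE.search(ev.get("Details", "")):
        return None
    return {"rule": "run_key_rundll32_appdata", "pid": ev["ProcessId"],
            "detail": ev["TargetObject"] + " = " + ev["Details"]}


def rule_regsvr32_spawns_bare_msiexec(ev):
    """regsvr32.exe starting msiexec.exe with no install switches (the hollowed host)."""
    if ev.get("EventID") != 1:
        return None
    if _basename(ev.get("ParentImage", "")) != "regsvr32.exe":
        return None
    if _basename(ev.get("Image", "")) != "msiexec.exe":
        return None
    # A real install carries /i, /x, /update etc.; the report shows a bare "msiexec.exe".
    if len(ev.get("CommandLine", "").strip().split(None, 1)) > 1:
        return None
    return {"rule": "regsvr32_spawns_bare_msiexec", "pid": ev["ProcessId"],
            "detail": ev["ParentImage"] + " -> " + ev["CommandLine"]}


def rule_regsvr32_opens_msiexec_for_injection(ev):
    """regsvr32.exe opening msiexec.exe with write plus suspend/resume rights."""
    if ev.get("EventID") != 10:
        return None
    if (_basename(ev.get("SourceImage", "")) != "regsvr32.exe"
            or _basename(ev.get("TargetImage", "")) != "msiexec.exe"):
        return None
    needed = PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME
    mask = int(ev.get("GrantedAccess", "0"), 16)
    if (mask & needed) != needed:
        return None
    return {"rule": "regsvr32_opens_msiexec_for_injection", "pid": ev["SourceProcessId"],
            "target_pid": ev["TargetProcessId"], "detail": "GrantedAccess=" + ev["GrantedAccess"]}


RULES = (rule_run_key_rundll32_appdata, rule_regsvr32_spawns_bare_msiexec,
         rule_regsvr32_opens_msiexec_for_injection)


def run_rules(events):
    """Apply every rule to every event; return findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed events this yields three findings (the bare msiexec.exe child, the cross-process access, the Run value) and nothing for the explorer-launched installer. The process-access rule is the one most dependent on telemetry you may not have: if only API-level traces like this report are available, the WriteProcessMemory and SetThreadContext lines from regsvr32.exe to a child are the equivalent signal.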