Analysis

max time kernel: 141s
max time network: 147s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:55

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Johnnie.253352.23036.17576.dll
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General

Target: SecuriteInfo.com.Variant.Johnnie.253352.23036.17576.dll
Size: 536KB
MD5: 2fac38dc801716d730a94667f1e46338
SHA1: 2a7d8e1b1f3a4bd51da44191edc1932361272182
SHA256: d94b57307f3b68e57f1cf34e4aaa0794a6d0b4c551d05f6d1a2f0d3b45625177
SHA512: 5c718fc7c86563e7b931d60fb1be52f3d3db75de6a978268a450e5025473d4ab23f9d800931eed1992b43cfce1b825739daf46b6ff2c7f425a285ff5efa17190
Malware Config

Extracted
Family: zloader
Botnet: bot5
Campaign: bot5
C2: https://militanttra.at/owg.php
rc4.plain
rsa_pubkey.plain
Signatures

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run (msiexec.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ipnuria = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Xoil\\olexwaqo.dll" (msiexec.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 1544 set thread context of 1236: 1544, rundll32.exe -> msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeSecurityPrivilege: 1236, msiexec.exe
    Token: SeSecurityPrivilege: 1236, msiexec.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description / pid / process / target process):
    PID 844 wrote to memory of 1544: 844, rundll32.exe -> rundll32.exe
    PID 844 wrote to memory of 1544: 844, rundll32.exe -> rundll32.exe
    PID 844 wrote to memory of 1544: 844, rundll32.exe -> rundll32.exe
    PID 844 wrote to memory of 1544: 844, rundll32.exe -> rundll32.exe
    PID 844 wrote to memory of 1544: 844, rundll32.exe -> rundll32.exe
    PID 844 wrote to memory of 1544: 844, rundll32.exe -> rundll32.exe
    PID 844 wrote to memory of 1544: 844, rundll32.exe -> rundll32.exe
    PID 1544 wrote to memory of 1236: 1544, rundll32.exe -> msiexec.exe
    PID 1544 wrote to memory of 1236: 1544, rundll32.exe -> msiexec.exe
    PID 1544 wrote to memory of 1236: 1544, rundll32.exe -> msiexec.exe
    PID 1544 wrote to memory of 1236: 1544, rundll32.exe -> msiexec.exe
    PID 1544 wrote to memory of 1236: 1544, rundll32.exe -> msiexec.exe
    PID 1544 wrote to memory of 1236: 1544, rundll32.exe -> msiexec.exe
    PID 1544 wrote to memory of 1236: 1544, rundll32.exe -> msiexec.exe
    PID 1544 wrote to memory of 1236: 1544, rundll32.exe -> msiexec.exe
    PID 1544 wrote to memory of 1236: 1544, rundll32.exe -> msiexec.exe
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Johnnie.253352.23036.17576.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Johnnie.253352.23036.17576.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1236-1-0x0000000000090000-0x00000000000BB000-memory.dmp (Filesize 172KB)
- memory/1236-2-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize 4KB)
- memory/1236-3-0x0000000000090000-0x00000000000BB000-memory.dmp (Filesize 172KB)
- memory/1236-4-0x0000000000000000-mapping.dmp
- memory/1452-5-0x000007FEF81B0000-0x000007FEF842A000-memory.dmp (Filesize 2.5MB)
- memory/1544-0-0x0000000000000000-mapping.dmp