Analysis

max time kernel: 123s
max time network: 123s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:47

Static task: static1
Behavioral task: behavioral1
  Sample: tsk.dll
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
General

Target: tsk.dll
Size: 489KB
MD5: a09579dd34dbef1b234181c9d780c239
SHA1: 31e811931d2a5174e0f505f9e6a92e2c752f676c
SHA256: 7fdd024bec3841eaaf2ac0b352b66380ef74cf47f37c965982d36be948bcf75d
SHA512: 0208067a7a4e5433fa30739425ca51e08b9972f260d93876f8156f5a914dc6a536e0129edb70e04e60013e4655eeccd6c78c283d51a03febd478e95a4e1fe431
Malware Config

Extracted
  Family: zloader
  Botnet: bot5
  Campaign: bot5
  C2: https://militanttra.at/owg.php
  rc4.plain
  rsa_pubkey.plain
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: msiexec.exe
  Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: msiexec.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anfe = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Tutuug\\cowaulab.dll" (process: msiexec.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes: rundll32.exe
  PID 1228 (rundll32.exe) set thread context of 2448 (msiexec.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: msiexec.exe
  Token: SeSecurityPrivilege, PID 2448 (msiexec.exe), reported 2 times

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: rundll32.exe, rundll32.exe
  PID 1036 (rundll32.exe) wrote to memory of 1228 (rundll32.exe), reported 3 times
  PID 1228 (rundll32.exe) wrote to memory of 2448 (msiexec.exe), reported 5 times
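Detection logic run over the IoCs in the signature tables above, as an added example that is not part of the sandbox report. The registry and process event lists are constructed by hand from the report's records; the rule names, the loader list (regsvr32.exe, rundll32.exe) and the user-writable path pattern are this example's own assumptions. The hollowing rule deliberately requires both a remote write and a SetThreadContext between the same pair of PIDs: the three writes from 1036 into its child 1228 are what ordinary process start-up also looks like in these logs, so a write on its own is not reported.

```python
"""Detection logic run over the IoCs in the signature tables above.

Added example, not part of the sandbox report. The event lists are
constructed by hand from the report's registry and process IoCs; the rule
names, the loader list and the user-writable path pattern are this
example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed from the "Adds Run key to start application" signature.
REGISTRY_EVENTS = [
    {
        "op": "Set value (str)",
        "key": r"\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run",
        "name": "Anfe",
        "data": r"regsvr32.exe /s C:\Users\Admin\AppData\Roaming\Tutuug\cowaulab.dll",
        "process": "msiexec.exe",
    },
]

# Constructed from the WriteProcessMemory and SetThreadContext signatures:
# (api, source pid, source image, target pid, target image). Sandbox IoC
# lists are not ordered chronologically, so the rules below ignore order.
PROCESS_EVENTS = (
    [("WriteProcessMemory", 1036, "rundll32.exe", 1228, "rundll32.exe")] * 3
    + [("WriteProcessMemory", 1228, "rundll32.exe", 2448, "msiexec.exe")] * 5
    + [("SetThreadContext", 1228, "rundll32.exe", 2448, "msiexec.exe")]
)

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# LOLBins that load a DLL handed to them on the command line (assumed list).
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}


def image_basename(cmdline: str) -> str:
    """Lower-case file name of the first token of a command line."""
    first = cmdline.strip().split()[0].strip('"')
    return first.rsplit("\\", 1)[-1].lower()


def check_run_key_persistence(registry_events):
    """Flag Run/RunOnce values that point a DLL loader at a user-writable path."""
    findings = []
    for ev in registry_events:
        if not RUN_KEY_RE.search(ev["key"]):
            continue
        if image_basename(ev["data"]) in DLL_LOADERS and USER_WRITABLE_RE.search(ev["data"]):
            findings.append({
                "rule": "run_key_dll_loader_from_appdata",
                "process": ev["process"],
                "value": ev["name"],
                "data": ev["data"],
            })
    return findings


def check_process_hollowing(process_events):
    """Flag a source PID that both wrote into a remote process and set a thread
    context there (the hollowing pattern). A parent writing into a child it just
    created also appears in these logs, so a write alone is not reported."""
    writes = defaultdict(int)
    context_pairs = set()
    images = {}
    for api, src_pid, src_img, dst_pid, dst_img in process_events:
        if src_pid == dst_pid:
            continue  # self-modification is not cross-process injection
        pair = (src_pid, dst_pid)
        images[pair] = (src_img, dst_img)
        if api == "WriteProcessMemory":
            writes[pair] += 1
        elif api == "SetThreadContext":
            context_pairs.add(pair)
    findings = []
    for pair in sorted(context_pairs):
        if writes[pair] == 0:
            continue
        src_img, dst_img = images[pair]
        findings.append({
            "rule": "remote_write_then_set_thread_context",
            "source": f"{src_img} ({pair[0]})",
            "target": f"{dst_img} ({pair[1]})",
            "writes": writes[pair],
        })
    return findings


def run_detections(registry_events=REGISTRY_EVENTS, process_events=PROCESS_EVENTS):
    """Run both rules and return the combined findings list."""
    return check_run_key_persistence(registry_events) + check_process_hollowing(process_events)


if __name__ == "__main__":
    for finding in run_detections():
        print(finding)
```

Run stand-alone it prints two findings: the Run value "Anfe" set by msiexec.exe, and the 1228 to 2448 write-then-SetThreadContext pair. Swapping in real EDR or sandbox JSON only needs the two event lists rebuilt in the same shape.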
Processes

1. C:\Windows\system32\rundll32.exe (PID 1036, per the signature tables above)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\tsk.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1228)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\tsk.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe (PID 2448)
         Command line: msiexec.exe
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
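Command-line heuristics over the process tree above, as an added example that is not part of the sandbox report. PROCESS_TREE is the report's tree re-typed as "depth image | command line"; the rule names and the parent/child conditions are this example's own assumptions. The WOW64 rule is informational rather than a sign of injection: 64-bit rundll32.exe handed a 32-bit DLL re-executes the SysWOW64 copy with the same arguments, which is why the tree shows two rundll32.exe entries with an identical command line and tells you tsk.dll is 32-bit. The msiexec.exe rule is a heuristic only; confirm it against the SetThreadContext and WriteProcessMemory IoCs before acting on it.

```python
"""Command-line heuristics over the process tree above.

Added example, not part of the sandbox report. PROCESS_TREE is the report's
tree re-typed as "<depth> <image path> | <command line>"; the rule names and
the parent/child conditions are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

PROCESS_TREE = """\
1 C:\\Windows\\system32\\rundll32.exe | rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\tsk.dll,#1
2 C:\\Windows\\SysWOW64\\rundll32.exe | rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\tsk.dll,#1
3 C:\\Windows\\SysWOW64\\msiexec.exe | msiexec.exe
"""

# "<dll path>,#<ordinal>": rundll32 calling an export by ordinal instead of by name.
ORDINAL_EXPORT_RE = re.compile(r"^(?P<dll>.+?\.dll)\s*,\s*#(?P<ordinal>\d+)\s*$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}  # assumed list


@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    parent: Optional["Proc"] = None

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def args(self) -> str:
        """Command line with its first token (the program name) removed."""
        parts = self.cmdline.split(None, 1)
        return parts[1] if len(parts) > 1 else ""


def parse_tree(text: str):
    """Turn the depth-prefixed tree into Proc objects linked to their parents.
    The parent of a depth-n entry is the most recent depth-(n-1) entry."""
    procs, last_at_depth = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        depth_str, rest = line.split(" ", 1)
        image, cmdline = (part.strip() for part in rest.split("|", 1))
        depth = int(depth_str)
        proc = Proc(depth, image, cmdline, parent=last_at_depth.get(depth - 1))
        last_at_depth[depth] = proc
        procs.append(proc)
    return procs


def analyze_tree(text: str):
    findings = []
    for p in parse_tree(text):
        if p.name == "rundll32.exe":
            m = ORDINAL_EXPORT_RE.match(p.args)
            if m and TEMP_DIR_RE.search(m.group("dll")):
                findings.append({"rule": "rundll32_ordinal_export_from_temp", "depth": p.depth,
                                 "dll": m.group("dll"), "ordinal": int(m.group("ordinal"))})
            # Informational: 64-bit rundll32 given a 32-bit DLL re-launches the
            # SysWOW64 copy with the same arguments, so this reveals the DLL's bitness.
            if (p.parent is not None and p.parent.name == "rundll32.exe"
                    and "\\syswow64\\" in p.image.lower()
                    and "\\system32\\" in p.parent.image.lower()
                    and p.args.lower() == p.parent.args.lower()):
                findings.append({"rule": "wow64_relaunch_same_dll", "depth": p.depth})
        elif p.name == "msiexec.exe":
            # An installer host started with no arguments by a DLL loader is a
            # candidate hollowing target (assumed heuristic; confirm with the
            # SetThreadContext/WriteProcessMemory IoCs).
            if p.args == "" and p.parent is not None and p.parent.name in DLL_LOADERS:
                findings.append({"rule": "argless_msiexec_from_dll_loader", "depth": p.depth,
                                 "parent": p.parent.name})
    return findings


if __name__ == "__main__":
    for finding in analyze_tree(PROCESS_TREE):
        print(finding)
```

On this tree the ordinal-export rule fires for both rundll32.exe entries, the WOW64 rule for the SysWOW64 one, and the msiexec.exe rule for the leaf; a tree from a different report only needs re-typing into the same three-column form.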