Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 02-12-2020 21:40

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: EQq5Mu9U.exe.dll
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
General
- Target: EQq5Mu9U.exe.dll
- Size: 440KB
- MD5: 7784c1f0ad355b7c60213ce7a6904653
- SHA1: 17743db7539bd4f95ae98b335c68a6bfc8f6c74e
- SHA256: 47dd6855869ea0ad0cc43dddc110eb54f1b399dedfb337a8b88dead4914ec609
- SHA512: 50547a2b94b04bad6b4f0b6cd9437e33c983a5beca6841b5b552de9e84c1a7d7d8c3e39c5a070632f67838deddd9a2a915e1ed29124b6678f7d4ca876f089368
Malware Config
Extracted
- Family: zloader
- Botnet: nut
- Campaign: 02/12
- C2:
- rc4.plain
- rsa_pubkey.plain
Signatures
- Blacklisted process makes network request (16 IoCs)
  Processes: msiexec.exe
  flow  pid   process
  16    2804  msiexec.exe
  17    2804  msiexec.exe
  18    2804  msiexec.exe
  19    2804  msiexec.exe
  20    2804  msiexec.exe
  21    2804  msiexec.exe
  23    2804  msiexec.exe
  25    2804  msiexec.exe
  27    2804  msiexec.exe
  28    2804  msiexec.exe
  29    2804  msiexec.exe
  30    2804  msiexec.exe
  31    2804  msiexec.exe
  32    2804  msiexec.exe
  34    2804  msiexec.exe
  36    2804  msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  description                         pid  process       target process
  PID 896 set thread context of 2804  896  rundll32.exe  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  description                 pid   process
  Token: SeSecurityPrivilege  2804  msiexec.exe
  Token: SeSecurityPrivilege  2804  msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 3304 wrote to memory of 896   3304  rundll32.exe  rundll32.exe
  PID 3304 wrote to memory of 896   3304  rundll32.exe  rundll32.exe
  PID 3304 wrote to memory of 896   3304  rundll32.exe  rundll32.exe
  PID 896 wrote to memory of 2804   896   rundll32.exe  msiexec.exe
  PID 896 wrote to memory of 2804   896   rundll32.exe  msiexec.exe
  PID 896 wrote to memory of 2804   896   rundll32.exe  msiexec.exe
  PID 896 wrote to memory of 2804   896   rundll32.exe  msiexec.exe
  PID 896 wrote to memory of 2804   896   rundll32.exe  msiexec.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\EQq5Mu9U.exe.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\EQq5Mu9U.exe.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - Blacklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding