Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7v20201028
submitted: 26-02-2021 08:01
Static task: static1
Behavioral task: behavioral1
Sample: bd40fbd6619e2dff958bd5398b0c615921ffd28fe9410e933fe117bca2ed4f9c.dll
Resource: win7v20201028
General
Target: bd40fbd6619e2dff958bd5398b0c615921ffd28fe9410e933fe117bca2ed4f9c.dll
Size: 368KB
MD5: 116347dee5de17177b0e19cb2656d94d
SHA1: 1bc94b97c99c08ffc1f2849a2dfce60569ddbc71
SHA256: bd40fbd6619e2dff958bd5398b0c615921ffd28fe9410e933fe117bca2ed4f9c
SHA512: a405bbeb5829045817817ff4e993153e5196642d32cdeca5964d1787a2451a7d39624c293e59de8d0c485ee57a964814c167a68abb19d6f23308ffff6f7e2fdb
Malware Config
Extracted
Family: zloader
Botnet: nut
Campaign: 22/02
C2:
https://sanfilippowholesale.ca/post.php
https://veprotech.com/post.php
https://globalgroots.com/post.php
https://silicontradewind.com/post.php
https://dhyanalingagranites.in/post.php
https://onushondhanbarta.com/post.php
https://avcity.in/post.php
https://docapiridelli.ml/post.php
Signatures
- Blocklisted process makes network request (64 IoCs)
  Processes: PID 748 msiexec.exe, flows 7 through 74 (flows 28, 32, 54 and 58 are not attributed to it)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1376 rundll32.exe set thread context of PID 748 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: PID 748 msiexec.exe, Token: SeSecurityPrivilege (2 events)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  PID 2004 rundll32.exe wrote to memory of PID 1376 rundll32.exe (7 events)
  PID 1376 rundll32.exe wrote to memory of PID 748 msiexec.exe (9 events)
Processes
C:\Windows\system32\rundll32.exe (PID 2004)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd40fbd6619e2dff958bd5398b0c615921ffd28fe9410e933fe117bca2ed4f9c.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1376, 32-bit rundll32 re-launched by the 64-bit one to load the 32-bit DLL)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd40fbd6619e2dff958bd5398b0c615921ffd28fe9410e933fe117bca2ed4f9c.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe (PID 748)
      Command line: msiexec.exe
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
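The chain above (rundll32.exe PID 1376 writing into msiexec.exe PID 748, resetting its thread context, then msiexec.exe making 64 network requests) is the process-hollowing pattern. What follows is an added example, not the sandbox's or the report's own code, that scores that pattern from API events and adds a cheap corroboration from the dump list: the 164KB region dumped from msiexec.exe (0xD0000-0xF9000) is exactly the size of the 164KB region dumped from rundll32.exe (0x2A0000-0x2C9000). The event records and dump ranges are constructed from the report (same PIDs, counts and addresses); the HOLLOWING_HOSTS watchlist is an assumption of this example.

```python
"""Detect a process-hollowing chain in sandbox-style API events.

Added example for this report; it is not the sandbox's own code.  The event
and memory-dump records below are constructed from the report's signature
tables and dump list, with the PIDs, counts and address ranges shown there.
"""
from dataclasses import dataclass

# Constructed from the report: (api, source_pid, source_image, target_pid, target_image).
# Network flows have no target process.
EVENTS = (
    [("WriteProcessMemory", 2004, "rundll32.exe", 1376, "rundll32.exe")] * 7
    + [("WriteProcessMemory", 1376, "rundll32.exe", 748, "msiexec.exe")] * 9
    + [("SetThreadContext", 1376, "rundll32.exe", 748, "msiexec.exe")]
    + [("NetworkRequest", 748, "msiexec.exe", None, None)] * 64
)

# Constructed from the report's memory dump list: (pid, start, end).
MEMORY_DUMPS = [
    (748, 0x000D0000, 0x000F9000),
    (1376, 0x75EA1000, 0x75EA3000),
    (1376, 0x002A0000, 0x002C9000),
    (1376, 0x00160000, 0x00161000),
    (1912, 0x7FEF7020000, 0x7FEF729A000),
]

# Signed Windows binaries that loaders commonly pick as hollowing hosts
# (assumed watchlist for this example; extend it for your environment).
HOLLOWING_HOSTS = {"msiexec.exe", "svchost.exe", "explorer.exe", "regsvr32.exe", "rundll32.exe"}


@dataclass
class Injection:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    writes: int = 0
    thread_context_set: bool = False
    network_flows: int = 0

    def is_hollowing(self) -> bool:
        # A parent writing into a child it just created is normal (process
        # creation itself produces WriteProcessMemory events); the signal is
        # writes *plus* a rewritten thread context in the same target.
        return self.writes > 0 and self.thread_context_set

    def severity(self) -> str:
        if not self.is_hollowing():
            return "none"
        if self.target_image.lower() in HOLLOWING_HOSTS and self.network_flows > 0:
            return "high"  # hollowed host binary that went on to talk to the network
        return "medium"


def build_injections(events) -> dict:
    """Aggregate, per (source_pid, target_pid), the cross-process writes,
    SetThreadContext calls and the target's later network activity."""
    table: dict = {}
    flows_by_pid: dict = {}
    for api, spid, simg, tpid, timg in events:
        if api == "NetworkRequest":
            flows_by_pid[spid] = flows_by_pid.get(spid, 0) + 1
            continue
        inj = table.setdefault((spid, tpid), Injection(spid, simg, tpid, timg))
        if api == "WriteProcessMemory":
            inj.writes += 1
        elif api == "SetThreadContext":
            inj.thread_context_set = True
    for inj in table.values():
        inj.network_flows = flows_by_pid.get(inj.target_pid, 0)
    return table


def detect_hollowing(events) -> list:
    """Return the injections that look like process hollowing, worst first."""
    order = {"high": 0, "medium": 1, "none": 2}
    hits = [i for i in build_injections(events).values() if i.is_hollowing()]
    return sorted(hits, key=lambda i: order[i.severity()])


def matching_regions(dumps, src_pid, tgt_pid) -> list:
    """Pair a region dumped from the injector with one dumped from the target
    when both have exactly the same size.  Equal sizes are cheap corroboration
    that the target's region holds the image the injector unpacked."""
    src = [(s, e) for p, s, e in dumps if p == src_pid]
    tgt = [(s, e) for p, s, e in dumps if p == tgt_pid]
    return [(a, b, a[1] - a[0]) for a in src for b in tgt if a[1] - a[0] == b[1] - b[0]]


if __name__ == "__main__":
    for inj in detect_hollowing(EVENTS):
        print(f"{inj.severity():6} {inj.source_image}({inj.source_pid}) -> "
              f"{inj.target_image}({inj.target_pid}): {inj.writes} writes, "
              f"SetThreadContext, {inj.network_flows} network flows")
    for a, b, size in matching_regions(MEMORY_DUMPS, 1376, 748):
        print(f"region {a[0]:#x}-{a[1]:#x} in 1376 matches {b[0]:#x}-{b[1]:#x} in 748 ({size // 1024} KB)")
```

The parent-to-child writes from PID 2004 to PID 1376 stay unflagged: creating a child process produces WriteProcessMemory events on its own, and nothing rewrote 1376's thread context. What makes the 1376 to 748 pair high severity is a signed host binary (msiexec.exe, launched with no arguments) that starts talking to the network only after its context was replaced. For response, block the eight post.php URLs from the extracted config and alert on msiexec.exe with an empty command line initiating outbound HTTPS.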
Downloads
- memory/748-6-0x0000000000000000-mapping.dmp
- memory/748-8-0x00000000000D0000-0x00000000000F9000-memory.dmp (164KB)
- memory/1376-2-0x0000000000000000-mapping.dmp
- memory/1376-3-0x0000000075EA1000-0x0000000075EA3000-memory.dmp (8KB)
- memory/1376-4-0x00000000002A0000-0x00000000002C9000-memory.dmp (164KB)
- memory/1376-5-0x0000000000160000-0x0000000000161000-memory.dmp (4KB)
- memory/1912-9-0x000007FEF7020000-0x000007FEF729A000-memory.dmp (2.5MB)