Analysis
max time kernel: 141s
max time network: 141s
platform: windows10_x64
resource: win10v20201028
submitted: 26-02-2021 08:01
Static task: static1
Behavioral task: behavioral1
Sample: bd40fbd6619e2dff958bd5398b0c615921ffd28fe9410e933fe117bca2ed4f9c.dll
Resource: win7v20201028
General
Target: bd40fbd6619e2dff958bd5398b0c615921ffd28fe9410e933fe117bca2ed4f9c.dll
Size: 368KB
MD5: 116347dee5de17177b0e19cb2656d94d
SHA1: 1bc94b97c99c08ffc1f2849a2dfce60569ddbc71
SHA256: bd40fbd6619e2dff958bd5398b0c615921ffd28fe9410e933fe117bca2ed4f9c
SHA512: a405bbeb5829045817817ff4e993153e5196642d32cdeca5964d1787a2451a7d39624c293e59de8d0c485ee57a964814c167a68abb19d6f23308ffff6f7e2fdb
Malware Config
Extracted
Family: zloader
Botnet: nut
Campaign: 22/02
C2 URLs:
  https://sanfilippowholesale.ca/post.php
  https://veprotech.com/post.php
  https://globalgroots.com/post.php
  https://silicontradewind.com/post.php
  https://dhyanalingagranites.in/post.php
  https://onushondhanbarta.com/post.php
  https://avcity.in/post.php
  https://docapiridelli.ml/post.php
Signatures

Blocklisted process makes network request (38 IoCs)
Processes:
  flow  pid   process
  16    3824  msiexec.exe
  17    3824  msiexec.exe
  18    3824  msiexec.exe
  19    3824  msiexec.exe
  20    3824  msiexec.exe
  21    3824  msiexec.exe
  23    3824  msiexec.exe
  24    3824  msiexec.exe
  25    3824  msiexec.exe
  26    3824  msiexec.exe
  27    3824  msiexec.exe
  28    3824  msiexec.exe
  30    3824  msiexec.exe
  31    3824  msiexec.exe
  32    3824  msiexec.exe
  33    3824  msiexec.exe
  34    3824  msiexec.exe
  35    3824  msiexec.exe
  37    3824  msiexec.exe
  38    3824  msiexec.exe
  39    3824  msiexec.exe
  40    3824  msiexec.exe
  41    3824  msiexec.exe
  42    3824  msiexec.exe
  44    3824  msiexec.exe
  45    3824  msiexec.exe
  46    3824  msiexec.exe
  47    3824  msiexec.exe
  48    3824  msiexec.exe
  49    3824  msiexec.exe
  51    3824  msiexec.exe
  53    3824  msiexec.exe
  54    3824  msiexec.exe
  55    3824  msiexec.exe
  56    3824  msiexec.exe
  57    3824  msiexec.exe
  58    3824  msiexec.exe
  60    3824  msiexec.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid  process       target process
  PID 396 set thread context of 3824   396  rundll32.exe  msiexec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                 pid   process
  Token: SeSecurityPrivilege  3824  msiexec.exe
  Token: SeSecurityPrivilege  3824  msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                      pid  process       target process
  PID 640 wrote to memory of 396   640  rundll32.exe  rundll32.exe
  PID 640 wrote to memory of 396   640  rundll32.exe  rundll32.exe
  PID 640 wrote to memory of 396   640  rundll32.exe  rundll32.exe
  PID 396 wrote to memory of 3824  396  rundll32.exe  msiexec.exe
  PID 396 wrote to memory of 3824  396  rundll32.exe  msiexec.exe
  PID 396 wrote to memory of 3824  396  rundll32.exe  msiexec.exe
  PID 396 wrote to memory of 3824  396  rundll32.exe  msiexec.exe
  PID 396 wrote to memory of 3824  396  rundll32.exe  msiexec.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd40fbd6619e2dff958bd5398b0c615921ffd28fe9410e933fe117bca2ed4f9c.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd40fbd6619e2dff958bd5398b0c615921ffd28fe9410e933fe117bca2ed4f9c.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe
         - Blocklisted process makes network request
         - Suspicious use of AdjustPrivilegeToken
Downloads
  memory/396-2-0x0000000000000000-mapping.dmp
  memory/396-3-0x0000000002DF1000-0x0000000002E33000-memory.dmp  (Filesize: 264KB)
  memory/396-4-0x0000000002DF0000-0x0000000002E19000-memory.dmp  (Filesize: 164KB)
  memory/396-5-0x0000000002CC0000-0x0000000002CC1000-memory.dmp  (Filesize: 4KB)
  memory/3824-6-0x0000000000000000-mapping.dmp
  memory/3824-7-0x0000000000B30000-0x0000000000B59000-memory.dmp  (Filesize: 164KB)