Analysis
-
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7v20201028
submitted: 04-03-2021 02:18

Behavioral task: behavioral1
Sample: 4722359f79b6a7f7738b8444b8bf6f61f0ac171bd50243ffccdfbc0a1ebcddcd.dll
Resource: win7v20201028
General
-
Target: 4722359f79b6a7f7738b8444b8bf6f61f0ac171bd50243ffccdfbc0a1ebcddcd.dll
Size: 176KB
MD5: 096a438e0e5d01b9646c19d45c0c063f
SHA1: 8c6cd17823e9aa7a266cbbb89a7a5dee99b9cbad
SHA256: 4722359f79b6a7f7738b8444b8bf6f61f0ac171bd50243ffccdfbc0a1ebcddcd
SHA512: 8fbfc073cb2e5285e4eb6a4b19822e77233af1c9f621374a2029e7e540ab430262164506227e82058df8c364d300d6d9c059416301de7a77e585756b98fb4be3
Malware Config
Extracted
Family: zloader
Botnet: banking
Campaign: banking
C2 (all are the Zloader gate endpoint, https://<domain>/gate.php):
https://iloveyoubaby1.pro/gate.php
https://idsakjfsanfaskj.com/gate.php
https://fslakdasjdnsasjsj.com/gate.php
https://dksadjsahnfaskmsa.com/gate.php
https://dskdsajdsahda.info/gate.php
https://dskdsajdsadasda.info/gate.php
https://dskjdsadhsahjsas.info/gate.php
https://dsjadjsadjsadjafsa.info/gate.php
https://fsakjdsafasifkajfaf.pro/gate.php
https://djsadhsadsadjashs.pro/gate.php
Signatures
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: msiexec.exe
  Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run (msiexec.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ikfyil = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Becy\\xaikasfe.dll,DllRegisterServer" (msiexec.exe)
-
Suspicious use of SetThreadContext (1 IoC)
Process: regsvr32.exe
  PID 2012 (regsvr32.exe) set thread context of PID 1452 (msiexec.exe)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Process: msiexec.exe
  Token: SeSecurityPrivilege enabled by PID 1452 (msiexec.exe), twice
-
Suspicious use of WriteProcessMemory (16 IoCs)
Processes: regsvr32.exe, regsvr32.exe
  PID 1108 (regsvr32.exe) wrote to memory of PID 2012 (regsvr32.exe): 7 times
  PID 2012 (regsvr32.exe) wrote to memory of PID 1452 (msiexec.exe): 9 times
Processes
-
C:\Windows\system32\regsvr32.exe (PID 1108)
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4722359f79b6a7f7738b8444b8bf6f61f0ac171bd50243ffccdfbc0a1ebcddcd.dll
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe (PID 2012, child of 1108)
    /s C:\Users\Admin\AppData\Local\Temp\4722359f79b6a7f7738b8444b8bf6f61f0ac171bd50243ffccdfbc0a1ebcddcd.dll
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe (PID 1452, child of 2012)
      msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

The PIDs are taken from the signature entries above: 64-bit regsvr32 hands the 32-bit DLL to the SysWOW64 regsvr32, which starts msiexec.exe with no arguments, writes to it and calls SetThreadContext on it, and the Run key is then written from inside msiexec.exe. That sequence is consistent with the DLL hollowing msiexec.exe to host its payload; the hollowed msiexec.exe, not the original DLL, is what persists via the rundll32 Run entry.
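The checks below are an added detection example, not part of the sandbox report and not Zloader code. They run over constructed events that mirror the IoCs in the Signatures and Processes sections (Sysmon-style field names and the parent PIDs 1000/explorer.exe are assumptions; the images, PIDs, command lines and the Run value are the report's). Each check maps one behaviour to the report's evidence: a Run value that starts rundll32 with DllRegisterServer on a DLL under AppData, regsvr32 /s loading a DLL from %TEMP%, msiexec.exe started by regsvr32.exe with a bare command line, and SetThreadContext across process images. A benign msiexec.exe install is included as a control so the rules can be seen to stay quiet on it.

```python
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

# Constructed sample events modelled on the IoCs in this report (not real telemetry).
# Field names follow a Sysmon-like shape, which is an assumption. The report shows the
# Run value with doubled (escaped) backslashes; it is stored here as the actual string.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"type": "process_create", "pid": 1108, "ppid": 1000,
     "image": r"C:\Windows\system32\regsvr32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4722359f79b6a7f7738b8444b8bf6f61f0ac171bd50243ffccdfbc0a1ebcddcd.dll"},
    {"type": "process_create", "pid": 2012, "ppid": 1108,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe", "parent_image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"/s C:\Users\Admin\AppData\Local\Temp\4722359f79b6a7f7738b8444b8bf6f61f0ac171bd50243ffccdfbc0a1ebcddcd.dll"},
    {"type": "process_create", "pid": 1452, "ppid": 2012,
     "image": r"C:\Windows\SysWOW64\msiexec.exe", "parent_image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": "msiexec.exe"},
    {"type": "set_thread_context", "pid": 2012, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "target_pid": 1452, "target_image": r"C:\Windows\SysWOW64\msiexec.exe"},
    {"type": "registry_set", "pid": 1452, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ikfyil",
     "value": r"rundll32.exe C:\Users\Admin\AppData\Roaming\Becy\xaikasfe.dll,DllRegisterServer"},
    # Benign control (constructed): an ordinary MSI install started from Explorer with arguments.
    {"type": "process_create", "pid": 3000, "ppid": 1000,
     "image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\Admin\Downloads\setup.msi"'},
]

# Autostart value under ...\CurrentVersion\Run (T1547.001).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# rundll32 invoking DllRegisterServer on a DLL dropped under the user's AppData.
RUNDLL_APPDATA_RE = re.compile(
    r'^\s*"?rundll32(\.exe)?"?\s+.*\\AppData\\(Roaming|Local)\\.*\.dll,\s*DllRegisterServer\b', re.IGNORECASE)
# A DLL registered straight out of %TEMP% (T1218.010, regsvr32 proxy execution).
TEMP_DLL_RE = re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.dll', re.IGNORECASE)


def _basename(path: str) -> str:
    """Last path component, lower-cased, so system32 and SysWOW64 copies compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def check_run_key(ev: Dict[str, Any]) -> Optional[str]:
    """Run value whose data is rundll32 ...\\AppData\\...\\*.dll,DllRegisterServer."""
    if ev["type"] != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
        return None
    if RUNDLL_APPDATA_RE.search(ev["value"]):
        return "Run key launches rundll32 DllRegisterServer on a DLL under AppData (T1547.001)"
    return None


def check_regsvr32_temp_dll(ev: Dict[str, Any]) -> Optional[str]:
    """regsvr32 loading a DLL from %TEMP%; the /s switch suppresses the success dialog."""
    if ev["type"] != "process_create" or _basename(ev["image"]) != "regsvr32.exe":
        return None
    if TEMP_DLL_RE.search(ev["cmdline"]):
        return "regsvr32 registering a DLL from %TEMP% (T1218.010)"
    return None


def check_hollow_host(ev: Dict[str, Any]) -> Optional[str]:
    """msiexec.exe with a bare command line spawned by regsvr32.exe: a hollowing host, not an install."""
    if ev["type"] != "process_create" or _basename(ev["image"]) != "msiexec.exe":
        return None
    if _basename(ev.get("parent_image", "")) == "regsvr32.exe" and \
            ev["cmdline"].strip().lower() in ("msiexec.exe", "msiexec"):
        return "msiexec.exe started by regsvr32.exe with no arguments (process hollowing host)"
    return None


def check_set_thread_context(ev: Dict[str, Any]) -> Optional[str]:
    """SetThreadContext on a thread in a different image: the final step of hollowing (T1055.012)."""
    if ev["type"] != "set_thread_context":
        return None
    if _basename(ev["image"]) != _basename(ev["target_image"]):
        return f"SetThreadContext from {_basename(ev['image'])} into {_basename(ev['target_image'])} (T1055.012)"
    return None


CHECKS: List[Callable[[Dict[str, Any]], Optional[str]]] = [
    check_run_key, check_regsvr32_temp_dll, check_hollow_host, check_set_thread_context]


def scan(events: List[Dict[str, Any]]) -> List[Tuple[int, str]]:
    """Return (pid, finding) for every event that trips a check."""
    hits: List[Tuple[int, str]] = []
    for ev in events:
        for check in CHECKS:
            msg = check(ev)
            if msg:
                hits.append((ev["pid"], msg))
    return hits


if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {finding}")
```

On the constructed events this yields five findings (both regsvr32 instances, the bare msiexec.exe, the SetThreadContext call and the Run value) and nothing for the control install. The bare-command-line condition matters: msiexec.exe is a legitimate and noisy binary, so alerting on it only when the parent is regsvr32.exe and no package is given keeps the rule tight.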
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1108-2-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp (8KB)
memory/1452-5-0x0000000000000000-mapping.dmp
memory/1452-7-0x0000000000090000-0x00000000000C0000-memory.dmp (192KB)
memory/1580-8-0x000007FEF7510000-0x000007FEF778A000-memory.dmp (2.5MB)
memory/2012-3-0x0000000000000000-mapping.dmp
memory/2012-4-0x00000000760D1000-0x00000000760D3000-memory.dmp (8KB)

The 192KB region at 0x90000 in PID 1452 (msiexec.exe) is the dump to start from when looking for the injected Zloader payload: it is the process regsvr32.exe wrote to and called SetThreadContext on, and a low, unbacked 192KB mapping sized close to the 176KB sample is what a written-in image looks like.