Analysis
-
max time kernel
142s -
max time network
142s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-03-2021 00:52
Static task
static1
Behavioral task
behavioral1
Sample
c8c5815fe4a06a752e51f79332a393db1f91a8e39b67899aa996e4ca76cfa675.dll
Resource
win7v20201028
General
-
Target
c8c5815fe4a06a752e51f79332a393db1f91a8e39b67899aa996e4ca76cfa675.dll
-
Size
400KB
-
MD5
3cf481ccbb1019894fcbacb554f3bda1
-
SHA1
63c11153ab0afb36703723c5121cd0e9b48ac6e8
-
SHA256
c8c5815fe4a06a752e51f79332a393db1f91a8e39b67899aa996e4ca76cfa675
-
SHA512
628e34581b3ebc7645639f2e6da19ce15afb794cc032e99d895841eecef0bd372da27895a9485bb18630864b921c1239fa6e4904d6bd6f54ca80a220a3fe66d0
Malware Config
Extracted
zloader
nut
12/11
https://tfbuildingjoinery.co.uk/robots.php
https://globalpacificproperties.com.au/terms.php
https://www.loonybinforum.com/errors.php
https://luminousintent.com.au/wp-smarts.php
https://espazioabierto.com/wp-smarts.php
https://racriporrosepo.tk/wp-smarts.php
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
rundll32.exedescription pid process target process PID 4696 created 3128 4696 rundll32.exe Explorer.EXE -
Blocklisted process makes network request 15 IoCs
Processes:
msiexec.exeflow pid process 23 3984 msiexec.exe 25 3984 msiexec.exe 26 3984 msiexec.exe 28 3984 msiexec.exe 29 3984 msiexec.exe 30 3984 msiexec.exe 31 3984 msiexec.exe 33 3984 msiexec.exe 41 3984 msiexec.exe 42 3984 msiexec.exe 43 3984 msiexec.exe 44 3984 msiexec.exe 45 3984 msiexec.exe 46 3984 msiexec.exe 48 3984 msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
rundll32.exedescription pid process target process PID 4696 set thread context of 3984 4696 rundll32.exe msiexec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 4696 rundll32.exe 4696 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
rundll32.exemsiexec.exedescription pid process Token: SeDebugPrivilege 4696 rundll32.exe Token: SeSecurityPrivilege 3984 msiexec.exe Token: SeSecurityPrivilege 3984 msiexec.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 4684 wrote to memory of 4696 4684 rundll32.exe rundll32.exe PID 4684 wrote to memory of 4696 4684 rundll32.exe rundll32.exe PID 4684 wrote to memory of 4696 4684 rundll32.exe rundll32.exe PID 4696 wrote to memory of 3984 4696 rundll32.exe msiexec.exe PID 4696 wrote to memory of 3984 4696 rundll32.exe msiexec.exe PID 4696 wrote to memory of 3984 4696 rundll32.exe msiexec.exe PID 4696 wrote to memory of 3984 4696 rundll32.exe msiexec.exe PID 4696 wrote to memory of 3984 4696 rundll32.exe msiexec.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3128
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c8c5815fe4a06a752e51f79332a393db1f91a8e39b67899aa996e4ca76cfa675.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:3984
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c8c5815fe4a06a752e51f79332a393db1f91a8e39b67899aa996e4ca76cfa675.dll,#11⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3984-5-0x0000000000000000-mapping.dmp
-
memory/3984-6-0x0000000000CD0000-0x0000000000CF6000-memory.dmpFilesize
152KB
-
memory/4696-2-0x0000000000000000-mapping.dmp
-
memory/4696-3-0x0000000010000000-0x0000000010026000-memory.dmpFilesize
152KB
-
memory/4696-4-0x0000000002C50000-0x0000000002C51000-memory.dmpFilesize
4KB