Analysis

max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7v20210410
submitted: 15-04-2021 19:12

Static task: static1
Behavioral task: behavioral1
Sample: 311c78f93acf71a31e5c05bb20f0eef5.dll
Resource: win7v20210410 (windows7_x64)
0 signatures
0 seconds
General

Target: 311c78f93acf71a31e5c05bb20f0eef5.dll
Size: 666KB
MD5: 311c78f93acf71a31e5c05bb20f0eef5
SHA1: d9618042f78ad4fd5e7c9e20114badf4e0b1b7b7
SHA256: ca4a842f5c327aa4372549fc4bf1e6f86956cfddcf423fbaadeba69fd6738c05
SHA512: 781b64a2da50a94c660e577aad6dd0995ca1895c6b09f32c177d30383e721586ef7f0ae2c1aec8658b89b9b9ae4f1903e39b6bc5f11d554697c64974cec2bcb9
Malware Config

Extracted
Family: zloader
Botnet: nut
Campaign: 13/04
C2:
https://jiaayanu.com/post.php
https://investinszeklerland.eu/post.php
https://iqs-sac.com/post.php
https://jciems.in/post.php
https://jinnahofficersschool.com/post.php
https://kancagh.com/post.php
rc4.plain
rsa_pubkey.plain
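The six C2 endpoints above all share the generic path /post.php, so the durable indicator is the hostname, not the full URL. The following is an added example (not part of the sandbox report) that turns the extracted C2 list into a two-tier matcher and runs it over a few constructed proxy log lines: an exact URL hit is reported at higher confidence, while any request to one of the C2 hosts or a subdomain of it is still reported as a host-level hit. The log lines, timestamps and client addresses are made up for the example.

```python
from urllib.parse import urlsplit

# C2 endpoints copied from the extracted zloader config on this page.
C2_URLS = [
    "https://jiaayanu.com/post.php",
    "https://investinszeklerland.eu/post.php",
    "https://iqs-sac.com/post.php",
    "https://jciems.in/post.php",
    "https://jinnahofficersschool.com/post.php",
    "https://kancagh.com/post.php",
]

# Constructed proxy log lines (not from the report):
# <timestamp> <client ip> <method> <url> <status>
PROXY_LOG = """\
2021-04-15T19:13:01Z 10.0.0.21 POST https://jiaayanu.com/post.php 200
2021-04-15T19:13:02Z 10.0.0.21 GET https://www.example.com/index.html 200
2021-04-15T19:13:05Z 10.0.0.33 POST https://cdn.kancagh.com/post.php 404
2021-04-15T19:13:09Z 10.0.0.33 GET http://jciems.in/ 301
2021-04-15T19:13:12Z 10.0.0.40 POST https://notjciems.in/post.php 200
"""


def c2_hosts(urls):
    """Reduce the C2 URLs to a set of lower-cased hostnames."""
    return {urlsplit(u).hostname.lower() for u in urls}


def host_matches(host, c2):
    """True if host is a C2 host or a subdomain of one (notjciems.in is NOT
    a subdomain of jciems.in, so the dot is required before the suffix)."""
    host = host.lower().rstrip(".")
    return host in c2 or any(host.endswith("." + h) for h in c2)


def match_proxy_log(log_text, urls=C2_URLS):
    """Return one hit per log line that touches a C2 endpoint or host.

    'exact-url' hits reproduce the beacon URL from the config; 'host' hits
    cover scheme changes, bare-host probes and subdomains, which the generic
    /post.php path alone would never distinguish.
    """
    c2 = c2_hosts(urls)
    exact = {u.lower() for u in urls}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        host = urlsplit(url).hostname or ""
        if url.lower() in exact:
            hits.append({"ts": ts, "client": client, "url": url, "match": "exact-url"})
        elif host_matches(host, c2):
            hits.append({"ts": ts, "client": client, "url": url, "match": "host"})
    return hits


if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG):
        print(hit)
```

Host-level matching is what catches the cdn.kancagh.com and http://jciems.in/ lines; the 404 on the subdomain probe is still worth reporting because the client resolved and contacted the C2 domain at all.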
Signatures

Blocklisted process makes network request (8 IoCs)
Processes:
  flow  pid   process
  7     1520  msiexec.exe
  8     1520  msiexec.exe
  9     1520  msiexec.exe
  10    1520  msiexec.exe
  11    1520  msiexec.exe
  12    1520  msiexec.exe
  13    1520  msiexec.exe
  14    1520  msiexec.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process       target process
  PID 2032 set thread context of 1520  2032  rundll32.exe  msiexec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                 pid   process
  Token: SeSecurityPrivilege  1520  msiexec.exe
  Token: SeSecurityPrivilege  1520  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                       pid   process       target process   count
  PID 1208 wrote to memory of 2032  1208  rundll32.exe  rundll32.exe     7
  PID 2032 wrote to memory of 1520  2032  rundll32.exe  msiexec.exe      9
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\311c78f93acf71a31e5c05bb20f0eef5.dll,#1
   PID: 1208
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\311c78f93acf71a31e5c05bb20f0eef5.dll,#1
      PID: 2032
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe
         msiexec.exe
         PID: 1520
         - Blocklisted process makes network request
         - Suspicious use of AdjustPrivilegeToken
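Read together, the signature tables and the process tree describe one chain: the 64-bit rundll32.exe (1208) re-launches the DLL under the SysWOW64 rundll32.exe (2032), which spawns msiexec.exe (1520), writes into it and resets its thread context, after which msiexec.exe is the process making the network requests. WriteProcessMemory followed by SetThreadContext on a freshly spawned child is the pattern an analyst would label process hollowing. The block below is an added example (not part of the report or of any sandbox's code) that parses records in the shape of the flattened signature rows on this page and correlates them into that chain. The input lines are constructed from the tables above; the network-flow rows are prefixed with the literal word `flow` so they parse unambiguously, and only a subset of the 16 WriteProcessMemory rows is included.

```python
import re
from collections import defaultdict

# Constructed from the report's signature tables (one record per line).
SIGNATURE_LINES = """\
PID 1208 wrote to memory of 2032 1208 rundll32.exe rundll32.exe
PID 1208 wrote to memory of 2032 1208 rundll32.exe rundll32.exe
PID 2032 wrote to memory of 1520 2032 rundll32.exe msiexec.exe
PID 2032 wrote to memory of 1520 2032 rundll32.exe msiexec.exe
PID 2032 wrote to memory of 1520 2032 rundll32.exe msiexec.exe
PID 2032 set thread context of 1520 2032 rundll32.exe msiexec.exe
Token: SeSecurityPrivilege 1520 msiexec.exe
flow 7 1520 msiexec.exe
flow 8 1520 msiexec.exe
"""

# One regex per row shape. The (?P=src) backreference enforces that the
# "pid" column repeats the PID named in the description, as the tables do.
_PATTERNS = {
    "write": re.compile(
        r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
        r"(?P<src_name>\S+) (?P<dst_name>\S+)$"),
    "set_thread_context": re.compile(
        r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+) (?P=src) "
        r"(?P<src_name>\S+) (?P<dst_name>\S+)$"),
    "token": re.compile(r"^Token: (?P<priv>\S+) (?P<pid>\d+) (?P<name>\S+)$"),
    "flow": re.compile(r"^flow (?P<flow>\d+) (?P<pid>\d+) (?P<name>\S+)$"),
}


def parse_records(text):
    """Turn signature rows into dicts tagged with their kind; reject junk."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for kind, pat in _PATTERNS.items():
            m = pat.match(line)
            if m:
                rec = {"kind": kind}
                rec.update(m.groupdict())
                records.append(rec)
                break
        else:
            raise ValueError(f"unrecognised signature line: {line!r}")
    return records


def correlate(records):
    """Group memory writes and thread-context changes by (source, target)
    and enrich each pair with what the target did afterwards."""
    pairs = defaultdict(lambda: {"write": 0, "set_thread_context": 0})
    names, flows, privs = {}, defaultdict(list), defaultdict(set)
    for r in records:
        if r["kind"] in ("write", "set_thread_context"):
            pairs[(r["src"], r["dst"])][r["kind"]] += 1
            names[r["src"]] = r["src_name"]
            names[r["dst"]] = r["dst_name"]
        elif r["kind"] == "flow":
            flows[r["pid"]].append(int(r["flow"]))
            names[r["pid"]] = r["name"]
        elif r["kind"] == "token":
            privs[r["pid"]].add(r["priv"])
            names[r["pid"]] = r["name"]
    findings = []
    for (src, dst), counts in sorted(pairs.items()):
        # Writing into a process AND replacing its thread context is the
        # hollowing signature; writes alone are lower confidence.
        hollow = counts["write"] > 0 and counts["set_thread_context"] > 0
        findings.append({
            "source": f"{names[src]} ({src})",
            "target": f"{names[dst]} ({dst})",
            "writes": counts["write"],
            "thread_context_set": counts["set_thread_context"] > 0,
            "verdict": "hollowing/injection" if hollow else "memory write only",
            "target_network_flows": sorted(flows.get(dst, [])),
            "target_privileges": sorted(privs.get(dst, set())),
        })
    return findings


def analyse(text=SIGNATURE_LINES):
    return correlate(parse_records(text))


if __name__ == "__main__":
    for f in analyse():
        print(f)
```

On the constructed input the 1208 to 2032 pair comes out as "memory write only" (a parent writing into the child it just created is not by itself conclusive), while the 2032 to 1520 pair is flagged as hollowing and carries the network flows and the SeSecurityPrivilege adjustment performed by the hollowed msiexec.exe, which is the pivot point to hand to incident response.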
Network
MITRE ATT&CK Matrix
Downloads

memory/1520-64-0x0000000000000000-mapping.dmp
memory/1520-66-0x00000000000D0000-0x00000000000FB000-memory.dmp (172KB)
memory/2032-59-0x0000000000000000-mapping.dmp
memory/2032-60-0x0000000075561000-0x0000000075563000-memory.dmp (8KB)
memory/2032-61-0x00000000747E0000-0x000000007480B000-memory.dmp (172KB)
memory/2032-62-0x00000000747E0000-0x00000000748A8000-memory.dmp (800KB)
memory/2032-63-0x0000000000180000-0x0000000000181000-memory.dmp (4KB)