Analysis

max time kernel: 596s
max time network: 598s
platform: windows10_x64
resource: win10v20210410
submitted: 07-07-2021 20:04
Static task: static1
General

Target: favicon.dll
Size: 646KB
MD5: 1d700b208c65ca26efe5fa4be4749569
SHA1: 3deeff224b359ca2b28a841a116b84b783206adc
SHA256: f97954d9c80dbfee223fb704863c5a156912f450eee2d0510af6301dfd919f09
SHA512: 8c5bcbdf35f4e3ad1177d98b0944b1ec9f407a7bd537af5ecd8e5aad37a67c4c46748bfbe165b4edb6348324e4b97d26a6e1af0007f458c3f697a6757cb05d92
Malware Config

Extracted
Family: zloader
Botnet: mk1
Campaign: mac2
C2: https://dssdffsdf.drld/mm.php
rc4.plain
rsa_pubkey.plain
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)

description | pid | Process | procid_target
PID 3744 created 3052 | 3744 | rundll32.exe | 15

The process referenced here, 3052, is Explorer.EXE (the tree root below). Read together with the process tree, where msiexec.exe (2732) is shown directly under Explorer.EXE rather than under the rundll32.exe that writes to it, this is the shape of parent-PID spoofing: the injected process is created with Explorer as its nominal parent.

Blocklisted process makes network request (7 IoCs)

flow | pid | Process
34 | 2732 | msiexec.exe
35 | 2732 | msiexec.exe
36 | 2732 | msiexec.exe
37 | 2732 | msiexec.exe
38 | 2732 | msiexec.exe
39 | 2732 | msiexec.exe
40 | 2732 | msiexec.exe

All seven flows originate from msiexec.exe (2732), not from rundll32.exe; the network activity comes from the injected host process.

Suspicious use of SetThreadContext (1 IoC)

description | pid | Process | procid_target
PID 3744 set thread context of 2732 | 3744 | rundll32.exe | 80

Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
3744 | rundll32.exe
3744 | rundll32.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 3744 | rundll32.exe
Token: SeSecurityPrivilege | 2732 | msiexec.exe
Token: SeSecurityPrivilege | 2732 | msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)

description | pid | Process | procid_target
PID 3904 wrote to memory of 3744 | 3904 | rundll32.exe | 48
PID 3904 wrote to memory of 3744 | 3904 | rundll32.exe | 48
PID 3904 wrote to memory of 3744 | 3904 | rundll32.exe | 48
PID 3744 wrote to memory of 2732 | 3744 | rundll32.exe | 80
PID 3744 wrote to memory of 2732 | 3744 | rundll32.exe | 80
PID 3744 wrote to memory of 2732 | 3744 | rundll32.exe | 80
PID 3744 wrote to memory of 2732 | 3744 | rundll32.exe | 80
PID 3744 wrote to memory of 2732 | 3744 | rundll32.exe | 80

The five writes from 3744 into 2732 are followed by the SetThreadContext call on the same target; remote writes plus a thread-context change on the same process is the classic injection pattern, which is why msiexec.exe, not the DLL loader, is the process that goes on to make network requests.
Processes

C:\Windows\Explorer.EXE  (PID 3052)
  command line: C:\Windows\Explorer.EXE
  |
  +-- C:\Windows\system32\rundll32.exe  (PID 3904)
  |     command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\favicon.dll,#1
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\SysWOW64\rundll32.exe  (PID 3744)
  |           command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\favicon.dll,#1
  |           - Suspicious use of NtCreateUserProcessOtherParentProcess
  |           - Suspicious use of SetThreadContext
  |           - Suspicious behavior: EnumeratesProcesses
  |           - Suspicious use of AdjustPrivilegeToken
  |           - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\msiexec.exe  (PID 2732)
        command line: msiexec.exe
        - Blocklisted process makes network request
        - Suspicious use of AdjustPrivilegeToken
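The following Python is an added example, not part of the Triage report and not Triage's own tooling. It encodes the rows of the signature tables and the process tree above as constructed records (the field names are this example's own convention, not a Triage export format) and correlates them the way an analyst would by hand: pair remote memory writes with a SetThreadContext call on the same target to find the injection, attribute the injected process's network flows back to the injector, and flag the injected process whose displayed parent is the "other parent" handed to NtCreateUserProcess. The reading of 3052 in the NtCreateUserProcessOtherParentProcess row as the spoofed parent is an inference from the process tree, stated as such in the comments.

```python
"""Correlate sandbox behaviour rows into an injection chain.

Added example; not part of the Triage report. Records are constructed by
hand from the signature tables and process tree above, and the field names
(sig, pid, target, other_parent, flow) are this example's own.
"""
from collections import defaultdict

# Process tree as displayed: pid -> (image, parent shown in the tree).
# msiexec.exe (2732) is shown under Explorer.EXE (3052) even though
# rundll32.exe (3744) is the process that wrote into it.
TREE = {
    3052: ("Explorer.EXE", None),
    3904: ("rundll32.exe", 3052),
    3744: ("rundll32.exe", 3904),
    2732: ("msiexec.exe", 3052),
}

# One record per IoC row in the report.
EVENTS = [
    # NtCreateUserProcessOtherParentProcess (1 IoC). The row lists 3052,
    # Explorer.EXE; reading it as the parent handed to NtCreateUserProcess
    # is this example's inference from the tree, not a statement by Triage.
    {"sig": "other_parent", "pid": 3744, "other_parent": 3052},
    # WriteProcessMemory (8 IoCs)
    *[{"sig": "write_memory", "pid": 3904, "target": 3744}] * 3,
    *[{"sig": "write_memory", "pid": 3744, "target": 2732}] * 5,
    # SetThreadContext (1 IoC)
    {"sig": "set_thread_context", "pid": 3744, "target": 2732},
    # Blocklisted process makes network request (7 IoCs), flows 34..40
    *[{"sig": "network", "pid": 2732, "flow": f} for f in range(34, 41)],
    # AdjustPrivilegeToken (3 IoCs)
    {"sig": "privilege", "pid": 3744, "token": "SeDebugPrivilege"},
    *[{"sig": "privilege", "pid": 2732, "token": "SeSecurityPrivilege"}] * 2,
]


def find_injections(events):
    """Return {(injector, target): write_count} for every pair that both
    wrote into a remote process and changed a thread context there.

    WriteProcessMemory on its own is noisy (3904 -> 3744 here has writes
    but no SetThreadContext and is not flagged); the pairing is what
    marks hollowing / thread hijacking.
    """
    writes = defaultdict(int)
    ctx = set()
    for e in events:
        if e["sig"] == "write_memory":
            writes[(e["pid"], e["target"])] += 1
        elif e["sig"] == "set_thread_context":
            ctx.add((e["pid"], e["target"]))
    return {pair: writes[pair] for pair in ctx if writes[pair] > 0}


def attribute_network(events, injections):
    """List (flow, pid, injector) for every flow from an injected process."""
    injected = {target: injector for (injector, target) in injections}
    return [(e["flow"], e["pid"], injected[e["pid"]])
            for e in events
            if e["sig"] == "network" and e["pid"] in injected]


def spoofed_parents(events, tree, injections):
    """Flag injected processes whose displayed parent is not the injector
    but matches the other parent the injector passed to NtCreateUserProcess."""
    other = {e["pid"]: e["other_parent"] for e in events if e["sig"] == "other_parent"}
    findings = []
    for injector, target in injections:
        shown_parent = tree[target][1]
        if shown_parent != injector and other.get(injector) == shown_parent:
            findings.append({"injector": injector, "target": target,
                             "shown_parent": shown_parent})
    return findings


def summarize(events=EVENTS, tree=TREE):
    inj = find_injections(events)
    return {
        "injections": {f"{a}->{b}": n for (a, b), n in inj.items()},
        "flows": attribute_network(events, inj),
        "ppid_spoofing": spoofed_parents(events, tree, inj),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(), indent=2))
```

Run as a script it prints one injection (3744 into 2732, five writes), all seven flows attributed to rundll32.exe 3744 via msiexec.exe 2732, and one parent-spoofing finding with Explorer.EXE 3052 as the displayed parent. The same correlation works on Sysmon or EDR telemetry once the events are mapped onto the `sig`/`pid`/`target` fields.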