Resubmissions
10-09-2021 19:48
Analysis 210910-yjb28saef6 (score 10)
max time kernel: 148s
max time network: 135s
platform: windows10_x64
resource: win10v20210408
submitted: 10-09-2021 19:48
Behavioral task: behavioral1
Sample: 3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d.dll
Resource: win7-en
General
Target: 3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d.dll
Size: 133KB
MD5: 6d72546fbb7cae443a46d6a744760f7e
SHA1: c4d715bd92f12d54c2a77e5c1ac1ef1a2d1957f5
SHA256: 3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d
SHA512: 616e77a5a3e575d04229ecf6b7419c5886e1b2a9e38ba117debb4c97a3bce0b0ad75d9e9da46b747cee62cfa5a016bfc55a1d80aad2db137f7c1f176c4169f69
Malware Config
Extracted
Family: zloader
Botnet: nut
Campaign: 04/02
C2:
https://vidhyashram.edu.in/post.php
https://carmeta-ampuh.com/post.php
https://bestarticleblog.com/post.php
https://alahsateam.com/post.php
https://pyggroup.com.pe/post.php
https://perlisisacsiograv.tk/post.php
Signatures

Blocklisted process makes network request (34 IoCs)
Process: msiexec.exe (PID 1880)
Flows: 11, 12, 15, 16, 18, 19, 22, 23, 24, 25, 26, 27, 32, 33, 35, 37, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 51, 52, 53, 54, 55, 56, 58

Suspicious use of SetThreadContext (1 IoC)
PID 840 (rundll32.exe) set thread context of PID 1880 (msiexec.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeSecurityPrivilege, PID 1880 (msiexec.exe), observed twice

Suspicious use of WriteProcessMemory (8 IoCs)
PID 900 (rundll32.exe) wrote to memory of PID 840 (rundll32.exe), 3 times
PID 840 (rundll32.exe) wrote to memory of PID 1880 (msiexec.exe), 5 times
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b3bf8030dbda7b4c12d965928bce68ed15341fa9d91ea4489ad3ca7aad6614d.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe
         - Blocklisted process makes network request
         - Suspicious use of AdjustPrivilegeToken