Analysis
- max time kernel: 149s
- max time network: 133s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 04-10-2021 22:37
Static task: static1
Behavioral task: behavioral1
- Sample: tmp2.dll
- Resource: win7-en-20210920
General
- Target: tmp2.dll
- Size: 454KB
- MD5: 3d7ef38e63a73f1b0ca9a3a3ea39f491
- SHA1: dba032764df1e3b6bff027183d69c642ef2b123c
- SHA256: b4e0478cf85035852a664984f8639e98bee3b54d6530ef22d46874b14ad0e748
- SHA512: 0f162a402346bc036d4dd7b49b989bf0beb13cbf9ba7a5395f3486fae875726d863b3497de9cdd69947ce0e208e70859b9a069de4168fe8ea6c02b8b339da66b
Malware Config
Extracted
- Family: zloader
- Botnet: apr01
- Campaign: Canada
- C2 (all the same second-level label, march262020, across nine TLDs):
  http://march262020.best/post.php
  http://march262020.club/post.php
  http://march262020.com/post.php
  http://march262020.live/post.php
  http://march262020.network/post.php
  http://march262020.online/post.php
  http://march262020.site/post.php
  http://march262020.store/post.php
  http://march262020.tech/post.php
Signatures
- Blocklisted process makes network request (6 IoCs)
  flow 13, pid 1404, msiexec.exe
  flow 14, pid 1404, msiexec.exe
  flow 15, pid 1404, msiexec.exe
  flow 16, pid 1404, msiexec.exe
  flow 17, pid 1404, msiexec.exe
  flow 18, pid 1404, msiexec.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created by msiexec.exe: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str) by msiexec.exe: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fudete = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Hewa\\ufokfoan.dll,DllRegisterServer"
- Suspicious use of SetThreadContext (1 IoC)
  PID 1104 (rundll32.exe) set thread context of PID 1404 (msiexec.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeSecurityPrivilege, PID 1404 (msiexec.exe), twice
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 2024 (rundll32.exe) wrote to memory of PID 1104 (rundll32.exe), 7 times
  PID 1104 (rundll32.exe) wrote to memory of PID 1404 (msiexec.exe), 9 times
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmp2.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmp2.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      - Blocklisted process makes network request
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
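The signatures above only become convincing when read as one chain: the 64-bit rundll32.exe loads tmp2.dll by export ordinal #1, hands off to the 32-bit SysWOW64 rundll32.exe, which writes into a child msiexec.exe and rewrites its thread context (the WriteProcessMemory + SetThreadContext pair typical of process hollowing), and it is that injected msiexec.exe that then sets the Run key and makes the network requests. The script below is an added example, not part of this report or of the sandbox's tooling: it encodes that chain as detection logic over event records constructed here from the IoC rows on this page (the record field names are this example's own, not a sandbox export format), and also groups the extracted C2 URLs from the Malware Config section by second-level label to surface the march262020.* batch registration.

```python
"""Detection logic for the injection + persistence + beacon chain in this report.

Added example. EVENTS is constructed from the IoC rows of the report; the
dict keys ("type", "pid", "target_pid", ...) are assumptions of this example,
not the sandbox's schema.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed from the report's signature tables (one record per distinct row).
EVENTS = [
    {"type": "write_memory", "pid": 2024, "image": "rundll32.exe",
     "target_pid": 1104, "target_image": "rundll32.exe"},
    {"type": "write_memory", "pid": 1104, "image": "rundll32.exe",
     "target_pid": 1404, "target_image": "msiexec.exe"},
    {"type": "set_thread_context", "pid": 1104, "image": "rundll32.exe",
     "target_pid": 1404, "target_image": "msiexec.exe"},
    {"type": "registry_set", "pid": 1404, "image": "msiexec.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\Fudete",
     "value": r"rundll32.exe C:\Users\Admin\AppData\Roaming\Hewa\ufokfoan.dll,DllRegisterServer"},
    {"type": "network", "pid": 1404, "image": "msiexec.exe",
     "url": "http://march262020.best/post.php"},
]

# C2 list as extracted in the report's Malware Config section.
C2_URLS = [
    "http://march262020.%s/post.php" % tld
    for tld in ("best", "club", "com", "live", "network", "online", "site", "store", "tech")
]

# Signed Windows binaries that rarely originate HTTP POSTs on their own; a
# request from one of these is the "blocklisted process" signature.
NETWORK_UNEXPECTED = {"msiexec.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# rundll32 invoking an export of a DLL that lives under the user profile.
RUNDLL32_APPDATA_RE = re.compile(
    r"^rundll32(\.exe)?\s+.*\\AppData\\(Roaming|Local)\\.*\.dll,\s*\w+", re.IGNORECASE)


def injection_pairs(events):
    """(writer_pid, target_pid) where the same process both wrote into another
    process and then set a thread context there: the hollowing/hijack pair."""
    wrote = {(e["pid"], e["target_pid"]) for e in events if e["type"] == "write_memory"}
    ctx = {(e["pid"], e["target_pid"]) for e in events if e["type"] == "set_thread_context"}
    return sorted(wrote & ctx)


def suspicious_run_values(events):
    """Run/RunOnce values that start rundll32 against a DLL under AppData."""
    hits = []
    for e in events:
        if e["type"] != "registry_set" or not RUN_KEY_RE.search(e["key"]):
            continue
        if RUNDLL32_APPDATA_RE.match(e["value"]):
            hits.append((e["key"].rsplit("\\", 1)[-1], e["value"]))
    return hits


def unexpected_network(events):
    """(pid, image) of network activity from binaries in NETWORK_UNEXPECTED."""
    return sorted({(e["pid"], e["image"]) for e in events
                   if e["type"] == "network" and e["image"].lower() in NETWORK_UNEXPECTED})


def c2_domain_families(urls):
    """Group C2 hosts by second-level label -> sorted list of TLDs, so that one
    label bulk-registered across many TLDs (march262020.*) stands out."""
    families = defaultdict(list)
    for url in urls:
        parts = (urlsplit(url).hostname or "").split(".")
        if len(parts) >= 2:
            families[parts[-2]].append(parts[-1])
    return {label: sorted(tlds) for label, tlds in families.items()}


def analyze(events):
    pairs = injection_pairs(events)
    runs = suspicious_run_values(events)
    net = unexpected_network(events)
    injected = {target for _, target in pairs}
    # Tie the signatures together: the process that was injected into is the
    # one that persisted and beaconed. Three coincidences become one chain.
    chained = any(pid in injected for pid, _ in net) and any(
        e["type"] == "registry_set" and e["pid"] in injected for e in events)
    if chained:
        verdict = "malicious"
    elif pairs or runs or net:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"injection": pairs, "run_keys": runs, "network": net, "verdict": verdict}


if __name__ == "__main__":
    print(analyze(EVENTS))
    print(c2_domain_families(C2_URLS))
```

The verdict is deliberately tiered: a lone SetThreadContext or a lone Run key is noisy on real endpoints (installers and update agents do both), so only the injected process itself persisting and beaconing is scored as malicious.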
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1104-53-0x0000000000000000-mapping.dmp
- memory/1104-54-0x0000000075821000-0x0000000075823000-memory.dmp (8KB)
- memory/1104-56-0x0000000074D70000-0x0000000074DF9000-memory.dmp (548KB)
- memory/1104-55-0x0000000074D70000-0x0000000074DA0000-memory.dmp (192KB)
- memory/1104-57-0x00000000000B0000-0x00000000000B1000-memory.dmp (4KB)
- memory/1404-58-0x0000000000000000-mapping.dmp
- memory/1404-60-0x0000000000090000-0x00000000000C0000-memory.dmp (192KB)