Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 04-10-2021 22:37

Static task: static1

Behavioral task: behavioral1
- Sample: tmp2.dll
- Resource: win7-en-20210920

General
- Target: tmp2.dll
- Size: 454KB
- MD5: 3d7ef38e63a73f1b0ca9a3a3ea39f491
- SHA1: dba032764df1e3b6bff027183d69c642ef2b123c
- SHA256: b4e0478cf85035852a664984f8639e98bee3b54d6530ef22d46874b14ad0e748
- SHA512: 0f162a402346bc036d4dd7b49b989bf0beb13cbf9ba7a5395f3486fae875726d863b3497de9cdd69947ce0e208e70859b9a069de4168fe8ea6c02b8b339da66b
Malware Config
Extracted
- Family: zloader
- Botnet: apr01
- Campaign: Canada
- C2 (all POST to /post.php on the same march262020 label across nine TLDs):
  http://march262020.best/post.php
  http://march262020.club/post.php
  http://march262020.com/post.php
  http://march262020.live/post.php
  http://march262020.network/post.php
  http://march262020.online/post.php
  http://march262020.site/post.php
  http://march262020.store/post.php
  http://march262020.tech/post.php
Signatures
-
suricata: ET MALWARE Zbot POST Request to C2
suricata: ET MALWARE Zbot POST Request to C2
-
Blocklisted process makes network request (6 IoCs)
Processes:
flow  pid   process
27    2152  msiexec.exe
28    2152  msiexec.exe
29    2152  msiexec.exe
30    2152  msiexec.exe
31    2152  msiexec.exe
32    2152  msiexec.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description      ioc                                                                                                                 process
Key created      \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run          msiexec.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rayvunug = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Wyaho\\ehxiki.dll,DllRegisterServer"  msiexec.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
description                    pid   process       target process
PID 1964 set thread context of 2152  rundll32.exe  msiexec.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description                  pid   process
Token: SeSecurityPrivilege   2152  msiexec.exe
Token: SeSecurityPrivilege   2152  msiexec.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description                        pid   process       target process
PID 1828 wrote to memory of 1964   1828  rundll32.exe  rundll32.exe
PID 1828 wrote to memory of 1964   1828  rundll32.exe  rundll32.exe
PID 1828 wrote to memory of 1964   1828  rundll32.exe  rundll32.exe
PID 1964 wrote to memory of 2152   1964  rundll32.exe  msiexec.exe
PID 1964 wrote to memory of 2152   1964  rundll32.exe  msiexec.exe
PID 1964 wrote to memory of 2152   1964  rundll32.exe  msiexec.exe
PID 1964 wrote to memory of 2152   1964  rundll32.exe  msiexec.exe
PID 1964 wrote to memory of 2152   1964  rundll32.exe  msiexec.exe
Processes (tree; PIDs taken from the WriteProcessMemory and SetThreadContext IoCs above)
-
1. C:\Windows\system32\rundll32.exe (PID 1828)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmp2.dll,#1
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1964)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmp2.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Windows\SysWOW64\msiexec.exe (PID 2152)
         msiexec.exe
         - Blocklisted process makes network request
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
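The behaviours above (a 64-bit rundll32 re-launching the DLL through the SysWOW64 rundll32, that process writing into and setting the thread context of a bare msiexec.exe, the injected msiexec.exe writing a Run key that re-launches a profile-resident DLL via DllRegisterServer, and the POSTs to /post.php on march262020.* hosts) are exactly the things an endpoint detection would key on. The following is an added example, not part of the sandbox report and not the sandbox's own signature logic: a small Python triage checker run over constructed telemetry that mirrors this report's process tree, Run key and C2 flow. The event schema (`type`, `image`, `api`, `command_line`, ...) is made up for illustration and is not a real Sysmon or EDR format; only the indicator strings come from the report.

```python
"""Added example, not part of the sandbox report: a triage checker that scores
constructed endpoint events against the behaviours this report records for
tmp2.dll.  The event dictionaries use a simplified, made-up schema (not real
Sysmon/EDR output); only the indicator strings are taken from the report."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicators from the report: C2 path and domain pattern, the per-user Run key,
# and the "rundll32 <profile>\...\x.dll,DllRegisterServer" autorun shape.
C2_PATH = "/post.php"
C2_HOST_RE = re.compile(r"^march262020\.[a-z]+$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
RUNDLL_PROFILE_DLL_RE = re.compile(
    r"rundll32(\.exe)?\s+\S*\\AppData\\(Roaming|Local)\\[^,\s]+\.dll\s*,\s*DllRegisterServer",
    re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    evidence: str


def _basename_is(path: str, name: str) -> bool:
    """Case-insensitive compare of the last path component (system32 vs SysWOW64 both count)."""
    return path.replace("/", "\\").lower().rsplit("\\", 1)[-1] == name


def check_run_key(ev: Dict) -> List[Finding]:
    """Run-key value that re-launches a DLL living under the user's profile via rundll32."""
    if ev["type"] != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
        return []
    if not RUNDLL_PROFILE_DLL_RE.search(ev["data"]):
        return []
    return [Finding("rundll32_profile_dll_autorun", ev["pid"],
                    f'{ev["image"]} set {ev["key"]} = "{ev["data"]}"')]


def check_hollowing(ev: Dict) -> List[Finding]:
    """rundll32 starting msiexec.exe with no arguments (so no real install) and then
    taking WriteProcessMemory/SetThreadContext control of it: a hollowed host."""
    if ev["type"] == "process_create":
        if (_basename_is(ev["parent_image"], "rundll32.exe")
                and _basename_is(ev["image"], "msiexec.exe")
                and ev["command_line"].strip().lower() in ("msiexec.exe", ev["image"].lower())):
            return [Finding("rundll32_spawns_bare_msiexec", ev["pid"], ev["command_line"])]
    elif ev["type"] == "process_access":
        if (_basename_is(ev["source_image"], "rundll32.exe")
                and _basename_is(ev["target_image"], "msiexec.exe")
                and ev["api"] in ("WriteProcessMemory", "SetThreadContext")):
            return [Finding("rundll32_controls_msiexec", ev["source_pid"],
                            f'{ev["api"]} on pid {ev["target_pid"]}')]
    return []


def check_c2(ev: Dict) -> List[Finding]:
    """HTTP POST to /post.php on one of the extracted march262020.* domains."""
    if ev["type"] != "http" or ev["method"].upper() != "POST":
        return []
    if ev["path"] != C2_PATH or not C2_HOST_RE.match(ev["host"]):
        return []
    return [Finding("zloader_c2_post", ev["pid"],
                    f'{ev["image"]} -> http://{ev["host"]}{ev["path"]}')]


CHECKS = (check_run_key, check_hollowing, check_c2)


def triage(events: Iterable[Dict]) -> List[Finding]:
    """Run every check over every event; hits come back in event order."""
    findings: List[Finding] = []
    for ev in events:
        for check in CHECKS:
            findings.extend(check(ev))
    return findings


# Constructed events mirroring the report's tree (1828 -> 1964 -> 2152), Run key and
# C2 flow, followed by two benign events (a real installer run, a normal Run entry).
SID = "S-1-5-21-2481030822-2828258191-1606198294-1000"
EVENTS = [
    {"type": "process_create", "pid": 1964, "parent_image": "C:\\Windows\\system32\\rundll32.exe",
     "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "command_line": "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2.dll,#1"},
    {"type": "process_create", "pid": 2152, "parent_image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "image": "C:\\Windows\\SysWOW64\\msiexec.exe", "command_line": "msiexec.exe"},
    {"type": "process_access", "source_pid": 1964, "source_image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "target_pid": 2152, "target_image": "C:\\Windows\\SysWOW64\\msiexec.exe", "api": "SetThreadContext"},
    {"type": "registry_set", "pid": 2152, "image": "C:\\Windows\\SysWOW64\\msiexec.exe",
     "key": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Rayvunug",
     "data": "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Wyaho\\ehxiki.dll,DllRegisterServer"},
    {"type": "http", "pid": 2152, "image": "C:\\Windows\\SysWOW64\\msiexec.exe",
     "method": "POST", "host": "march262020.best", "path": "/post.php"},
    {"type": "process_create", "pid": 3000, "parent_image": "C:\\Windows\\explorer.exe",  # constructed
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "command_line": "msiexec.exe /i C:\\Users\\Admin\\Downloads\\app.msi"},
    {"type": "registry_set", "pid": 3001, "image": "C:\\Windows\\explorer.exe",  # constructed
     "key": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "data": "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.evidence}")
```

Run as-is it reports four findings for the report-derived events and nothing for the two benign ones. The bare-`msiexec.exe` check is the one worth keeping in a real rule set: a genuine installer run always carries `/i`, `/x`, `/package` or similar, so a rundll32 parent plus an empty command line is a strong hollowing signal on its own, independent of which C2 domains a given build uses.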
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1964-115-0x0000000000000000-mapping.dmp
- memory/1964-116-0x00000000734D0000-0x0000000073500000-memory.dmp (192KB)
- memory/1964-117-0x00000000734D0000-0x0000000073559000-memory.dmp (548KB)
- memory/1964-118-0x0000000001000000-0x00000000010AE000-memory.dmp (696KB)
- memory/2152-119-0x0000000000000000-mapping.dmp
- memory/2152-122-0x0000000003030000-0x0000000003060000-memory.dmp (192KB)