Analysis
-
max time kernel
147s -
max time network
143s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
12-10-2021 10:45
Static task
static1
Behavioral task
behavioral1
Sample
dllhost.exe
Resource
win7-en-20210920
General
-
Target
dllhost.exe
-
Size
485KB
-
MD5
1fe73fe4d37cae6a02262b5164f3def0
-
SHA1
80b03eb27651723bded1fd1425f489225b3bba3b
-
SHA256
0c33fe39195569a868cf9f87d3aff16e72f5a54c4e52a852b8f986d121fa47e8
-
SHA512
7416dadb6e85cc43000bba33f47797cf7e5fe5ee0c9f8639685130264a867b6048839d2b74ca3e00b00caf8a1dcf83d08f01901c56ab9343888d62501c48d2b6
Malware Config
Extracted
Family |
formbook |
Version |
4.1 |
Campaign |
kzk9 |
C2 |
http://www.yourmajordomo.com/kzk9/ |
Decoy |
tianconghuo.club 1996-page.com ourtownmax.net conservativetreehose.com synth.repair donnachicacreperia.com tentfull.com weapp.download surfersink.com gattlebusinessservices.com sebastian249.com anhphuc.company betternatureproducts.net defroplate.com seattlesquidsquad.com polarjob.com lendingadvantage.com angelsondope.com goportjitney.com tiendagrupojagr.com self-care360.com foreignexchage.com loan-stalemate.info hrsimrnsingh.com laserobsession.com primetimesmagazine.com teminyulon.xyz kanoondarab.com alpinefall.com tbmautosales.com 4g2020.com libertyquartermaster.com flavorfalafel.com generlitravel.com solvedfp.icu jamnvibez.com zmx258.com doudiangroup.com dancecenterwest.com ryantheeconomist.com beeofthehive.com bluelearn.world vivalasplantas.com yumiacraftlab.com shophere247365.com enjoybespokenwords.com windajol.com ctgbazar.xyz afcerd.com dateprotect.com northeastonmusic.com fourwaira.com forschungsraumtheater.com islameraloke.com mavericksone.com whguideinfrared.com akomandr.com experts-portail.com ambassadorworldnews.com case-kangaroo.com theglobalbusinessmentor.com igforoldpeople.com royalglossesbss.com merxeduct.com |
Signatures
-
Formbook Payload ⋅ 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1036-62-0x0000000000400000-0x000000000042E000-memory.dmp formbook behavioral1/memory/1036-63-0x000000000041EB80-mapping.dmp formbook behavioral1/memory/1300-71-0x0000000000080000-0x00000000000AE000-memory.dmp formbook -
Deletes itself ⋅ 1 IoCs
Processes:
cmd.exepid process 1016 cmd.exe -
Suspicious use of SetThreadContext ⋅ 3 IoCs
Processes:
dllhost.exedllhost.execolorcpl.exedescription pid process target process PID 1324 set thread context of 1036 1324 dllhost.exe dllhost.exe PID 1036 set thread context of 1244 1036 dllhost.exe Explorer.EXE PID 1300 set thread context of 1244 1300 colorcpl.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses ⋅ 28 IoCs
Processes:
dllhost.exedllhost.execolorcpl.exepid process 1324 dllhost.exe 1324 dllhost.exe 1324 dllhost.exe 1324 dllhost.exe 1324 dllhost.exe 1324 dllhost.exe 1324 dllhost.exe 1036 dllhost.exe 1036 dllhost.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe 1300 colorcpl.exe -
Suspicious behavior: MapViewOfSection ⋅ 5 IoCs
Processes:
dllhost.execolorcpl.exepid process 1036 dllhost.exe 1036 dllhost.exe 1036 dllhost.exe 1300 colorcpl.exe 1300 colorcpl.exe -
Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs
Processes:
dllhost.exedllhost.execolorcpl.exedescription pid process Token: SeDebugPrivilege 1324 dllhost.exe Token: SeDebugPrivilege 1036 dllhost.exe Token: SeDebugPrivilege 1300 colorcpl.exe -
Suspicious use of FindShellTrayWindow ⋅ 2 IoCs
Processes:
Explorer.EXEpid process 1244 Explorer.EXE 1244 Explorer.EXE -
Suspicious use of SendNotifyMessage ⋅ 2 IoCs
Processes:
Explorer.EXEpid process 1244 Explorer.EXE 1244 Explorer.EXE -
Suspicious use of WriteProcessMemory ⋅ 15 IoCs
Processes:
dllhost.exeExplorer.EXEcolorcpl.exedescription pid process target process PID 1324 wrote to memory of 1036 1324 dllhost.exe dllhost.exe PID 1324 wrote to memory of 1036 1324 dllhost.exe dllhost.exe PID 1324 wrote to memory of 1036 1324 dllhost.exe dllhost.exe PID 1324 wrote to memory of 1036 1324 dllhost.exe dllhost.exe PID 1324 wrote to memory of 1036 1324 dllhost.exe dllhost.exe PID 1324 wrote to memory of 1036 1324 dllhost.exe dllhost.exe PID 1324 wrote to memory of 1036 1324 dllhost.exe dllhost.exe PID 1244 wrote to memory of 1300 1244 Explorer.EXE colorcpl.exe PID 1244 wrote to memory of 1300 1244 Explorer.EXE colorcpl.exe PID 1244 wrote to memory of 1300 1244 Explorer.EXE colorcpl.exe PID 1244 wrote to memory of 1300 1244 Explorer.EXE colorcpl.exe PID 1300 wrote to memory of 1016 1300 colorcpl.exe cmd.exe PID 1300 wrote to memory of 1016 1300 colorcpl.exe cmd.exe PID 1300 wrote to memory of 1016 1300 colorcpl.exe cmd.exe PID 1300 wrote to memory of 1016 1300 colorcpl.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXESuspicious use of FindShellTrayWindowSuspicious use of SendNotifyMessageSuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dllhost.exe"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"Suspicious use of SetThreadContextSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dllhost.exe"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"Suspicious use of SetThreadContextSuspicious behavior: EnumeratesProcessesSuspicious behavior: MapViewOfSectionSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\colorcpl.exe"C:\Windows\SysWOW64\colorcpl.exe"Suspicious use of SetThreadContextSuspicious behavior: EnumeratesProcessesSuspicious behavior: MapViewOfSectionSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"Deletes itself
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
Downloads
-
memory/1016-72-0x0000000000000000-mapping.dmp
-
memory/1036-65-0x0000000000A70000-0x0000000000D73000-memory.dmp
-
memory/1036-66-0x00000000001D0000-0x00000000001E4000-memory.dmp
-
memory/1036-60-0x0000000000400000-0x000000000042E000-memory.dmp
-
memory/1036-61-0x0000000000400000-0x000000000042E000-memory.dmp
-
memory/1036-62-0x0000000000400000-0x000000000042E000-memory.dmp
-
memory/1036-63-0x000000000041EB80-mapping.dmp
-
memory/1244-75-0x00000000062B0000-0x00000000063D1000-memory.dmp
-
memory/1244-67-0x0000000004AB0000-0x0000000004B87000-memory.dmp
-
memory/1300-68-0x0000000000000000-mapping.dmp
-
memory/1300-70-0x0000000000BA0000-0x0000000000BB8000-memory.dmp
-
memory/1300-71-0x0000000000080000-0x00000000000AE000-memory.dmp
-
memory/1300-73-0x0000000001FC0000-0x00000000022C3000-memory.dmp
-
memory/1300-74-0x0000000000890000-0x0000000000923000-memory.dmp
-
memory/1324-59-0x0000000004C00000-0x0000000004C50000-memory.dmp
-
memory/1324-58-0x0000000000440000-0x0000000000445000-memory.dmp
-
memory/1324-54-0x0000000000120000-0x0000000000121000-memory.dmp
-
memory/1324-57-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
-
memory/1324-56-0x0000000075661000-0x0000000075663000-memory.dmp