Analysis
max time kernel: 81s
max time network: 123s
platform: windows10_x64
resource: win10-en-20211014
submitted: 28-10-2021 11:34
Static task: static1
Behavioral task: behavioral1
Sample: SophosAmsiProvider.dll
Resource: win7-en-20210920
General
Target: SophosAmsiProvider.dll
Size: 432KB
MD5: 2b3251fe929788b34fd4af2b12c0ca09
SHA1: c58283831eb0d495b42236ff1ee59b05d6101873
SHA256: eecf912bfb121a06499dd43e8f62381d18a8b9efdc9e57aa2ae3d355cb28794e
SHA512: dd202ac9207c9e481911f29892c7fab12dc394349c51b318ab436d93c57f3217b3f52ba5bbc5fe0722bb5375fdd379810baaee334cc21cd34e7c09f357bfc386
Malware Config
Extracted
zloader
vasja
vasja
Signatures
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description         | pid  | process      | target process | PID
wrote to memory of  | 2704 | regsvr32.exe | regsvr32.exe   | 2724
wrote to memory of  | 2704 | regsvr32.exe | regsvr32.exe   | 2724
wrote to memory of  | 2704 | regsvr32.exe | regsvr32.exe   | 2724
Processes
1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\SophosAmsiProvider.dll
   Signature: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\SophosAmsiProvider.dll
      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe
Network
MITRE ATT&CK Matrix
Downloads
memory/1208-118-0x0000000000DD0000-0x0000000000DF6000-memory.dmp  Filesize: 152KB
memory/1208-119-0x0000000000000000-mapping.dmp
memory/1208-121-0x0000000000CE0000-0x0000000000CE1000-memory.dmp  Filesize: 4KB
memory/1208-120-0x0000000000CE0000-0x0000000000CE1000-memory.dmp  Filesize: 4KB
memory/1208-122-0x0000000000DD0000-0x0000000000DF6000-memory.dmp  Filesize: 152KB
memory/2724-115-0x0000000000000000-mapping.dmp
memory/2724-116-0x0000000000EF0000-0x0000000000EF1000-memory.dmp  Filesize: 4KB
memory/2724-117-0x0000000010000000-0x0000000010081000-memory.dmp  Filesize: 516KB