Analysis

Max time kernel: 117s
Max time network: 117s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 01-02-2022 04:31
Static task: static1

Behavioral task: behavioral1
  Sample: af6af9c2d50e7c692521dac219b7f2f23c6b677216267dcbaf44bd44f7290d70.dll
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: af6af9c2d50e7c692521dac219b7f2f23c6b677216267dcbaf44bd44f7290d70.dll
  Resource: win10v2004-en-20220112
General

Target: af6af9c2d50e7c692521dac219b7f2f23c6b677216267dcbaf44bd44f7290d70.dll
Size: 830KB
MD5: 05df30ff372ff1d27ab4874b50565c8f
SHA1: e5e16ba4f24fd939e6ece581704ac6ca9df4b0d6
SHA256: af6af9c2d50e7c692521dac219b7f2f23c6b677216267dcbaf44bd44f7290d70
SHA512: ff152d5327fe7c3abeed6f74c3f5173de8bb228b6207036d9bc086eaeb164781118b6eb2fbae648ad06c59f862c902b8735099d63022dd661f6e5183631b97f8
Malware Config

Extracted: zloader
  main
  23.03.2020
  URLs:
    https://hustlertest.com/sound.php
    https://dandycodes.com/sound.php
    https://sandyfotos.com/sound.php
  build_id: 26
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: msiexec.exe
  Key created: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run (msiexec.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ynfidea = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Onex\\evniypyh.dll,DllRegisterServer" (msiexec.exe)

Suspicious use of SetThreadContext (1 IoC)
  Process: rundll32.exe
  PID 788 (rundll32.exe) set thread context of PID 1600 (msiexec.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process: msiexec.exe
  PID 1600 (msiexec.exe): Token: SeSecurityPrivilege
  PID 1600 (msiexec.exe): Token: SeSecurityPrivilege

Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID  | Process      | Target PID | Target process
  732  | rundll32.exe | 788        | rundll32.exe
  732  | rundll32.exe | 788        | rundll32.exe
  732  | rundll32.exe | 788        | rundll32.exe
  732  | rundll32.exe | 788        | rundll32.exe
  732  | rundll32.exe | 788        | rundll32.exe
  732  | rundll32.exe | 788        | rundll32.exe
  732  | rundll32.exe | 788        | rundll32.exe
  788  | rundll32.exe | 1600       | msiexec.exe
  788  | rundll32.exe | 1600       | msiexec.exe
  788  | rundll32.exe | 1600       | msiexec.exe
  788  | rundll32.exe | 1600       | msiexec.exe
  788  | rundll32.exe | 1600       | msiexec.exe
  788  | rundll32.exe | 1600       | msiexec.exe
  788  | rundll32.exe | 1600       | msiexec.exe
  788  | rundll32.exe | 1600       | msiexec.exe
  788  | rundll32.exe | 1600       | msiexec.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\af6af9c2d50e7c692521dac219b7f2f23c6b677216267dcbaf44bd44f7290d70.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\af6af9c2d50e7c692521dac219b7f2f23c6b677216267dcbaf44bd44f7290d70.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
Downloads

File                                                                  | Filesize
memory/788-55-0x0000000076B81000-0x0000000076B83000-memory.dmp        | 8KB
memory/788-56-0x0000000000220000-0x000000000026C000-memory.dmp        | 304KB
memory/788-57-0x0000000010000000-0x00000000100D1000-memory.dmp        | 836KB
memory/1600-58-0x0000000000090000-0x00000000000C0000-memory.dmp       | 192KB
memory/1600-59-0x0000000000090000-0x00000000000C1000-memory.dmp       | 196KB
memory/1600-60-0x0000000000090000-0x00000000000C1000-memory.dmp       | 196KB
memory/1600-62-0x0000000000090000-0x00000000000C0000-memory.dmp       | 192KB