Analysis
max time kernel: 127s
max time network: 127s
platform: windows7_x64
resource: win7-en-20211208
submitted: 01-02-2022 04:31
Behavioral task behavioral1
Sample: af62641d0be903ea60f9e26caf913f886b21460f7ccacab2df809e6de0a72dbf.dll
Resource: win7-en-20211208
Behavioral task behavioral2
Sample: af62641d0be903ea60f9e26caf913f886b21460f7ccacab2df809e6de0a72dbf.dll
Resource: win10v2004-en-20220113
General
Target: af62641d0be903ea60f9e26caf913f886b21460f7ccacab2df809e6de0a72dbf.dll
Size: 454KB
MD5: 6a996ad9b92e21065fa2e482281eaa58
SHA1: 2c058d0ffd86f97a666e84a24e5be373128ab1d1
SHA256: af62641d0be903ea60f9e26caf913f886b21460f7ccacab2df809e6de0a72dbf
SHA512: ca7c4eb14f41f156af235472d86951ef8deea2c2329452fa89a1a3928482c73aa81664c4862ec4c9b5486ab803d69d67a1e6d7ef5975e9f45cb5c20059f48b95
Malware Config
Extracted
Family: zloader
Botnet: Mar31
Campaign: Canada
C2:
http://march262020.best/post.php
http://march262020.club/post.php
http://march262020.com/post.php
http://march262020.live/post.php
http://march262020.network/post.php
http://march262020.online/post.php
http://march262020.site/post.php
http://march262020.store/post.php
http://march262020.tech/post.php
build_id: 87
Signatures

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Blocklisted process makes network request (14 IoCs)
flow  pid   process
5     1560  msiexec.exe
7     1560  msiexec.exe
9     1560  msiexec.exe
11    1560  msiexec.exe
13    1560  msiexec.exe
14    1560  msiexec.exe
15    1560  msiexec.exe
16    1560  msiexec.exe
17    1560  msiexec.exe
18    1560  msiexec.exe
20    1560  msiexec.exe
22    1560  msiexec.exe
24    1560  msiexec.exe
26    1560  msiexec.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run (msiexec.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qyehwyo = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Ziolr\\tirofyew.dll,DllRegisterServer" (msiexec.exe)

Suspicious use of SetThreadContext (1 IoC)
PID 1512 (rundll32.exe) set thread context of PID 1560 (msiexec.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeSecurityPrivilege, PID 1560 (msiexec.exe), reported twice

Suspicious use of WriteProcessMemory (16 IoCs)
PID 1704 (rundll32.exe) wrote to memory of PID 1512 (rundll32.exe): 7 IoCs
PID 1512 (rundll32.exe) wrote to memory of PID 1560 (msiexec.exe): 9 IoCs
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\af62641d0be903ea60f9e26caf913f886b21460f7ccacab2df809e6de0a72dbf.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\af62641d0be903ea60f9e26caf913f886b21460f7ccacab2df809e6de0a72dbf.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      command line: msiexec.exe
      - Blocklisted process makes network request
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
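The three behaviours the report ties together (the SysWOW64 rundll32 setting the thread context of msiexec, the hollowed msiexec writing a Run value that reloads a dropped DLL through rundll32 DllRegisterServer, and that same msiexec posting to the march262020.* C2 list) are more useful hunted as one chain than as three isolated hits. The following is an added example, not part of the sandbox report or of any Triage tooling. It runs over a constructed event list that mirrors the report's IoCs and uses an assumed, simplified field schema (type, pid, source_image, target_image, key, data, url), not Sysmon's or the sandbox's own format. The Run-key rule is written more generally than this one sample: any Run value that loads a DLL under AppData\Roaming or AppData\Local via rundll32 DllRegisterServer is flagged.

```python
"""Hunt for the Zloader chain in the report above: rundll32 hollows msiexec,
the hollowed msiexec persists via a Run key and beacons to the C2 list.

Added example, not part of the sandbox report. Event records and field names
are an assumed simplified telemetry schema, constructed to mirror the IoCs.
"""
import re
from urllib.parse import urlparse

# C2 URLs from the extracted zloader config on this page.
ZLOADER_C2 = [
    "http://march262020.best/post.php",
    "http://march262020.club/post.php",
    "http://march262020.com/post.php",
    "http://march262020.live/post.php",
    "http://march262020.network/post.php",
    "http://march262020.online/post.php",
    "http://march262020.site/post.php",
    "http://march262020.store/post.php",
    "http://march262020.tech/post.php",
]
C2_HOSTS = {urlparse(u).hostname for u in ZLOADER_C2}

# Run-value data that launches rundll32 on a DLL dropped under the user
# profile and calls its DllRegisterServer export (the report's "Qyehwyo").
RUN_VALUE_RE = re.compile(
    r"rundll32(?:\.exe)?\s+.*\\AppData\\(?:Roaming|Local)\\.*\.dll\s*,\s*DllRegisterServer",
    re.IGNORECASE,
)


def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, pid, detail) for every event matching one of the rules."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set":
            if "\\CurrentVersion\\Run\\" in ev["key"] and RUN_VALUE_RE.search(ev["data"]):
                findings.append(("run_key_rundll32_dll", ev["pid"], ev["key"]))
        elif ev["type"] == "set_thread_context":
            # rundll32 driving a thread in a process with a different image is
            # the hollowing pattern. rundll32 -> rundll32 (the 64-bit system32
            # copy handing a 32-bit DLL to the SysWOW64 copy) is not flagged.
            src, dst = _image_name(ev["source_image"]), _image_name(ev["target_image"])
            if src == "rundll32.exe" and dst != src:
                findings.append(("thread_context_hijack", ev["target_pid"], f"{src} -> {dst}"))
        elif ev["type"] == "network":
            # Match on hostname: Zloader rotates TLDs on the same label, and the
            # /post.php path alone is far too common to key on.
            if urlparse(ev["url"]).hostname in C2_HOSTS:
                findings.append(("zloader_c2", ev["pid"], ev["url"]))
    return findings


def hollowed_beaconers(events):
    """PIDs whose thread context was set by rundll32 and that then hit a C2
    or wrote a Run key: the full chain, not one isolated signature."""
    by_rule = {}
    for rule, pid, _ in hunt(events):
        by_rule.setdefault(rule, set()).add(pid)
    hijacked = by_rule.get("thread_context_hijack", set())
    acted = by_rule.get("zloader_c2", set()) | by_rule.get("run_key_rundll32_dll", set())
    return hijacked & acted


# Constructed events mirroring the report's process tree and IoCs, plus two
# benign records (a normal Run value and an installer download) as noise.
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")
SAMPLE_EVENTS = [
    {"type": "set_thread_context", "source_pid": 1512, "target_pid": 1560,
     "source_image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target_image": r"C:\Windows\SysWOW64\msiexec.exe"},
    {"type": "registry_set", "pid": 1560, "key": RUN_KEY + r"\Qyehwyo",
     "data": r"rundll32.exe C:\Users\Admin\AppData\Roaming\Ziolr\tirofyew.dll,DllRegisterServer"},
    {"type": "network", "pid": 1560, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "url": "http://march262020.best/post.php"},
    {"type": "registry_set", "pid": 900, "key": RUN_KEY + r"\OneDrive",
     "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "network", "pid": 2200, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "url": "https://download.example.com/setup.msi"},
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid:<6} {detail}")
    print("hollowed processes that beaconed or persisted:", hollowed_beaconers(SAMPLE_EVENTS))
```

On the sample events the three rules fire once each, all on PID 1560, and `hollowed_beaconers` returns that single PID; the OneDrive Run value and the installer download produce nothing. The rundll32-to-rundll32 WriteProcessMemory rows in the report are the 64-bit loader handing a 32-bit DLL to the SysWOW64 copy, which is why the hollowing rule only fires when rundll32 targets a different image.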
Downloads
memory/1512-53-0x0000000075601000-0x0000000075603000-memory.dmp  8KB
memory/1512-54-0x00000000001A0000-0x00000000001CD000-memory.dmp  180KB
memory/1512-55-0x0000000000230000-0x0000000000260000-memory.dmp  192KB
memory/1560-57-0x0000000000090000-0x00000000000C1000-memory.dmp  196KB
memory/1560-56-0x0000000000090000-0x00000000000C0000-memory.dmp  192KB
memory/1560-58-0x0000000000090000-0x00000000000C1000-memory.dmp  196KB
memory/1560-60-0x0000000000090000-0x00000000000C0000-memory.dmp  192KB