Analysis
max time kernel: 117s
max time network: 130s
platform: windows7_x64
resource: win7-en-20211208
submitted: 01-02-2022 04:10
Static task: static1
Behavioral task: behavioral1
  Sample: be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb.vbs
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb.vbs
  Resource: win10v2004-en-20220113
General
Target: be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb.vbs
Size: 1.0MB
MD5: 7e8c741445cde9246b96c96a9cb89cd1
SHA1: 93409daece5165c0916e4e45d4c62292f57b34db
SHA256: be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb
SHA512: 6d27fefa6c01fc07cd5d7ea2d69f9a061ac6438327dec2b1474316c0601ed3f7baeeb37b1fcfac0128274bec9d50f27e5006364006f419927de499cd159a411a
Malware Config
Extracted
Family: zloader
Botnet: main
Campaign: 29.03.2020
C2 URLs:
  https://postgringos.com/sound.php
  https://tetraslims.com/sound.php
  https://greenrumba.com/sound.php
  https://starterdatas.com/sound.php
  https://nexycombats.com/sound.php
  https://peermems.com/sound.php
  https://fotonums.com/sound.php
  https://hibsurf.com/sound.php
  https://buhismus.com/sound.php
  https://spensores.com/sound.php
build_id: 30
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 620 | 528 | rundll32.exe |

Loads dropped DLL (4 IoCs)
Processes: rundll32.exe
pid | process
1532 | rundll32.exe
1532 | rundll32.exe
1532 | rundll32.exe
1532 | rundll32.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: msiexec.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ydyn = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Lyku\\akeskeap.dll,DllRegisterServer" | msiexec.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: rundll32.exe
description | pid | process | target process
PID 1532 set thread context of 1860 | 1532 | rundll32.exe | msiexec.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: msiexec.exe
description | pid | process
Token: SeSecurityPrivilege | 1860 | msiexec.exe
Token: SeSecurityPrivilege | 1860 | msiexec.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: WScript.exe
pid | process
1632 | WScript.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 620 wrote to memory of 1532 | 620 | rundll32.exe | rundll32.exe (7 events)
PID 1532 wrote to memory of 1860 | 1532 | rundll32.exe | msiexec.exe (9 events)
Processes

[depth 1] C:\Windows\System32\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be73a8b0548f93351984b116d42f6559311fdb6e757dcd174958d8b0028ac1fb.vbs"
    - Suspicious use of FindShellTrayWindow

[depth 1] C:\Windows\system32\rundll32.exe
    command line: rundll32 C:\Users\Admin\AppData\Local\Temp\VrSiekwRtfHPpfg.exe,DllRegisterServer
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32 C:\Users\Admin\AppData\Local\Temp\VrSiekwRtfHPpfg.exe,DllRegisterServer
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\SysWOW64\msiexec.exe
            command line: msiexec.exe
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\VrSiekwRtfHPpfg.exe
  MD5: 24f98dee17042e0bd3f723f7bbfa839f
  SHA1: 10123cbacb225b078c8e0a847da9e020bc0119e1
  SHA256: 8542bf1c3c7532f11fc39b4b6a20a08ef5bd0c8d42e3262028d4ffdbc5aa88f8
  SHA512: 0db0794e2547015695e40db1d419c944f1d955aa3f3ae3b673900f995b9a45126097f4a6a6029dbe7bfb87ed694bc024f720b05172332b1f41a8600a8bfd3b6f
The same file is recorded four more times as \Users\Admin\AppData\Local\Temp\VrSiekwRtfHPpfg.exe with identical hashes.
memory/1532-57-0x00000000763F1000-0x00000000763F3000-memory.dmp  Filesize: 8KB
memory/1532-62-0x0000000000680000-0x00000000006CD000-memory.dmp  Filesize: 308KB
memory/1532-63-0x0000000010000000-0x00000000100D6000-memory.dmp  Filesize: 856KB
memory/1632-54-0x000007FEFC031000-0x000007FEFC033000-memory.dmp  Filesize: 8KB
memory/1632-55-0x0000000001ED0000-0x0000000001ED1000-memory.dmp  Filesize: 4KB
memory/1860-65-0x0000000000090000-0x00000000000C1000-memory.dmp  Filesize: 196KB
memory/1860-64-0x0000000000090000-0x00000000000C0000-memory.dmp  Filesize: 192KB
memory/1860-66-0x0000000000090000-0x00000000000C1000-memory.dmp  Filesize: 196KB
memory/1860-68-0x0000000000090000-0x00000000000C0000-memory.dmp  Filesize: 192KB