Analysis
-
max time kernel
101s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
01-02-2022 09:10
Static task
static1
Behavioral task
behavioral1
Sample
d3255ed380e290f4992701d1c10a3f65580b5e0aff384ab4308a8202d71f38a8.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
d3255ed380e290f4992701d1c10a3f65580b5e0aff384ab4308a8202d71f38a8.dll
Resource
win10v2004-en-20220112
General
-
Target
d3255ed380e290f4992701d1c10a3f65580b5e0aff384ab4308a8202d71f38a8.dll
-
Size
275KB
-
MD5
39cb3387dedf5568efeb8ae071e9006e
-
SHA1
9e9005fe8e8817c87e8f55bb5ba41f12ec7724b0
-
SHA256
d3255ed380e290f4992701d1c10a3f65580b5e0aff384ab4308a8202d71f38a8
-
SHA512
ef496ca7b6aaa85df502a6eccc7fa1758b9bcc14ec194b451660444b4d8e23c3e67353432a3d653bf3936f0cf18df2abe239e7b4e5adb6eb8260aea07c1ca299
Malware Config
Extracted
zloader
DLLobnova
cookiesfix
https://fdsjfjdsfjdsdsjajjs.com/gate.php
https://idisaudhasdhasdj.com/gate.php
https://dsjdjsjdsadhasdas.com/gate.php
https://dsdjfhdsufudhjas.com/gate.php
https://dsdjfhdsufudhjas.info/gate.php
https://fdsjfjdsfjdsdsjajjs.info/gate.php
https://idisaudhasdhasdj.info/gate.php
https://dsdjfhdsufudhjas.pro/gate.php
https://dsdjfhd9ddksaas.pro/gate.php
-
build_id
25
Signatures
-
Blocklisted process makes network request 7 IoCs
Processes:
msiexec.exeflow pid process 40 1348 msiexec.exe 42 1348 msiexec.exe 44 1348 msiexec.exe 46 1348 msiexec.exe 48 1348 msiexec.exe 50 1348 msiexec.exe 52 1348 msiexec.exe -
Sets service image path in registry 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
msiexec.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ihekfu = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Yxetb\\yzidibyv.dll,DllRegisterServer" msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
rundll32.exedescription pid process target process PID 1548 set thread context of 1348 1548 rundll32.exe msiexec.exe -
Modifies data under HKEY_USERS 41 IoCs
Processes:
WaaSMedicAgent.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
msiexec.exedescription pid process Token: SeSecurityPrivilege 1348 msiexec.exe Token: SeSecurityPrivilege 1348 msiexec.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1572 wrote to memory of 1548 1572 rundll32.exe rundll32.exe PID 1572 wrote to memory of 1548 1572 rundll32.exe rundll32.exe PID 1572 wrote to memory of 1548 1572 rundll32.exe rundll32.exe PID 1548 wrote to memory of 1348 1548 rundll32.exe msiexec.exe PID 1548 wrote to memory of 1348 1548 rundll32.exe msiexec.exe PID 1548 wrote to memory of 1348 1548 rundll32.exe msiexec.exe PID 1548 wrote to memory of 1348 1548 rundll32.exe msiexec.exe PID 1548 wrote to memory of 1348 1548 rundll32.exe msiexec.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d3255ed380e290f4992701d1c10a3f65580b5e0aff384ab4308a8202d71f38a8.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d3255ed380e290f4992701d1c10a3f65580b5e0aff384ab4308a8202d71f38a8.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe cf6b7114e69c4f57f467e5c1b8dc3181 L2KvMEPfV0mKrbOIcKwgBg.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wusvcs -p1⤵