Analysis
- max time kernel: 127s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-02-2022 08:46
Static task: static1
Behavioral task: behavioral1
  Sample: f6ebd6f0fe20fe561d1cf5d6aea5201712a0eabf4624c863a5ab6d44b1f57755.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: f6ebd6f0fe20fe561d1cf5d6aea5201712a0eabf4624c863a5ab6d44b1f57755.dll
  Resource: win10v2004-en-20220113
General
- Target: f6ebd6f0fe20fe561d1cf5d6aea5201712a0eabf4624c863a5ab6d44b1f57755.dll
- Size: 242KB
- MD5: e7371f007db56cf6c0ec2880db0984f7
- SHA1: 26d3cd9a7c0fe17d6b24053acf427493fdba1fb1
- SHA256: f6ebd6f0fe20fe561d1cf5d6aea5201712a0eabf4624c863a5ab6d44b1f57755
- SHA512: 231a70f0f88d729e1990fa78e6627478ae5f04c2bd8ac4180b02b9c7e35f7063db074e3b29917aefeb62b1a57d0d718c97a77c4a8d1489b0f3806848fb5e26da
Malware Config
Extracted
- Family: zloader
- id1
- MainTry: https://axisbasis.xyz/data.php
- build_id: 31
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Process: rundll32.exe
  description                          pid   process       target process
  PID 1756 set thread context of 1680  1756  rundll32.exe  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process: msiexec.exe
  description                  pid   process
  Token: SeSecurityPrivilege   1680  msiexec.exe
  Token: SeSecurityPrivilege   1680  msiexec.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                          pid   process       target process   count
  PID 1624 wrote to memory of 1756     1624  rundll32.exe  rundll32.exe     7
  PID 1756 wrote to memory of 1680     1756  rundll32.exe  msiexec.exe      9
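The three signature tables above describe one chain: the system32 rundll32.exe (1624) writes into the SysWOW64 rundll32.exe (1756) it spawned, and 1756 both writes into msiexec.exe (1680) and sets a thread context in it, after which 1680 enables SeSecurityPrivilege. The following is an added example, not part of the sandbox report or of the sample, that parses rows in the layout the sandbox prints ("PID <src> <action> <dst> <src> <src image> <dst image>" and "Token: <privilege> <pid> <image>") and flags only the pairs that combine WriteProcessMemory with SetThreadContext, the process-hollowing signature. The 1624→1756 writes, which have no matching SetThreadContext in the report, are correctly left alone. The embedded rows are a de-duplicated excerpt of the report's own rows; the sandbox does not timestamp them, so the check is order-insensitive.

```python
import re
from collections import defaultdict

# Rows copied from the "Signatures" section of this report, de-duplicated
# to a few lines per distinct event (constructed excerpt). The sandbox
# does not timestamp these rows, so the logic below is order-insensitive.
SANDBOX_ROWS = """
PID 1624 wrote to memory of 1756 1624 rundll32.exe rundll32.exe
PID 1624 wrote to memory of 1756 1624 rundll32.exe rundll32.exe
PID 1756 wrote to memory of 1680 1756 rundll32.exe msiexec.exe
PID 1756 wrote to memory of 1680 1756 rundll32.exe msiexec.exe
PID 1756 wrote to memory of 1680 1756 rundll32.exe msiexec.exe
PID 1756 set thread context of 1680 1756 rundll32.exe msiexec.exe
Token: SeSecurityPrivilege 1680 msiexec.exe
"""

# Row layout: "PID <src> <action> <dst> <src> <src_image> <dst_image>"
ROW_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)"
)
# Row layout: "Token: <privilege> <pid> <image>"
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")


def parse_rows(text):
    """Turn the sandbox's flattened signature rows into event dicts."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            src, action, dst, src_img, dst_img = m.groups()
            events.append({
                "type": "write" if action.startswith("wrote") else "setctx",
                "src": int(src), "dst": int(dst),
                "src_img": src_img, "dst_img": dst_img,
            })
            continue
        m = TOKEN_RE.search(line)
        if m:
            priv, pid, img = m.groups()
            events.append({"type": "token", "pid": int(pid), "img": img, "priv": priv})
    return events


def find_hollowing(events):
    """Flag (injector, target) pairs that both wrote the target's memory and
    reset one of its threads' context: the process-hollowing pair.
    A parent that only writes into its child (no SetThreadContext), such as
    the 64-bit rundll32 relaunching its SysWOW64 twin here, is not flagged."""
    writes = defaultdict(int)     # (src, dst) -> number of WriteProcessMemory rows
    setctx = set()                # (src, dst) pairs with a SetThreadContext row
    image = {}                    # pid -> image name
    privs = defaultdict(set)      # pid -> privileges enabled via AdjustPrivilegeToken
    for e in events:
        if e["type"] in ("write", "setctx"):
            image[e["src"]], image[e["dst"]] = e["src_img"], e["dst_img"]
            if e["type"] == "write":
                writes[(e["src"], e["dst"])] += 1
            else:
                setctx.add((e["src"], e["dst"]))
        elif e["type"] == "token":
            privs[e["pid"]].add(e["priv"])
    hits = []
    for src, dst in sorted(setctx):
        if writes[(src, dst)] == 0:
            continue  # context reset without a prior write: not hollowing by this rule
        hits.append({
            "injector": src, "injector_image": image[src],
            "target": dst, "target_image": image[dst],
            "writes": writes[(src, dst)],
            "privileges": sorted(privs[dst]),
        })
    return hits


if __name__ == "__main__":
    for h in find_hollowing(parse_rows(SANDBOX_ROWS)):
        print(f"hollowing: {h['injector_image']}({h['injector']}) -> "
              f"{h['target_image']}({h['target']}), {h['writes']} writes, "
              f"privileges enabled in target: {h['privileges']}")
```

Run against the excerpt it reports the single 1756 → 1680 pair, with msiexec.exe as the hollowed host and SeSecurityPrivilege enabled in it afterwards. On a live endpoint the same two-of-two rule maps onto Sysmon ProcessAccess (event 10) with write/set-context access rights, where the ordering (write before the context reset) should additionally be enforced.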
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6ebd6f0fe20fe561d1cf5d6aea5201712a0eabf4624c863a5ab6d44b1f57755.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6ebd6f0fe20fe561d1cf5d6aea5201712a0eabf4624c863a5ab6d44b1f57755.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1680-56-0x0000000000090000-0x00000000000BC000-memory.dmp   Filesize: 176KB
- memory/1680-57-0x00000000000C0000-0x00000000000C1000-memory.dmp   Filesize: 4KB
- memory/1680-58-0x0000000000090000-0x00000000000BC000-memory.dmp   Filesize: 176KB
- memory/1680-61-0x0000000000090000-0x00000000000BC000-memory.dmp   Filesize: 176KB
- memory/1756-54-0x0000000076071000-0x0000000076073000-memory.dmp   Filesize: 8KB
- memory/1756-55-0x0000000000160000-0x00000000001A1000-memory.dmp   Filesize: 260KB
- memory/1756-59-0x00000000001C0000-0x0000000000201000-memory.dmp   Filesize: 260KB