Analysis
-
max time kernel
124s -
max time network
126s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
01-02-2022 10:46
General
-
Target
219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll
-
Size
276KB
-
MD5
0448f77a9999f945a136305716eabe49
-
SHA1
7d906884962033eb5381fcb018fce79779578584
-
SHA256
219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa
-
SHA512
3270f2a146bf94a5e6981e6d99fde8b9204bb90f5b6b04305261fb6bc10541664bd2f8d6cde290e4296f81c602b649ed6ffc6315c67590506625e59f8263e6db
Malware Config
Extracted
zloader
DLLobnova
hihiupdate
https://fdsjfjdsfjdsdsjajjs.com/gate.php
https://idisaudhasdhasdj.com/gate.php
https://dsjdjsjdsadhasdas.com/gate.php
https://dsdjfhdsufudhjas.com/gate.php
https://dsdjfhdsufudhjas.info/gate.php
https://fdsjfjdsfjdsdsjajjs.info/gate.php
https://idisaudhasdhasdj.info/gate.php
https://dsdjfhdsufudhjas.pro/gate.php
https://dsdjfhd9ddksaas.pro/gate.php
-
build_id
7
Signatures
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
-
Blocklisted process makes network request 8 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll,#12⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1488-57-0x00000000000D0000-0x00000000000D1000-memory.dmpFilesize
4KB
-
memory/1488-56-0x0000000000090000-0x00000000000C2000-memory.dmpFilesize
200KB
-
memory/1488-58-0x0000000000090000-0x00000000000C2000-memory.dmpFilesize
200KB
-
memory/1488-62-0x0000000000090000-0x00000000000C2000-memory.dmpFilesize
200KB
-
memory/1588-55-0x0000000075321000-0x0000000075323000-memory.dmpFilesize
8KB
-
memory/1588-59-0x0000000074E60000-0x0000000074E71000-memory.dmpFilesize
68KB
-
memory/1588-60-0x0000000074E10000-0x0000000074E56000-memory.dmpFilesize
280KB