Analysis
- max time kernel: 124s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-02-2022 10:46
Static task: static1
Behavioral task: behavioral1
- Sample: 219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll
- Resource: win10v2004-en-20220113
General
- Target: 219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll
- Size: 276KB
- MD5: 0448f77a9999f945a136305716eabe49
- SHA1: 7d906884962033eb5381fcb018fce79779578584
- SHA256: 219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa
- SHA512: 3270f2a146bf94a5e6981e6d99fde8b9204bb90f5b6b04305261fb6bc10541664bd2f8d6cde290e4296f81c602b649ed6ffc6315c67590506625e59f8263e6db
Malware Config
Extracted
- zloader
- DLLobnova
- hihiupdate
- build_id: 7
Signatures
- suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Blocklisted process makes network request (8 IoCs)
Processes (flow / pid / process):
  5   1488  msiexec.exe
  7   1488  msiexec.exe
  9   1488  msiexec.exe
  11  1488  msiexec.exe
  13  1488  msiexec.exe
  15  1488  msiexec.exe
  17  1488  msiexec.exe
  19  1488  msiexec.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
  Key created: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run (msiexec.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anaw = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Azbo\\olig.dll,DllRegisterServer" (msiexec.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
  PID 1588 (rundll32.exe) set thread context of 1488 (msiexec.exe)
Drops file in Windows directory (1 IoC)
Processes (description / ioc / process):
  File opened for modification: C:\Windows\ (rundll32.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
  Token: SeSecurityPrivilege  1488  msiexec.exe
  Token: SeSecurityPrivilege  1488  msiexec.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid / process):
  1588  rundll32.exe  (64 identical entries)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid / process):
  1588  rundll32.exe  (64 identical entries)
Suspicious use of WriteProcessMemory (16 IoCs)
Processes (description / pid / process / target process):
  PID 740 (rundll32.exe) wrote to memory of 1588 (rundll32.exe)  (7 entries)
  PID 1588 (rundll32.exe) wrote to memory of 1488 (msiexec.exe)  (9 entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 740): rundll32.exe C:\Users\Admin\AppData\Local\Temp\219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1588): rundll32.exe C:\Users\Admin\AppData\Local\Temp\219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa.dll,#1
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (PID 1488): msiexec.exe
      - Blocklisted process makes network request
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1488-57-0x00000000000D0000-0x00000000000D1000-memory.dmp: 4KB
- memory/1488-56-0x0000000000090000-0x00000000000C2000-memory.dmp: 200KB
- memory/1488-58-0x0000000000090000-0x00000000000C2000-memory.dmp: 200KB
- memory/1488-62-0x0000000000090000-0x00000000000C2000-memory.dmp: 200KB
- memory/1588-55-0x0000000075321000-0x0000000075323000-memory.dmp: 8KB
- memory/1588-59-0x0000000074E60000-0x0000000074E71000-memory.dmp: 68KB
- memory/1588-60-0x0000000074E10000-0x0000000074E56000-memory.dmp: 280KB