Analysis
max time kernel: 153s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 01-02-2022 10:49

Static task: static1
Behavioral task: behavioral1
Sample: 1be04e51510b2aafb51598838b97124a73952c46b17d3d1c38254dd6d94e82a7.dll
Resource: win7-en-20211208
General
Target: 1be04e51510b2aafb51598838b97124a73952c46b17d3d1c38254dd6d94e82a7.dll
Size: 274KB
MD5: 11abbd1cd5e968e03b053426b33e64e1
SHA1: 7e1bc02b6bc16d4df3f532c8e8498f898ed0acb6
SHA256: 1be04e51510b2aafb51598838b97124a73952c46b17d3d1c38254dd6d94e82a7
SHA512: 36ef0aa604b36e0e2cdeaded3f4e0593a63747ee80ea114a6ad771d3744c2f56a840148d9b47e7710689d08c8e7f7ffed6d318c99c68b26dcffef8b595e22bc8
Malware Config
Extracted
zloader
banking
banking
build_id: 3
Signatures

Blocklisted process makes network request (3 IoCs)
Processes:
  flow 5: pid 1652, msiexec.exe
  flow 7: pid 1652, msiexec.exe
  flow 13: pid 1652, msiexec.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: msiexec.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Alhimiu = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Emtir\\buha.dll,DllRegisterServer" (process: msiexec.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 960 set thread context of 1652 (pid 960, rundll32.exe -> target process msiexec.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeSecurityPrivilege (pid 1652, msiexec.exe)
  Token: SeSecurityPrivilege (pid 1652, msiexec.exe)
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  PID 944 wrote to memory of 960 (pid 944, rundll32.exe -> target process rundll32.exe), 7 occurrences
  PID 960 wrote to memory of 1652 (pid 960, rundll32.exe -> target process msiexec.exe), 9 occurrences
Processes

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1be04e51510b2aafb51598838b97124a73952c46b17d3d1c38254dd6d94e82a7.dll,#1
   PID: 944
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1be04e51510b2aafb51598838b97124a73952c46b17d3d1c38254dd6d94e82a7.dll,#1
      PID: 960
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe
         command line: msiexec.exe
         PID: 1652
         - Blocklisted process makes network request
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken