Analysis
-
max time kernel
148s -
max time network
133s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
05-02-2022 16:55
Static task
static1
Behavioral task
behavioral1
Sample
3707ad9488f65a2425dc524d7a496e4458410d31b576348487993272505018f5.vbs
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
3707ad9488f65a2425dc524d7a496e4458410d31b576348487993272505018f5.vbs
Resource
win10v2004-en-20220113
General
-
Target
3707ad9488f65a2425dc524d7a496e4458410d31b576348487993272505018f5.vbs
-
Size
1.1MB
-
MD5
88cb1b3a2c58a40c6ecbd2897465337d
-
SHA1
2e866fde78317929b59ed9cf63806116b38a0602
-
SHA256
3707ad9488f65a2425dc524d7a496e4458410d31b576348487993272505018f5
-
SHA512
08450aaefbe3cce898ac8c6dcb5b065b773fdd2b0f66a630711b85d5510f8553f8d19fa6e634d42a6508deb46c10162b2ed74fd3a433f727799a56bbe4cc1bbc
Malware Config
Extracted
zloader
main
01.04.2020
https://postgringos.com/sound.php
https://tetraslims.com/sound.php
https://starterdatas.com/sound.php
https://nexycombats.com/sound.php
https://hibsurf.com/sound.php
https://buhismus.com/sound.php
https://spensores.com/sound.php
https://zonaa.org/sound.php
https://smoash.org/sound.php
-
build_id
31
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 980 1596 rundll32.exe -
Loads dropped DLL 4 IoCs
Processes:
rundll32.exepid process 1068 rundll32.exe 1068 rundll32.exe 1068 rundll32.exe 1068 rundll32.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
msiexec.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yxhaopl = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Ubxoov\\wehexa.dll,DllRegisterServer" msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
rundll32.exedescription pid process target process PID 1068 set thread context of 556 1068 rundll32.exe msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
msiexec.exedescription pid process Token: SeSecurityPrivilege 556 msiexec.exe Token: SeSecurityPrivilege 556 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WScript.exepid process 2024 WScript.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 980 wrote to memory of 1068 980 rundll32.exe rundll32.exe PID 980 wrote to memory of 1068 980 rundll32.exe rundll32.exe PID 980 wrote to memory of 1068 980 rundll32.exe rundll32.exe PID 980 wrote to memory of 1068 980 rundll32.exe rundll32.exe PID 980 wrote to memory of 1068 980 rundll32.exe rundll32.exe PID 980 wrote to memory of 1068 980 rundll32.exe rundll32.exe PID 980 wrote to memory of 1068 980 rundll32.exe rundll32.exe PID 1068 wrote to memory of 556 1068 rundll32.exe msiexec.exe PID 1068 wrote to memory of 556 1068 rundll32.exe msiexec.exe PID 1068 wrote to memory of 556 1068 rundll32.exe msiexec.exe PID 1068 wrote to memory of 556 1068 rundll32.exe msiexec.exe PID 1068 wrote to memory of 556 1068 rundll32.exe msiexec.exe PID 1068 wrote to memory of 556 1068 rundll32.exe msiexec.exe PID 1068 wrote to memory of 556 1068 rundll32.exe msiexec.exe PID 1068 wrote to memory of 556 1068 rundll32.exe msiexec.exe PID 1068 wrote to memory of 556 1068 rundll32.exe msiexec.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3707ad9488f65a2425dc524d7a496e4458410d31b576348487993272505018f5.vbs"1⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\rundll32.exerundll32 C:\Users\Admin\AppData\Local\Temp\sRjbEZvCFOESXQJ.exe,DllRegisterServer1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\Users\Admin\AppData\Local\Temp\sRjbEZvCFOESXQJ.exe,DllRegisterServer2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\sRjbEZvCFOESXQJ.exeMD5
fcb76558dbf86a26c4bdd2811d5d06b6
SHA1dabfb88a8dea9c8c258be021a3d190e145a65847
SHA25681a9eb444ffc7c5a700d4da6198c2f929d0e312d38667b9d3e29740eccabca3f
SHA51201f4f2457a7660fed51afb1b99f856eaae1398d4e8291c91adf1fdd7343f68e16a18d6e3054f2c6d063b785b51ccc3da4da6aae3544a697902aa70716ad96471
-
\Users\Admin\AppData\Local\Temp\sRjbEZvCFOESXQJ.exeMD5
fcb76558dbf86a26c4bdd2811d5d06b6
SHA1dabfb88a8dea9c8c258be021a3d190e145a65847
SHA25681a9eb444ffc7c5a700d4da6198c2f929d0e312d38667b9d3e29740eccabca3f
SHA51201f4f2457a7660fed51afb1b99f856eaae1398d4e8291c91adf1fdd7343f68e16a18d6e3054f2c6d063b785b51ccc3da4da6aae3544a697902aa70716ad96471
-
\Users\Admin\AppData\Local\Temp\sRjbEZvCFOESXQJ.exeMD5
fcb76558dbf86a26c4bdd2811d5d06b6
SHA1dabfb88a8dea9c8c258be021a3d190e145a65847
SHA25681a9eb444ffc7c5a700d4da6198c2f929d0e312d38667b9d3e29740eccabca3f
SHA51201f4f2457a7660fed51afb1b99f856eaae1398d4e8291c91adf1fdd7343f68e16a18d6e3054f2c6d063b785b51ccc3da4da6aae3544a697902aa70716ad96471
-
\Users\Admin\AppData\Local\Temp\sRjbEZvCFOESXQJ.exeMD5
fcb76558dbf86a26c4bdd2811d5d06b6
SHA1dabfb88a8dea9c8c258be021a3d190e145a65847
SHA25681a9eb444ffc7c5a700d4da6198c2f929d0e312d38667b9d3e29740eccabca3f
SHA51201f4f2457a7660fed51afb1b99f856eaae1398d4e8291c91adf1fdd7343f68e16a18d6e3054f2c6d063b785b51ccc3da4da6aae3544a697902aa70716ad96471
-
\Users\Admin\AppData\Local\Temp\sRjbEZvCFOESXQJ.exeMD5
fcb76558dbf86a26c4bdd2811d5d06b6
SHA1dabfb88a8dea9c8c258be021a3d190e145a65847
SHA25681a9eb444ffc7c5a700d4da6198c2f929d0e312d38667b9d3e29740eccabca3f
SHA51201f4f2457a7660fed51afb1b99f856eaae1398d4e8291c91adf1fdd7343f68e16a18d6e3054f2c6d063b785b51ccc3da4da6aae3544a697902aa70716ad96471
-
memory/556-64-0x0000000000090000-0x00000000000C1000-memory.dmpFilesize
196KB
-
memory/556-63-0x0000000000090000-0x00000000000C0000-memory.dmpFilesize
192KB
-
memory/556-65-0x0000000000090000-0x00000000000C1000-memory.dmpFilesize
196KB
-
memory/556-67-0x0000000000090000-0x00000000000C0000-memory.dmpFilesize
192KB
-
memory/1068-56-0x00000000751B1000-0x00000000751B3000-memory.dmpFilesize
8KB
-
memory/1068-61-0x00000000001D0000-0x0000000000223000-memory.dmpFilesize
332KB
-
memory/1068-62-0x0000000010000000-0x00000000100B3000-memory.dmpFilesize
716KB
-
memory/2024-54-0x000007FEFB591000-0x000007FEFB593000-memory.dmpFilesize
8KB