Analysis
-
max time kernel
138s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
13-02-2022 04:42
Static task
static1
Behavioral task
behavioral1
Sample
4a9cfd8221644b4405bd77cbde8623e55199e50f315ba1ac9c696e75d04e3ece.dll
Resource
win7-en-20211208
General
-
Target
4a9cfd8221644b4405bd77cbde8623e55199e50f315ba1ac9c696e75d04e3ece.dll
-
Size
1.1MB
-
MD5
d4c65c56fa4bc016c835310778682dd8
-
SHA1
dfd390331c9f0de6c9681466c09e46feff88e7bb
-
SHA256
4a9cfd8221644b4405bd77cbde8623e55199e50f315ba1ac9c696e75d04e3ece
-
SHA512
bdcacb45eb4b2d25ae6c3630e2c2442c843c4688db3be12850d8ff255f29dafda8292e709a9d180938a5e210cac5248d60a951cfe7265f36f596b846af334e8d
Malware Config
Extracted
zloader
Jho
25/05
https://tentrhetarav.gq/wp-parser.php
https://slidirinisprec.ml/wp-parser.php
https://iedison.vip/wp-parser.php
https://financiallifecoaching.com/wp-parser.php
https://fly2go.cn/wp-parser.php
-
build_id
230
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
rundll32.exedescription pid process target process PID 4132 set thread context of 1664 4132 rundll32.exe msiexec.exe -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 3808 svchost.exe Token: SeCreatePagefilePrivilege 3808 svchost.exe Token: SeShutdownPrivilege 3808 svchost.exe Token: SeCreatePagefilePrivilege 3808 svchost.exe Token: SeShutdownPrivilege 3808 svchost.exe Token: SeCreatePagefilePrivilege 3808 svchost.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe Token: SeRestorePrivilege 2160 TiWorker.exe Token: SeSecurityPrivilege 2160 TiWorker.exe Token: SeBackupPrivilege 2160 TiWorker.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 3616 wrote to memory of 4132 3616 rundll32.exe rundll32.exe PID 3616 wrote to memory of 4132 3616 rundll32.exe rundll32.exe PID 3616 wrote to memory of 4132 3616 rundll32.exe rundll32.exe PID 4132 wrote to memory of 1664 4132 rundll32.exe msiexec.exe PID 4132 wrote to memory of 1664 4132 rundll32.exe msiexec.exe PID 4132 wrote to memory of 1664 4132 rundll32.exe msiexec.exe PID 4132 wrote to memory of 1664 4132 rundll32.exe msiexec.exe PID 4132 wrote to memory of 1664 4132 rundll32.exe msiexec.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4a9cfd8221644b4405bd77cbde8623e55199e50f315ba1ac9c696e75d04e3ece.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4a9cfd8221644b4405bd77cbde8623e55199e50f315ba1ac9c696e75d04e3ece.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1664-137-0x00000000006B0000-0x00000000006E5000-memory.dmpFilesize
212KB
-
memory/1664-138-0x00000000006B0000-0x00000000006E5000-memory.dmpFilesize
212KB
-
memory/3808-130-0x000001CBCAD20000-0x000001CBCAD30000-memory.dmpFilesize
64KB
-
memory/3808-131-0x000001CBCAD80000-0x000001CBCAD90000-memory.dmpFilesize
64KB
-
memory/3808-132-0x000001CBCD460000-0x000001CBCD464000-memory.dmpFilesize
16KB
-
memory/4132-133-0x0000000075470000-0x00000000754A5000-memory.dmpFilesize
212KB
-
memory/4132-134-0x0000000075470000-0x0000000075689000-memory.dmpFilesize
2.1MB
-
memory/4132-135-0x0000000075563000-0x0000000075566000-memory.dmpFilesize
12KB
-
memory/4132-136-0x0000000000E80000-0x0000000000E81000-memory.dmpFilesize
4KB