Analysis
max time kernel: 140s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 19/03/2022, 10:41
Static task: static1
Behavioral task: behavioral1
Sample: a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b.dll
Resource: win7-20220310-en
General
Target: a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b.dll
Size: 520KB
MD5: 2db23f40f56413146f1c2b1d445cbcf5
SHA1: d562a4950987411676f6ef2486d9fa3525fcc39a
SHA256: a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b
SHA512: 2d0ed0c47252a5588579aa79cfa5654f3c954ccf11362c7a490380c04d6365ab3f35d577d417cb5445811419afb7491a2982494047f2676692e5ae3c57756b76
Malware Config
Extracted
zloader
nut
11/12
https://www.businessinsurancelaw.com/wp-punch.php
https://squire.ae/wp-punch.php
https://lamun.pk/wp-punch.php
https://www.rcclabbd.com/wp-punch.php
https://thecype.com/wp-punch.php
https://theterteboltallbrow.tk/wp-smarts.php
build_id: 286
Signatures

suricata: ET MALWARE Zbot POST Request to C2
suricata: ET MALWARE Zbot POST Request to C2

Blocklisted process makes network request (22 IoCs)
flow  pid   Process
17    5092  msiexec.exe
18    5092  msiexec.exe
19    5092  msiexec.exe
20    5092  msiexec.exe
25    5092  msiexec.exe
27    5092  msiexec.exe
41    5092  msiexec.exe
42    5092  msiexec.exe
50    5092  msiexec.exe
51    5092  msiexec.exe
57    5092  msiexec.exe
58    5092  msiexec.exe
60    5092  msiexec.exe
61    5092  msiexec.exe
62    5092  msiexec.exe
63    5092  msiexec.exe
64    5092  msiexec.exe
65    5092  msiexec.exe
67    5092  msiexec.exe
68    5092  msiexec.exe
72    5092  msiexec.exe
76    5092  msiexec.exe

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process       procid_target
PID 4884 set thread context of 5092  4884  rundll32.exe  83

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                 pid   Process
Token: SeSecurityPrivilege  5092  msiexec.exe
Token: SeSecurityPrivilege  5092  msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process       procid_target
PID 4476 wrote to memory of 4884  4476  rundll32.exe  80
PID 4476 wrote to memory of 4884  4476  rundll32.exe  80
PID 4476 wrote to memory of 4884  4476  rundll32.exe  80
PID 4884 wrote to memory of 5092  4884  rundll32.exe  83
PID 4884 wrote to memory of 5092  4884  rundll32.exe  83
PID 4884 wrote to memory of 5092  4884  rundll32.exe  83
PID 4884 wrote to memory of 5092  4884  rundll32.exe  83
PID 4884 wrote to memory of 5092  4884  rundll32.exe  83
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4476

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a104e1e3befda44a812d3c98177b05bdcb15ca48a60002b5d13256994741915b.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 4884

    C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
      PID: 5092