Analysis
-
max time kernel: 134s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 23:37
Static task
static1
Behavioral task
behavioral1
Sample
dbeba2fb33aaba42768a5ed8055cc8ca4009ad1921319f90c78b78d4f0dd9f7b.dll
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target: dbeba2fb33aaba42768a5ed8055cc8ca4009ad1921319f90c78b78d4f0dd9f7b.dll
Size: 489KB
MD5: 8c293fe05b3af514723a1639810c06a3
SHA1: ac2f7668c7f3049930b52a83585ac479145cd059
SHA256: dbeba2fb33aaba42768a5ed8055cc8ca4009ad1921319f90c78b78d4f0dd9f7b
SHA512: 2f8db26e93c54b08944a4080e55595f348090086f849fe427f6f07b17a8a57926b1e0d6481356feb0846af0c01ffbb06122750974d3f80e2ea3c465aab1acc23
Malware Config
Extracted
Family: zloader
Botnet: bot5
Campaign: bot5
C2: https://militanttra.at/owg.php
Attributes
build_id: 15
rc4.plain
rsa_pubkey.plain
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: msiexec.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yncaory = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Xudar\\kuel.dll" | msiexec.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: rundll32.exe
description | pid | process | target process
PID 4192 set thread context of 3084 | 4192 | rundll32.exe | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: msiexec.exe
description | pid | process
Token: SeSecurityPrivilege | 3084 | msiexec.exe
Token: SeSecurityPrivilege | 3084 | msiexec.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 876 wrote to memory of 4192 | 876 | rundll32.exe | rundll32.exe
PID 876 wrote to memory of 4192 | 876 | rundll32.exe | rundll32.exe
PID 876 wrote to memory of 4192 | 876 | rundll32.exe | rundll32.exe
PID 4192 wrote to memory of 3084 | 4192 | rundll32.exe | msiexec.exe
PID 4192 wrote to memory of 3084 | 4192 | rundll32.exe | msiexec.exe
PID 4192 wrote to memory of 3084 | 4192 | rundll32.exe | msiexec.exe
PID 4192 wrote to memory of 3084 | 4192 | rundll32.exe | msiexec.exe
PID 4192 wrote to memory of 3084 | 4192 | rundll32.exe | msiexec.exe
Processes
-
C:\Windows\system32\rundll32.exe (depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbeba2fb33aaba42768a5ed8055cc8ca4009ad1921319f90c78b78d4f0dd9f7b.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbeba2fb33aaba42768a5ed8055cc8ca4009ad1921319f90c78b78d4f0dd9f7b.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe (depth 3)
      command line: msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3084-134-0x0000000000000000-mapping.dmp
memory/3084-135-0x0000000000D30000-0x0000000000D5B000-memory.dmp (Filesize 172KB)
memory/3084-136-0x0000000000D30000-0x0000000000D5B000-memory.dmp (Filesize 172KB)
memory/4192-130-0x0000000000000000-mapping.dmp
memory/4192-131-0x0000000075030000-0x000000007505B000-memory.dmp (Filesize 172KB)
memory/4192-132-0x0000000075030000-0x00000000750B0000-memory.dmp (Filesize 512KB)
memory/4192-133-0x0000000075030000-0x00000000750B0000-memory.dmp (Filesize 512KB)