Analysis Overview
SHA256
6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f
Threat Level: Known bad
The file 6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Zbot POST Request to C2
Zloader, Terdot, DELoader, ZeusSphinx
Blocklisted process makes network request
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-20 03:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-20 03:52
Reported
2022-05-20 04:07
Platform
win7-20220414-en
Max time kernel
184s
Max time network
191s
Command Line
Signatures
Zloader, Terdot, DELoader, ZeusSphinx
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 996 set thread context of 1172 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll,#1
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wmwifbajxxbcxmucxmlc.com | udp |
| US | 13.87.185.199:80 | wmwifbajxxbcxmucxmlc.com | tcp |
| US | 8.8.8.8:53 | ojnxjgfjlftfkkuxxiqd.com | udp |
| US | 20.114.17.1:80 | ojnxjgfjlftfkkuxxiqd.com | tcp |
Files
memory/996-54-0x0000000000000000-mapping.dmp
memory/996-55-0x0000000075BF1000-0x0000000075BF3000-memory.dmp
memory/996-57-0x0000000075500000-0x0000000075583000-memory.dmp
memory/996-56-0x0000000075500000-0x0000000075534000-memory.dmp
memory/996-58-0x0000000075500000-0x0000000075583000-memory.dmp
memory/1172-59-0x0000000000090000-0x00000000000C4000-memory.dmp
memory/1172-61-0x0000000000090000-0x00000000000C4000-memory.dmp
memory/1172-62-0x0000000000000000-mapping.dmp
memory/1172-64-0x0000000000090000-0x00000000000C4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-20 03:52
Reported
2022-05-20 04:07
Platform
win10v2004-20220414-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Zloader, Terdot, DELoader, ZeusSphinx
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Zbot POST Request to C2
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 876 set thread context of 728 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3928 wrote to memory of 876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3928 wrote to memory of 876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3928 wrote to memory of 876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 876 wrote to memory of 728 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 876 wrote to memory of 728 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 876 wrote to memory of 728 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 876 wrote to memory of 728 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 876 wrote to memory of 728 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ffa4cfa0466047e7a320dd9aa57417d14dd9a185306fdecc9a79352d88a682f.dll,#1
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.6:443 | tcp | |
| CH | 173.222.108.226:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| NL | 104.97.14.80:80 | tcp | |
| US | 8.8.8.8:53 | wmwifbajxxbcxmucxmlc.com | udp |
| US | 13.87.185.199:80 | wmwifbajxxbcxmucxmlc.com | tcp |
| US | 8.8.8.8:53 | ojnxjgfjlftfkkuxxiqd.com | udp |
| US | 20.114.17.1:80 | ojnxjgfjlftfkkuxxiqd.com | tcp |
| US | 8.8.8.8:53 | pwkqhdgytsshkoibaake.com | udp |
| US | 206.191.152.37:80 | pwkqhdgytsshkoibaake.com | tcp |
| US | 8.8.8.8:53 | snnmnkxdhflwgthqismb.com | udp |
| US | 199.21.76.77:80 | snnmnkxdhflwgthqismb.com | tcp |
| US | 8.8.8.8:53 | iawfqecrwohcxnhwtofa.com | udp |
| US | 206.191.152.58:80 | iawfqecrwohcxnhwtofa.com | tcp |
| US | 8.8.8.8:53 | nlbmfsyplohyaicmxhum.com | udp |
| US | 206.191.152.37:80 | nlbmfsyplohyaicmxhum.com | tcp |
| US | 8.8.8.8:53 | fvqlkgedqjiqgapudkgq.com | udp |
| US | 199.21.76.77:80 | fvqlkgedqjiqgapudkgq.com | tcp |
| US | 8.8.8.8:53 | cmmxhurildiigqghlryq.com | udp |
| SG | 63.251.126.10:80 | cmmxhurildiigqghlryq.com | tcp |
| US | 8.8.8.8:53 | nmqsmbiabjdnuushksas.com | udp |
| US | 199.21.76.81:80 | nmqsmbiabjdnuushksas.com | tcp |
| US | 8.8.8.8:53 | fyratyubvflktyyjiqgq.com | udp |
| US | 107.6.74.76:80 | fyratyubvflktyyjiqgq.com | tcp |
| US | 107.6.74.76:80 | fyratyubvflktyyjiqgq.com | tcp |
Files
memory/876-130-0x0000000000000000-mapping.dmp
memory/876-132-0x0000000075180000-0x0000000075203000-memory.dmp
memory/876-131-0x0000000075180000-0x00000000751B4000-memory.dmp
memory/876-133-0x0000000075180000-0x0000000075203000-memory.dmp
memory/728-134-0x0000000000000000-mapping.dmp
memory/728-135-0x0000000000510000-0x0000000000544000-memory.dmp
memory/728-136-0x0000000000510000-0x0000000000544000-memory.dmp