Analysis

max time kernel: 140s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-06-2022 02:52

Static task: static1
Behavioral task: behavioral1
Sample: 2558251e3f8705e621bf2749648c77dce391f3cc870aac9a6fd7119ce79103a2.dll
Resource: win7-20220414-en
General

Target: 2558251e3f8705e621bf2749648c77dce391f3cc870aac9a6fd7119ce79103a2.dll
Size: 375KB
MD5: 6947ee4228ab808e9c91d9d6cd7f6f21
SHA1: 006fee40df6b2908d5a6a945fd47ddfe2f32f533
SHA256: 2558251e3f8705e621bf2749648c77dce391f3cc870aac9a6fd7119ce79103a2
SHA512: f8c9618ad79a6b0ac574f59e6d06b8e56b037bd5f388122acc66928e2db913e1630fcd3f92078e53913fab71aaa680968c20be0ecc0f0375fc93a373280b6e8c
Malware Config

Extracted: zloader
CASPAM
CASPAM
- http://marchadvertisingnetwork4.com/post.php
- http://marchadvertisingnetwork5.com/post.php
- http://marchadvertisingnetwork6.com/post.php
- http://marchadvertisingnetwork7.com/post.php
- http://marchadvertisingnetwork8.com/post.php
- http://marchadvertisingnetwork9.com/post.php
- http://marchadvertisingnetwork10.com/post.php
build_id: 24
Signatures

Blocklisted process makes network request (3 IoCs)
Processes: msiexec.exe
flow | pid  | process
38   | 4560 | msiexec.exe
39   | 4560 | msiexec.exe
40   | 4560 | msiexec.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: msiexec.exe
description     | ioc | process
Key created     | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Byyz = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Ecci\\ekys.dll,DllRegisterServer" | msiexec.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: rundll32.exe
description                              | pid  | process      | target process
PID 1456 set thread context of 4560      | 1456 | rundll32.exe | msiexec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: msiexec.exe
description                 | pid  | process
Token: SeSecurityPrivilege  | 4560 | msiexec.exe
Token: SeSecurityPrivilege  | 4560 | msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: rundll32.exe, rundll32.exe
description                      | pid  | process      | target process
PID 4284 wrote to memory of 1456 | 4284 | rundll32.exe | rundll32.exe
PID 4284 wrote to memory of 1456 | 4284 | rundll32.exe | rundll32.exe
PID 4284 wrote to memory of 1456 | 4284 | rundll32.exe | rundll32.exe
PID 1456 wrote to memory of 4560 | 1456 | rundll32.exe | msiexec.exe
PID 1456 wrote to memory of 4560 | 1456 | rundll32.exe | msiexec.exe
PID 1456 wrote to memory of 4560 | 1456 | rundll32.exe | msiexec.exe
PID 1456 wrote to memory of 4560 | 1456 | rundll32.exe | msiexec.exe
PID 1456 wrote to memory of 4560 | 1456 | rundll32.exe | msiexec.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2558251e3f8705e621bf2749648c77dce391f3cc870aac9a6fd7119ce79103a2.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2558251e3f8705e621bf2749648c77dce391f3cc870aac9a6fd7119ce79103a2.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: msiexec.exe
         - Blocklisted process makes network request
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1456-130-0x0000000000000000-mapping.dmp
- memory/1456-132-0x00000000754D0000-0x000000007554D000-memory.dmp (Filesize: 500KB)
- memory/1456-131-0x00000000754D0000-0x0000000075500000-memory.dmp (Filesize: 192KB)
- memory/1456-133-0x00000000754D0000-0x000000007554D000-memory.dmp (Filesize: 500KB)
- memory/1456-136-0x00000000754D0000-0x000000007554D000-memory.dmp (Filesize: 500KB)
- memory/4560-134-0x0000000000000000-mapping.dmp
- memory/4560-135-0x0000000000770000-0x00000000007A0000-memory.dmp (Filesize: 192KB)
- memory/4560-137-0x0000000000770000-0x00000000007A0000-memory.dmp (Filesize: 192KB)
- memory/4560-138-0x0000000000770000-0x00000000007A0000-memory.dmp (Filesize: 192KB)