Analysis
- max time kernel: 500s
- max time network: 503s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-10-2022 06:35
Static task: static1

Behavioral task: behavioral1
- Sample: 0d533321292f6854d7f9705a738d58ee5941c93b52674681083ec5c21a987ab1.dll
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: 0d533321292f6854d7f9705a738d58ee5941c93b52674681083ec5c21a987ab1.dll
- Resource: win10v2004-20220812-en
General
- Target: 0d533321292f6854d7f9705a738d58ee5941c93b52674681083ec5c21a987ab1.dll
- Size: 422KB
- MD5: f55920966b4970588ce643af0fcc03a7
- SHA1: 97c44c58f24358442cb1811a7694e5b395e82d61
- SHA256: 0d533321292f6854d7f9705a738d58ee5941c93b52674681083ec5c21a987ab1
- SHA512: b5e6f91e65eacd6c1ad5f563f0d9184fd21fb88848008c7ea568d7c40c63fcbf217eeee2830a521313a3152e538821a469630fe951e760405972afae8516023e
- SSDEEP: 12288:yClc4hq+Ytl63+YzGKBTpJHtvgqYe7S9S:Tlc4kBl6OabpFtGgS0
Malware Config
Extracted: zloader
- build_id: 49
Signatures

Blocklisted process makes network request (10 IoCs)
flow  pid   Process
33    2268  msiexec.exe
34    2268  msiexec.exe
36    2268  msiexec.exe
37    2268  msiexec.exe
38    2268  msiexec.exe
45    2268  msiexec.exe
46    2268  msiexec.exe
47    2268  msiexec.exe
48    2268  msiexec.exe
49    2268  msiexec.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Process: msiexec.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uhgaif = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Cedueb\\duicah.dll,DllRegisterServer"
  Process: msiexec.exe

Suspicious use of SetThreadContext (1 IoCs)
description                          pid   Process       procid_target
PID 4968 set thread context of 2268  4968  rundll32.exe  90

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                 pid   Process
Token: SeSecurityPrivilege  2268  msiexec.exe
Token: SeSecurityPrivilege  2268  msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process       procid_target
PID 5028 wrote to memory of 4968  5028  rundll32.exe  82
PID 5028 wrote to memory of 4968  5028  rundll32.exe  82
PID 5028 wrote to memory of 4968  5028  rundll32.exe  82
PID 4968 wrote to memory of 2268  4968  rundll32.exe  90
PID 4968 wrote to memory of 2268  4968  rundll32.exe  90
PID 4968 wrote to memory of 2268  4968  rundll32.exe  90
PID 4968 wrote to memory of 2268  4968  rundll32.exe  90
PID 4968 wrote to memory of 2268  4968  rundll32.exe  90
Processes

1. C:\Windows\system32\rundll32.exe (PID: 5028)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d533321292f6854d7f9705a738d58ee5941c93b52674681083ec5c21a987ab1.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID: 4968)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d533321292f6854d7f9705a738d58ee5941c93b52674681083ec5c21a987ab1.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe (PID: 2268)
         Command line: msiexec.exe
         - Blocklisted process makes network request
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken