Analysis

max time kernel: 545s
max time network: 547s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 27-10-2022 06:35
Behavioral task: behavioral1
Sample: 0d533321292f6854d7f9705a738d58ee5941c93b52674681083ec5c21a987ab1_unpacked.dll
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 0d533321292f6854d7f9705a738d58ee5941c93b52674681083ec5c21a987ab1_unpacked.dll
Resource: win10v2004-20220901-en
General

Target: 0d533321292f6854d7f9705a738d58ee5941c93b52674681083ec5c21a987ab1_unpacked.dll
Size: 156KB
MD5: d9260a4b6dbbd14005070ea871f4cfd2
SHA1: 456ce2295431e297036bf9f185b6a80d1866f849
SHA256: d010b0b5bff25d4cc9b65d8f24e4ae5b596804d4c60c506e993d312323a881bb
SHA512: 43ba2387df4cae14d3b696d9ac23977e32eadd30dff24b862fc9dcc33d9b73bdfba40d6363b8906627454cbc76635720c64b35d7bbeecf27ba71673c62957fbe
SSDEEP: 3072:EcuwpCTxFeqTqLtg2l3z1TR9lPl4Bq89CP9qCL3qZnd2+gvcYwl6:tuwpCTxFIljz9lPCBq8jaL
Malware Config

Extracted family: zloader
build_id: 49
Signatures

- Blocklisted process makes network request (10 IoCs)

  flow  pid   Process
  5     1948  msiexec.exe
  6     1948  msiexec.exe
  7     1948  msiexec.exe
  8     1948  msiexec.exe
  9     1948  msiexec.exe
  13    1948  msiexec.exe
  14    1948  msiexec.exe
  15    1948  msiexec.exe
  16    1948  msiexec.exe
  17    1948  msiexec.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)

  description      ioc                                                                                                     Process
  Key created      \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run   msiexec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fydueh = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Hohuo\\fegud.dll,DllRegisterServer"   msiexec.exe

- Suspicious use of SetThreadContext (1 IoC)

  description                          pid   Process       procid_target
  PID 1812 set thread context of 1948  1812  regsvr32.exe  27

- Suspicious use of AdjustPrivilegeToken (2 IoCs)

  description                pid   Process
  Token: SeSecurityPrivilege  1948  msiexec.exe
  Token: SeSecurityPrivilege  1948  msiexec.exe

- Suspicious use of WriteProcessMemory (16 IoCs)

  description                      pid   Process       procid_target
  PID 364 wrote to memory of 1812  364   regsvr32.exe  26
  PID 364 wrote to memory of 1812  364   regsvr32.exe  26
  PID 364 wrote to memory of 1812  364   regsvr32.exe  26
  PID 364 wrote to memory of 1812  364   regsvr32.exe  26
  PID 364 wrote to memory of 1812  364   regsvr32.exe  26
  PID 364 wrote to memory of 1812  364   regsvr32.exe  26
  PID 364 wrote to memory of 1812  364   regsvr32.exe  26
  PID 1812 wrote to memory of 1948  1812  regsvr32.exe  27
  PID 1812 wrote to memory of 1948  1812  regsvr32.exe  27
  PID 1812 wrote to memory of 1948  1812  regsvr32.exe  27
  PID 1812 wrote to memory of 1948  1812  regsvr32.exe  27
  PID 1812 wrote to memory of 1948  1812  regsvr32.exe  27
  PID 1812 wrote to memory of 1948  1812  regsvr32.exe  27
  PID 1812 wrote to memory of 1948  1812  regsvr32.exe  27
  PID 1812 wrote to memory of 1948  1812  regsvr32.exe  27
  PID 1812 wrote to memory of 1948  1812  regsvr32.exe  27
Processes

1. C:\Windows\system32\regsvr32.exe (PID: 364)
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0d533321292f6854d7f9705a738d58ee5941c93b52674681083ec5c21a987ab1_unpacked.dll
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe (PID: 1812)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\0d533321292f6854d7f9705a738d58ee5941c93b52674681083ec5c21a987ab1_unpacked.dll
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe (PID: 1948)
         Command line: msiexec.exe
         - Blocklisted process makes network request
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken