Analysis
- max time kernel: 510s
- max time network: 513s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-10-2022 06:35
Behavioral task
behavioral1
Sample
66f49a261b6086dfdd1c3e2a21f7cb746aa35707490cbd64693d66383ba54c64.dll
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
66f49a261b6086dfdd1c3e2a21f7cb746aa35707490cbd64693d66383ba54c64.dll
Resource
win10v2004-20220812-en
General
- Target: 66f49a261b6086dfdd1c3e2a21f7cb746aa35707490cbd64693d66383ba54c64.dll
- Size: 128KB
- MD5: 33d2581d7d36acde729ce52c5d106d79
- SHA1: 48b9cbe0f6922d6c844ab7b7122bc0cd389bf711
- SHA256: 66f49a261b6086dfdd1c3e2a21f7cb746aa35707490cbd64693d66383ba54c64
- SHA512: 75acc63cb9c38c0dd3d1759c93f38fc41e62b8853146267b6d80c7b979cf9bf281d3bd44519f1f6a9085d161a4a3d5abc5c71702c914382645e55af3fd6c8770
- SSDEEP: 3072:f9r5C53D8cD2blVIevrYc/vdDwfYX8D5/x6tT8Wfgpwylb:ft5C53D8ckM6sDW5g6yl
Malware Config
Extracted
zloader
04/02
https://brewaz.club/milagrecf.php
https://buhjike.host/milagrecf.php
-
build_id
49
Signatures
- Blocklisted process makes network request (10 IoCs)
  Processes: msiexec.exe
  flow | pid  | process
  36   | 1424 | msiexec.exe
  37   | 1424 | msiexec.exe
  38   | 1424 | msiexec.exe
  39   | 1424 | msiexec.exe
  40   | 1424 | msiexec.exe
  47   | 1424 | msiexec.exe
  48   | 1424 | msiexec.exe
  49   | 1424 | msiexec.exe
  51   | 1424 | msiexec.exe
  52   | 1424 | msiexec.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Efeg = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Hydoco\\fobua.dll,DllRegisterServer" | msiexec.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: regsvr32.exe
  description | pid | process | target process
  PID 4968 set thread context of 1424 | 4968 | regsvr32.exe | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  description | pid | process
  Token: SeSecurityPrivilege | 1424 | msiexec.exe
  Token: SeSecurityPrivilege | 1424 | msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: regsvr32.exe, regsvr32.exe
  description | pid | process | target process
  PID 4744 wrote to memory of 4968 | 4744 | regsvr32.exe | regsvr32.exe
  PID 4744 wrote to memory of 4968 | 4744 | regsvr32.exe | regsvr32.exe
  PID 4744 wrote to memory of 4968 | 4744 | regsvr32.exe | regsvr32.exe
  PID 4968 wrote to memory of 1424 | 4968 | regsvr32.exe | msiexec.exe
  PID 4968 wrote to memory of 1424 | 4968 | regsvr32.exe | msiexec.exe
  PID 4968 wrote to memory of 1424 | 4968 | regsvr32.exe | msiexec.exe
  PID 4968 wrote to memory of 1424 | 4968 | regsvr32.exe | msiexec.exe
  PID 4968 wrote to memory of 1424 | 4968 | regsvr32.exe | msiexec.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\66f49a261b6086dfdd1c3e2a21f7cb746aa35707490cbd64693d66383ba54c64.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\66f49a261b6086dfdd1c3e2a21f7cb746aa35707490cbd64693d66383ba54c64.dll
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - Blocklisted process makes network request
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1424-133-0x0000000000000000-mapping.dmp
- memory/1424-134-0x0000000000700000-0x0000000000725000-memory.dmp (Filesize: 148KB)
- memory/1424-135-0x0000000000700000-0x0000000000725000-memory.dmp (Filesize: 148KB)
- memory/1424-136-0x0000000000700000-0x0000000000725000-memory.dmp (Filesize: 148KB)
- memory/4968-132-0x0000000000000000-mapping.dmp