Analysis
max time kernel: 153s
max time network: 174s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 30-11-2022 14:19

Static task: static1
Behavioral task: behavioral1
Sample: 830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll
Resource: win7-20221111-en
General
Target: 830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll
Size: 493KB
MD5: efddc2807ecbdffd694cd97936404053
SHA1: c68b7b94e591fbc4cda9bdb8c2caaa33880464c7
SHA256: 830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46
SHA512: e6b0fd0f52c5b7e82bb66d08c4a3f8a4bddf1ce75c140e73afb4c1f57131df81e5d39f7833de15b40e980f0605bfd1840f81b610134634db000f6e18388bf09a
SSDEEP: 12288:WsCr6MfAEtHaqxnXmtkl0CMh+1wY7JuegO4I9y:Wsi6MBtHBzlRMg1wY34I9y
Malware Config
Extracted
Family: zloader
Botnet: nut
Campaign: 18/02
C2 (gate URLs):
https://ramkanshop.ir/post.php
https://lph786.com/post.php
https://efaschoolfarooka.com/post.php
https://forexstick.com/post.php
https://firteccom.com/post.php
https://www.psychologynewmind.com/post.php
https://dirashightapbide.tk/post.php
build_id: 358
Signatures

Suspicious use of SetThreadContext (1 IoC)
description                                 pid   process       target process
PID 2040 set thread context of 2036         2040  rundll32.exe  msiexec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                                 pid   process
Token: SeSecurityPrivilege                  2036  msiexec.exe
Token: SeSecurityPrivilege                  2036  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description                                 pid   process       target process
PID 2032 wrote to memory of 2040 (7 times)  2032  rundll32.exe  rundll32.exe
PID 2040 wrote to memory of 2036 (9 times)  2040  rundll32.exe  msiexec.exe
Processes

C:\Windows\system32\rundll32.exe (PID 2032)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2040)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe (PID 2036)
      command line: msiexec.exe
      - Suspicious use of AdjustPrivilegeToken

PIDs are taken from the Signatures tables above. Read top to bottom: the sandbox loads the DLL by export ordinal (,#1) with the 64-bit rundll32.exe, which re-launches the 32-bit copy from SysWOW64 (what the 64-bit rundll32.exe does when handed a 32-bit DLL); that 32-bit rundll32.exe starts msiexec.exe, writes into it nine times and sets a thread context once, the WriteProcessMemory + SetThreadContext injection pattern, and the hollowed msiexec.exe then enables SeSecurityPrivilege on its own token.
Downloads
memory/2036-59-0x0000000000090000-0x00000000000B9000-memory.dmp  164KB
memory/2036-61-0x0000000000090000-0x00000000000B9000-memory.dmp  164KB
memory/2036-62-0x0000000000000000-mapping.dmp
memory/2036-65-0x0000000000090000-0x00000000000B9000-memory.dmp  164KB
memory/2036-66-0x0000000000090000-0x00000000000B9000-memory.dmp  164KB
memory/2040-54-0x0000000000000000-mapping.dmp
memory/2040-55-0x0000000075991000-0x0000000075993000-memory.dmp  8KB
memory/2040-57-0x0000000074600000-0x00000000746DD000-memory.dmp  884KB
memory/2040-56-0x0000000074600000-0x0000000074629000-memory.dmp  164KB
memory/2040-58-0x0000000074600000-0x00000000746DD000-memory.dmp  884KB
memory/2040-63-0x0000000074600000-0x00000000746DD000-memory.dmp  884KB
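The Signatures tables and the memory-dump list can be cross-checked mechanically. The Python below is an added example, not part of the sandbox report or of the sample: it re-parses the report's own behaviour records and dump file names (copied from this page; the 7x and 9x repeat counts are reproduced by multiplication) to flag the source/target pair that shows both WriteProcessMemory and SetThreadContext, collect the privileges the target enabled, and then apply a size-matching heuristic of this example's own (not a report field) to pick the dumped target region that is the same size as one dumped from the injector. On this page that is the 164KB region 0x90000-0xB9000 in msiexec.exe (PID 2036), which matches dump 2040-56 at 0x74600000-0x74629000 taken from the injecting rundll32.exe. The regexes, function names and the heuristic are this example's assumptions.

```python
import re
from collections import Counter, defaultdict

# Behaviour records copied from this report's Signatures tables; the report prints
# one record per API call, so the 7 and 9 repeats are reproduced by multiplication.
BEHAVIOUR_LINES = (
    ["PID 2040 set thread context of 2036 2040 rundll32.exe msiexec.exe"]
    + ["Token: SeSecurityPrivilege 2036 msiexec.exe"] * 2
    + ["PID 2032 wrote to memory of 2040 2032 rundll32.exe rundll32.exe"] * 7
    + ["PID 2040 wrote to memory of 2036 2040 rundll32.exe msiexec.exe"] * 9
)
# Dump file names copied from this report's Downloads list.
DUMP_NAMES = [
    "memory/2036-59-0x0000000000090000-0x00000000000B9000-memory.dmp",
    "memory/2036-61-0x0000000000090000-0x00000000000B9000-memory.dmp",
    "memory/2036-62-0x0000000000000000-mapping.dmp",
    "memory/2036-65-0x0000000000090000-0x00000000000B9000-memory.dmp",
    "memory/2036-66-0x0000000000090000-0x00000000000B9000-memory.dmp",
    "memory/2040-54-0x0000000000000000-mapping.dmp",
    "memory/2040-55-0x0000000075991000-0x0000000075993000-memory.dmp",
    "memory/2040-57-0x0000000074600000-0x00000000746DD000-memory.dmp",
    "memory/2040-56-0x0000000074600000-0x0000000074629000-memory.dmp",
    "memory/2040-58-0x0000000074600000-0x00000000746DD000-memory.dmp",
    "memory/2040-63-0x0000000074600000-0x00000000746DD000-memory.dmp",
]
# Line shapes as they appear on the page (this example's reading of the format).
XPROC_RE = re.compile(r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
                      r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)")
TOKEN_RE = re.compile(r"Token: (?P<priv>\S+) (?P<pid>\d+) \S+")
DUMP_RE = re.compile(r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")

def parse_behaviour(lines):
    """Turn report lines into event dicts; lines of any other shape are ignored."""
    events = []
    for line in lines:
        if m := XPROC_RE.match(line):
            events.append({"kind": m["verb"], "src": int(m["src"]), "dst": int(m["dst"]),
                           "src_img": m["src_img"], "dst_img": m["dst_img"]})
        elif m := TOKEN_RE.match(line):
            events.append({"kind": "token", "pid": int(m["pid"]), "priv": m["priv"]})
    return events

def find_hollowing_candidates(events):
    """Flag each (source, target) pair showing BOTH a memory write and a SetThreadContext,
    the classic hollowing/injection combination. Writes alone (a parent setting up a
    child it just created, like 2032 -> 2040 here) are not flagged."""
    writes, ctx, images = Counter(), Counter(), {}
    for e in events:
        if e["kind"] == "wrote to memory of":
            writes[(e["src"], e["dst"])] += 1
        elif e["kind"] == "set thread context of":
            ctx[(e["src"], e["dst"])] += 1
        else:
            continue
        images[(e["src"], e["dst"])] = (e["src_img"], e["dst_img"])
    return [{"injector": s, "injector_image": images[(s, d)][0], "target": d,
             "target_image": images[(s, d)][1], "writes": writes[(s, d)],
             "thread_context": ctx[(s, d)]} for s, d in sorted(set(writes) & set(ctx))]

def token_privileges(events):
    """Privileges each process enabled through AdjustTokenPrivileges."""
    privs = defaultdict(set)
    for e in events:
        if e["kind"] == "token":
            privs[e["pid"]].add(e["priv"])
    return dict(privs)

def parse_dumps(names):
    """Group dumped (start, end) ranges by PID; mapping.dmp files carry no range."""
    regions = defaultdict(set)
    for name in names:
        if m := DUMP_RE.match(name):
            regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
    return dict(regions)

def match_injected_regions(regions, injector, target):
    """Heuristic of this example, not a report field: a target region whose size equals
    one dumped from the injector is the likely copy of the unpacked payload.
    Returns (target_range, injector_range, size) tuples."""
    return [(t, i, t[1] - t[0])
            for t in sorted(regions.get(target, ()))
            for i in sorted(regions.get(injector, ()))
            if i[1] - i[0] == t[1] - t[0]]

if __name__ == "__main__":
    events, dumps = parse_behaviour(BEHAVIOUR_LINES), parse_dumps(DUMP_NAMES)
    for c in find_hollowing_candidates(events):
        print(f"{c['injector_image']} ({c['injector']}) -> {c['target_image']} ({c['target']}): "
              f"{c['writes']} writes, {c['thread_context']} SetThreadContext")
        for t, i, size in match_injected_regions(dumps, c["injector"], c["target"]):
            print(f"  target {t[0]:#x}-{t[1]:#x} matches injector {i[0]:#x}-{i[1]:#x} ({size // 1024} KB)")
    print("privileges enabled:", token_privileges(events))
```

Running it reports one candidate, rundll32.exe (2040) -> msiexec.exe (2036) with 9 writes and 1 SetThreadContext, plus the 164KB region match; the parent pair 2032 -> 2040 has writes but no thread-context change and is left alone. The size match only says which dump to open first: confirm it by checking that 0x90000-0xB9000 in PID 2036 is private rather than image-backed memory and by comparing its bytes with dump 2040-56.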