Analysis
max time kernel: 124s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 16:32
Static task: static1
Behavioral task: behavioral1
Sample: b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll
Resource: win7-20220812-en
General
Target: b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll
Size: 345KB
MD5: adba2ac8f027946da258155b140c068a
SHA1: 91b1dceb17403910d7aa9bee1029f11153accff4
SHA256: b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279
SHA512: 356865ecaf00b10af50ec1f7ffdcc89249e1eaf2a1648c970393d7c66359e578ce9d6987f66dc49cb769e36e8ea62c4ff17d6b173bc793b61fa81e11e619229f
SSDEEP: 6144:q9xZILKtmfbcPK2U6gRURSxE8efnQe+R+FNHmZ04aR31cdpN0V:q9xZIL1bcPRUrURAOn8gTGCPMwV
Malware Config
Extracted
family: zloader
botnet: nut
campaign: 16/02
build_id: 351
Signatures
Blocklisted process makes network request (27 IoCs)
Processes (flow / pid / process): flows 44, 46, 56-73, 75-80 and 82, all from pid 2744 msiexec.exe
Suspicious use of SetThreadContext (1 IoC)
Processes (pid / process -> target pid / target process): PID 3256 rundll32.exe set thread context of 2744 msiexec.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (token / pid / process): SeSecurityPrivilege 2744 msiexec.exe (2 occurrences)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (pid / process -> target pid / target process):
PID 4440 rundll32.exe wrote to memory of 3256 rundll32.exe (3 occurrences)
PID 3256 rundll32.exe wrote to memory of 2744 msiexec.exe (5 occurrences)
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe
      command line: msiexec.exe
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
Downloads
Dump file / Filesize:
memory/2744-136-0x0000000000000000-mapping.dmp
memory/2744-137-0x0000000000780000-0x00000000007A9000-memory.dmp / 164KB
memory/2744-139-0x0000000000780000-0x00000000007A9000-memory.dmp / 164KB
memory/2744-140-0x0000000000780000-0x00000000007A9000-memory.dmp / 164KB
memory/3256-132-0x0000000000000000-mapping.dmp
memory/3256-134-0x00000000755A0000-0x0000000075655000-memory.dmp / 724KB
memory/3256-133-0x00000000755A0000-0x00000000755C9000-memory.dmp / 164KB
memory/3256-135-0x00000000755A0000-0x0000000075655000-memory.dmp / 724KB
memory/3256-138-0x00000000755A0000-0x0000000075655000-memory.dmp / 724KB