Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 26-12-2022 13:26

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll
  Resource: win7-20221111-en
- Behavioral task: behavioral2
  Sample: b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll
  Resource: win10-20220901-en
General
- Target: b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll
- Size: 345KB
- MD5: adba2ac8f027946da258155b140c068a
- SHA1: 91b1dceb17403910d7aa9bee1029f11153accff4
- SHA256: b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279
- SHA512: 356865ecaf00b10af50ec1f7ffdcc89249e1eaf2a1648c970393d7c66359e578ce9d6987f66dc49cb769e36e8ea62c4ff17d6b173bc793b61fa81e11e619229f
- SSDEEP: 6144:q9xZILKtmfbcPK2U6gRURSxE8efnQe+R+FNHmZ04aR31cdpN0V:q9xZIL1bcPRUrURAOn8gTGCPMwV
Malware Config
Extracted
- Family: zloader
- Botnet: nut
- Campaign: 16/02
- C2:
  https://wewalk.cl/post.php
  https://dpack-co.com/post.php
  https://dr-mirahmadi.ir/post.php
  https://indiaastrologyfoundation.in/post.php
  https://metisacademy.ir/post.php
  https://lan-samarinda.com/post.php
  https://pyouleigorgawimbwans.tk/post.php
- build_id: 351
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow | pid  | process
  7    | 1276 | msiexec.exe
  9    | 1276 | msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          | pid  | process      | target process
  PID 1992 set thread context of 1276  | 1992 | rundll32.exe | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description                 | pid  | process
  Token: SeSecurityPrivilege  | 1276 | msiexec.exe
  Token: SeSecurityPrivilege  | 1276 | msiexec.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  description                          | pid  | process      | target process
  PID 1724 wrote to memory of 1992     | 1724 | rundll32.exe | rundll32.exe   (7 identical entries)
  PID 1992 wrote to memory of 1276     | 1992 | rundll32.exe | msiexec.exe    (9 identical entries)
Processes
1. C:\Windows\system32\rundll32.exe (PID 1724)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1992)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe (PID 1276)
         msiexec.exe
         - Blocklisted process makes network request
         - Suspicious use of AdjustPrivilegeToken
Downloads
file                                                                     | size
memory/1276-59-0x0000000000090000-0x00000000000B9000-memory.dmp          | 164KB
memory/1276-61-0x0000000000090000-0x00000000000B9000-memory.dmp          | 164KB
memory/1276-62-0x0000000000000000-mapping.dmp                            | -
memory/1276-65-0x0000000000090000-0x00000000000B9000-memory.dmp          | 164KB
memory/1276-66-0x0000000000090000-0x00000000000B9000-memory.dmp          | 164KB
memory/1992-54-0x0000000000000000-mapping.dmp                            | -
memory/1992-55-0x0000000075D51000-0x0000000075D53000-memory.dmp          | 8KB
memory/1992-57-0x0000000074C80000-0x0000000074D35000-memory.dmp          | 724KB
memory/1992-56-0x0000000074C80000-0x0000000074CA9000-memory.dmp          | 164KB
memory/1992-58-0x0000000074C80000-0x0000000074D35000-memory.dmp          | 724KB
memory/1992-63-0x0000000074C80000-0x0000000074D35000-memory.dmp          | 724KB