Analysis
max time kernel: 88s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-12-2022 13:26

Static task: static1

Behavioral task: behavioral1
  Sample: b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll
  Resource: win10-20220901-en
General
Target: b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll
Size: 345KB
MD5: adba2ac8f027946da258155b140c068a
SHA1: 91b1dceb17403910d7aa9bee1029f11153accff4
SHA256: b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279
SHA512: 356865ecaf00b10af50ec1f7ffdcc89249e1eaf2a1648c970393d7c66359e578ce9d6987f66dc49cb769e36e8ea62c4ff17d6b173bc793b61fa81e11e619229f
SSDEEP: 6144:q9xZILKtmfbcPK2U6gRURSxE8efnQe+R+FNHmZ04aR31cdpN0V:q9xZIL1bcPRUrURAOn8gTGCPMwV
Malware Config
Extracted
Family: zloader
Botnet: nut
Campaign: 16/02
C2:
  https://wewalk.cl/post.php
  https://dpack-co.com/post.php
  https://dr-mirahmadi.ir/post.php
  https://indiaastrologyfoundation.in/post.php
  https://metisacademy.ir/post.php
  https://lan-samarinda.com/post.php
  https://pyouleigorgawimbwans.tk/post.php
build_id: 351
Signatures

Blocklisted process makes network request (27 IoCs)
  msiexec.exe (PID 2444) made network requests on flows 17, 19, 48-53, 56-67, 69-74 and 76.

Suspicious use of SetThreadContext (1 IoC)
  PID 1272 rundll32.exe set the thread context of PID 2444 msiexec.exe.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 2444 msiexec.exe adjusted SeSecurityPrivilege in its token (2 events).

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1080 rundll32.exe wrote to the memory of PID 1272 rundll32.exe (3 events).
  PID 1272 rundll32.exe wrote to the memory of PID 2444 msiexec.exe (5 events).
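The signature tables above are raw per-API events; what an analyst wants is the chain they form and which pair of processes shows the write-then-SetThreadContext pattern. The script below is an added example, not code from the sandbox or from this report. Its event records are constructed to mirror the tables above (same PIDs, same event counts); the record field names (api, pid, process, target_pid, target, flow, privilege) are an assumed schema for the example, not a real sandbox export format.

```python
"""Correlate sandbox API-call signatures into a process-injection chain.

Added example; not code from the sandbox or from the page. The events below
are constructed to mirror the signature tables (rundll32.exe 1080 ->
rundll32.exe 1272 -> msiexec.exe 2444). The record schema is an assumption.
"""
from collections import defaultdict

WPM, STC, NET, PRIV = ("WriteProcessMemory", "SetThreadContext",
                       "NetworkRequest", "AdjustPrivilegeToken")


def _cross(api, pid, proc, tpid, tproc, n=1):
    """n identical cross-process records from (pid, proc) to (tpid, tproc)."""
    return [{"api": api, "pid": pid, "process": proc,
             "target_pid": tpid, "target": tproc} for _ in range(n)]


# Flow ids taken from the "Blocklisted process makes network request" table.
FLOWS = [17, 19, *range(48, 54), *range(56, 68), *range(69, 75), 76]

# Constructed sample events (counts match the IoC counts on this page).
EVENTS = (
    _cross(WPM, 1080, "rundll32.exe", 1272, "rundll32.exe", 3)
    + _cross(WPM, 1272, "rundll32.exe", 2444, "msiexec.exe", 5)
    + _cross(STC, 1272, "rundll32.exe", 2444, "msiexec.exe")
    + [{"api": PRIV, "pid": 2444, "process": "msiexec.exe",
        "privilege": "SeSecurityPrivilege"} for _ in range(2)]
    + [{"api": NET, "pid": 2444, "process": "msiexec.exe", "flow": f}
       for f in FLOWS]
)


def injection_pairs(events):
    """Count writes and thread-context changes per (injector, target) pair."""
    pairs = defaultdict(lambda: {"writes": 0, "set_thread_context": 0})
    for e in events:
        if e["api"] not in (WPM, STC):
            continue
        key = ((e["pid"], e["process"]), (e["target_pid"], e["target"]))
        field = "writes" if e["api"] == WPM else "set_thread_context"
        pairs[key][field] += 1
    return dict(pairs)


def hollowing_findings(events):
    """One finding per injector/target pair.

    A pair is flagged as hollowing only when the same injector both wrote
    into the target and replaced a thread context there; a write on its own
    (here, the x64 rundll32 handing the 32-bit DLL to its WOW64 counterpart)
    is reported but not flagged. The target's later network flows and token
    privilege changes are attached so the analyst sees who talks to C2.
    """
    net, privs = defaultdict(list), defaultdict(set)
    for e in events:
        if e["api"] == NET:
            net[e["pid"]].append(e["flow"])
        elif e["api"] == PRIV:
            privs[e["pid"]].add(e["privilege"])
    findings = []
    for (injector, target), c in injection_pairs(events).items():
        findings.append({
            "injector": injector,
            "target": target,
            "writes": c["writes"],
            "set_thread_context": c["set_thread_context"],
            "hollowing": c["writes"] > 0 and c["set_thread_context"] > 0,
            "network_flows": sorted(net[target[0]]),
            "privileges": sorted(privs[target[0]]),
        })
    return findings


def chain(events):
    """Render injector -> target edges as one chain from the root injector.

    Assumes each injector has a single target, which holds for this report.
    """
    edges = {inj: tgt for inj, tgt in injection_pairs(events)}
    roots = [inj for inj in edges if inj not in edges.values()]
    if len(roots) != 1:
        raise ValueError("expected exactly one root injector, got %r" % roots)
    node, path = roots[0], [roots[0]]
    while node in edges:
        node = edges[node]
        path.append(node)
    return " -> ".join("%s(%d)" % (name, pid) for pid, name in path)


if __name__ == "__main__":
    print(chain(EVENTS))
    for f in hollowing_findings(EVENTS):
        flag = "HOLLOWING" if f["hollowing"] else "write-only"
        print(flag, f["injector"], "->", f["target"],
              "writes=%d stc=%d flows=%d privs=%s" % (
                  f["writes"], f["set_thread_context"],
                  len(f["network_flows"]), f["privileges"]))
```

The point of splitting writes from SetThreadContext is precision: the x64-to-WOW64 rundll32 hand-off also produces WriteProcessMemory events, so a rule that alerts on cross-process writes alone would fire on both edges, while requiring the context replacement singles out the rundll32.exe (1272) to msiexec.exe (2444) edge that carries the 27 network flows.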
Processes

C:\Windows\system32\rundll32.exe (PID 1080)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 1272)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe (PID 2444)
      msiexec.exe
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken

Read together with the signatures: the 64-bit rundll32.exe (1080) is handed the DLL by export ordinal #1 and re-launches its SysWOW64 counterpart (1272), which shows the DLL is 32-bit. That second rundll32.exe starts msiexec.exe (2444), writes into it five times and then replaces its thread context with SetThreadContext, the usual process-hollowing sequence. The hollowed msiexec.exe is the process the sandbox recorded making network requests, so network-side detection for this sample should key on msiexec.exe, not on rundll32.exe.
Downloads
memory/1272-132-0x0000000000000000-mapping.dmp
memory/1272-134-0x0000000075500000-0x00000000755B5000-memory.dmp (724KB)
memory/1272-133-0x0000000075500000-0x0000000075529000-memory.dmp (164KB)
memory/1272-135-0x0000000075500000-0x00000000755B5000-memory.dmp (724KB)
memory/1272-138-0x0000000075500000-0x00000000755B5000-memory.dmp (724KB)
memory/2444-136-0x0000000000000000-mapping.dmp
memory/2444-137-0x0000000000DC0000-0x0000000000DE9000-memory.dmp (164KB)
memory/2444-139-0x0000000000DC0000-0x0000000000DE9000-memory.dmp (164KB)
memory/2444-140-0x0000000000DC0000-0x0000000000DE9000-memory.dmp (164KB)

The 0x29000-byte (164KB) region dumped from rundll32.exe (1272) at 0x75500000 and the region dumped three times from msiexec.exe (2444) at 0xDC0000 are the same size, consistent with the unpacked module being copied into the hollowed msiexec.exe. The 2444 dumps are the ones to pull for config extraction; the 724KB dumps from 1272 cover the full mapped DLL image.