Analysis
- max time kernel: 1683s
- max time network: 1701s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-10-2023 09:03

Static task: static1 (1 signatures)

Behavioral task: behavioral1
- Sample: favicon.dll
- Resource: win7-20231020-en
- Platform: windows7-x64
- 7 signatures
- 1800 seconds
General
- Target: favicon.dll
- Size: 646KB
- MD5: 1d700b208c65ca26efe5fa4be4749569
- SHA1: 3deeff224b359ca2b28a841a116b84b783206adc
- SHA256: f97954d9c80dbfee223fb704863c5a156912f450eee2d0510af6301dfd919f09
- SHA512: 8c5bcbdf35f4e3ad1177d98b0944b1ec9f407a7bd537af5ecd8e5aad37a67c4c46748bfbe165b4edb6348324e4b97d26a6e1af0007f458c3f697a6757cb05d92
- SSDEEP: 12288:A1Xiy+UrnWHWzB2nWSgg6Uyan4jN3PMLYHBlIfNGwOF4IurIU+ls:JlUKQgWfg6qkHMOF8IU
Malware Config (Extracted)
- Family: zloader
- Botnet: mk1
- Campaign: mac2
- C2: https://dssdffsdf.drld/mm.php
- Attributes:
  - build_id: 43
  - rc4.plain
  - rsa_pubkey.plain
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description                  pid   Process       procid_target
  PID 1328 created 3132        1328  rundll32.exe  43

Blocklisted process makes network request (3 IoCs)
  flow  pid  Process
  92    184  msiexec.exe
  95    184  msiexec.exe
  97    184  msiexec.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                            pid   Process       procid_target
  PID 1328 set thread context of 184     1328  rundll32.exe  109

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1328  rundll32.exe
  1328  rundll32.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                  pid   Process
  Token: SeDebugPrivilege      1328  rundll32.exe
  Token: SeSecurityPrivilege   184   msiexec.exe
  Token: SeSecurityPrivilege   184   msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid   Process       procid_target
  PID 2312 wrote to memory of 1328    2312  rundll32.exe  88
  PID 2312 wrote to memory of 1328    2312  rundll32.exe  88
  PID 2312 wrote to memory of 1328    2312  rundll32.exe  88
  PID 1328 wrote to memory of 184     1328  rundll32.exe  109
  PID 1328 wrote to memory of 184     1328  rundll32.exe  109
  PID 1328 wrote to memory of 184     1328  rundll32.exe  109
  PID 1328 wrote to memory of 184     1328  rundll32.exe  109
  PID 1328 wrote to memory of 184     1328  rundll32.exe  109
Processes
- C:\Windows\Explorer.EXE  [cmd: C:\Windows\Explorer.EXE]  PID:3132
  - C:\Windows\system32\rundll32.exe  [cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\favicon.dll,#1]  PID:2312
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe  [cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\favicon.dll,#1]  PID:1328
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe  [cmd: msiexec.exe]  PID:184
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken