Resubmissions
31-01-2024 21:42  240131-1ktpsadab6  10
24-01-2024 07:47  240124-jml92sdcd6  10
23-01-2024 11:54  240123-n25r6ahhfk  10
24-06-2020 13:36  200624-enc457kzrj  10
Analysis
max time kernel: 7s
max time network: 149s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31-01-2024 21:42
Static task: static1
Behavioral task: behavioral1
Sample: A004BC8B4F3DB1EF5A66579B9746B5B1.dll
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: A004BC8B4F3DB1EF5A66579B9746B5B1.dll
Resource: win10v2004-20231215-en
General
Target: A004BC8B4F3DB1EF5A66579B9746B5B1.dll
Size: 424KB
MD5: a004bc8b4f3db1ef5a66579b9746b5b1
SHA1: 88a5fcebfd7a037a9ca9573772ac2334a61b25de
SHA256: 42bb5eae534eb2cea979c300b797a65febf291b28aea0b9d8bbea7d0a41bffa2
SHA512: 28aed111b2ecea90c2da03871f36272b8680d392c245fdf0e2f4d4454974a3a51d6744133cecfc2576bbc778742f9b824e8355026b53d029d13ff79bb2136f9b
SSDEEP: 6144:kQ0fpRug1NzpAhY2Zgi1ny2YT2oqCesyc+V6pDDW3FdREH5gH+xWz1:kQ0Rsg58Yti9y2voysiVmO3BlH+W
Malware Config
Extracted
zloader
June18newret
June
http://snnmnkxdhflwgthqismb.com/web/post.php
http://nlbmfsyplohyaicmxhum.com/web/post.php
http://softwareserviceupdater1.com/web/post.php
http://softwareserviceupdater2.com/web/post.php
build_id: 3
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2220 | chrome.exe (2 identical rows)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2220 | chrome.exe (8 identical rows)

Suspicious use of FindShellTrayWindow (34 IoCs)
pid | Process
2220 | chrome.exe (34 identical rows)

Suspicious use of SendNotifyMessage (32 IoCs)
pid | Process
2220 | chrome.exe (32 identical rows)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2464 wrote to memory of 2968 | 2464 | rundll32.exe | 28 (7 identical rows)
PID 2220 wrote to memory of 1684 | 2220 | chrome.exe | 30 (3 identical rows)
PID 2220 wrote to memory of 2704 | 2220 | chrome.exe | 32 (39 identical rows)
PID 2220 wrote to memory of 840 | 2220 | chrome.exe | 34 (3 identical rows)
PID 2220 wrote to memory of 2820 | 2220 | chrome.exe | 33 (12 identical rows)
Processes

C:\Windows\system32\rundll32.exe  (PID 2464)
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\A004BC8B4F3DB1EF5A66579B9746B5B1.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (PID 2968)
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\A004BC8B4F3DB1EF5A66579B9746B5B1.dll,#1
    C:\Windows\SysWOW64\msiexec.exe  (PID 2596)
      command: msiexec.exe

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2220)
  command: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1684)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6799758,0x7fef6799768,0x7fef6799778
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2704)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1084 --field-trial-handle=1376,i,14609520333016615241,7501977442914536008,131072 /prefetch:2
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2820)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1376,i,14609520333016615241,7501977442914536008,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 840)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1376,i,14609520333016615241,7501977442914536008,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2912)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1376,i,14609520333016615241,7501977442914536008,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2828)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2320 --field-trial-handle=1376,i,14609520333016615241,7501977442914536008,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1468)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1388 --field-trial-handle=1376,i,14609520333016615241,7501977442914536008,131072 /prefetch:2
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2192)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3272 --field-trial-handle=1376,i,14609520333016615241,7501977442914536008,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3004)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3644 --field-trial-handle=1376,i,14609520333016615241,7501977442914536008,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3000)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3532 --field-trial-handle=1376,i,14609520333016615241,7501977442914536008,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 432)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3552 --field-trial-handle=1376,i,14609520333016615241,7501977442914536008,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1192)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3896 --field-trial-handle=1376,i,14609520333016615241,7501977442914536008,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2612)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3852 --field-trial-handle=1376,i,14609520333016615241,7501977442914536008,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2636)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3924 --field-trial-handle=1376,i,14609520333016615241,7501977442914536008,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1560)
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 --field-trial-handle=1376,i,14609520333016615241,7501977442914536008,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  (PID 524)
  command: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\explorer.exe  (PID 2996)
  command: "C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE  (PID 2192)
  command: C:\Windows\system32\AUDIODG.EXE 0x584
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: e3598c31d5b657aba28a0f4c49e5b57f
SHA1: e3bf59c70ae2eb1762ac6e2520f79c6b85f77e9e
SHA256: 6e0dddfe02155c6425a5cce606bc9f8d7f699c534d12dfc73375eea2d190db1c
SHA512: 5dc98875f1ee99730847bba7f92ee92b241670cf391849d0be3c902e82a1b235ab9e0862556509a03c24860d71b999fc844b92cbc8b7eeb76a8cccdcf93024da
-
Filesize: 519B
MD5: 0bc6efdf82ea95b429ead216e3b48069
SHA1: de04b2b8961098f9b7ccb561166ecf66656dc012
SHA256: 680db9549cbc8a2fcac5d677fc748810225be0ca3f30e985de50e9c97d4bbd99
SHA512: b97c34c3b1366a6089343e55e19f172ae1d31ddbe651be28348560372cb4a93916393f39f6aaf568886f0d6dffe3d52ff3a3682e7f29b25a3ab90ee1b9188fb5
-
Filesize: 521B
MD5: 27fba5989733a365e07ad13229ed8c18
SHA1: f3d31a828b35293723086579bd3c1bb396ba49b3
SHA256: 7a1d1ee6b618da3c23263cc4745f4bdf121718c888d2869d4a931ec140d710ec
SHA512: f3154e60ed68e373618ce17ff308a898074fc6fcae4bfeb7267d2aaabe42bd3df62567d467be5fd94a6722b5cbc6fe3dcbc2d48ba6fffa7fd6509b7c83d8d60c
-
Filesize: 4KB
MD5: df2096618ef7a6194f21a550a3bb92ac
SHA1: 65639caaa1ead62abac056dc92c1567942e1055d
SHA256: 8c6fa9c40e7bf767aee03c04830bba13fa44c3f20d506e649a8c5f6103e6ffdd
SHA512: c0727135924c89f1555b06f3e114487f11e65de4cd2427fa5effd2b69c4d2a269abb47757564f4d18ee593542aa5d68844447018baea7d2d30043066b2cf9e6e
-
Filesize: 5KB
MD5: bf251ccc727a073fb64aa12ea2835854
SHA1: 71d572fdd0660b831d9c2d4e96d6c1b8508cf69b
SHA256: 96af7c724996f72da346f1d65ec3aaa50311d5e53f384ffffbdad9a2e47addbd
SHA512: 9de45a1aabeed04552c7af0083c1bb311ef65342338cae5e40b212ac0306042b2dd07799d2a7d47dc2c1ecc1909d2b0fe7e1ac10d130a841a53d0a7ab7e363f0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize: 16B
MD5: 18e723571b00fb1694a3bad6c78e4054
SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d802ccc5-6766-43e5-be79-c7cb882325ef.tmp
Filesize: 5KB
MD5: 19da75138cff51a6b3d60c129b308a2e
SHA1: 8fa184417367a1556f3024ca209a2c7c3d6a0d40
SHA256: 90e53c0ce0bb3d3e079fb4a9b0a85936852642c7a069e17618c4ea137eb7bc84
SHA512: 5ac4dad21f81d1cdff58e19392cf5841f6058980404b84538d44b125114854b74843212f79500ea322d1eeaf5d9d4ba8645c4f632acff40eb3119cec6810cba0
-
Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58