Overview

overview

10

Static

static

tfR5r4pw.dll

windows7_x64

10

tfR5r4pw.dll

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    02-07-2020 16:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tfR5r4pw.dll

  • Size

    634KB

  • MD5

    004d3ff1fe0ec1d0a90913f1238f293f

  • SHA1

    fe3a1f35f5c21ce72a1ef05cbf2824a51827a5f2

  • SHA256

    3dd800b875aa0ef2fa0923babdd4b162555a1c3ff3c58e9291d45fff82389816

  • SHA512

    d8ad97df2d05d9ab88ed3e96e2e7c24efb57ec090737943f52548b1c39e2de9eaf270e20baa0728a31ffdc8745444abf18c07dbca4cce3f3a553c0709d8693ea

Score
10/10
trojanbotnetzloader

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader
  • ServiceHost packer 1 IoCs

    Detects ServiceHost packer used for .NET malware

  • Blacklisted process makes network request 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3024
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\tfR5r4pw.dll,#1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:640
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\tfR5r4pw.dll,#1
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:796
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 596
            4⤵
            • Suspicious use of NtCreateProcessExOtherParentProcess
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3904
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe
        2⤵
        • Blacklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken
        PID:2800

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/796-0-0x0000000000000000-mapping.dmp
      Download
    • memory/796-4-0x0000000000000000-mapping.dmp
      Download
    • memory/2800-1-0x0000000003240000-0x000000000326C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/2800-2-0x0000000000000000-mapping.dmp
      Download
    • memory/3904-3-0x0000000004E60000-0x0000000004E61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3904-5-0x0000000005820000-0x0000000005821000-memory.dmp
      Filesize

      4KB

      Download