Analysis
max time kernel: 143s
max time network: 147s
platform: windows7_x64
resource: win7v20201028
submitted: 31-10-2020 09:13

Static task: static1
Behavioral task: behavioral1
Sample: Exampleth.dll
Resource: win7v20201028
0 signatures
0 seconds
General
Target: Exampleth.dll
Size: 452KB
MD5: 1c48729a2cfa0b985e36818822858436
SHA1: 19d51e298f43c00af96861f1f6ffaf39132a187d
SHA256: f2e73ee6ab0ad79e0cd537bd856d9e694851912283bca7fb73eb3fc335528353
SHA512: 538c1ddd8be6c91f99f5579589877031a89f64743678d3f1f6d3a2b10ff861f76768ff7d8bc7d4d2c7826ab820d2c4ff254eacb60a76fdf7c1af43c9bf72d424
Malware Config
Extracted
Family: zloader
Botnet: miguel
Campaign: 17/04
C2:
  https://lgepubbf.icu/wp-config.php
  https://ajvwdjtebb.pw/wp-config.php
rc4.plain
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
description                          | pid | process      | target process
PID 916 set thread context of 1180   | 916 | rundll32.exe | msiexec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description                 | pid  | process
Token: SeSecurityPrivilege  | 1180 | msiexec.exe
Token: SeSecurityPrivilege  | 1180 | msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
description                      | pid  | process      | target process | events
PID 1992 wrote to memory of 916  | 1992 | rundll32.exe | rundll32.exe   | 7
PID 916 wrote to memory of 1180  | 916  | rundll32.exe | msiexec.exe    | 9
Processes

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Exampleth.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Exampleth.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe
         command line: msiexec.exe
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/916-0-0x0000000000000000-mapping.dmp
memory/1180-1-0x0000000000090000-0x00000000000C4000-memory.dmp (Filesize: 208KB)
memory/1180-2-0x0000000000110000-0x0000000000111000-memory.dmp (Filesize: 4KB)
memory/1180-3-0x0000000000090000-0x00000000000C4000-memory.dmp (Filesize: 208KB)
memory/1180-4-0x0000000000000000-mapping.dmp
memory/1936-5-0x000007FEF7020000-0x000007FEF729A000-memory.dmp (Filesize: 2.5MB)