Analysis
- max time kernel: 135s
- max time network: 136s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 19:34
Behavioral task behavioral1
- Sample: SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task behavioral2
- Sample: SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll
- Resource: win10v20201028 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll
- Size: 486KB
- MD5: cde56cf0169830ee0059ee385c0c5eaf
- SHA1: 08aacb48ffcdc6b49af18d01155982984de230f7
- SHA256: cb762227729d0faadc4c33a4a55b513673a9c76284773535b0e07d7e47d8413e
- SHA512: 234ddd4191c1abdfe04d9cc1afe2fed2901ef4d38404d0568a356218bc62096d200dd8ec28c8980da4a5852b0a481bf698b244f51d13560b303285b99105b3dd
Malware Config
Extracted
- Family: zloader
- Botnet: 05/05
- Campaign: https://rswtgmhf.pw/wp-config.php
- C2: https://fwgdhdln.icu/wp-config.php
- rc4.plain
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  description                           pid   process       target process
  PID 1308 set thread context of 1704   1308  rundll32.exe  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  description                 pid   process
  Token: SeSecurityPrivilege  1704  msiexec.exe
  Token: SeSecurityPrivilege  1704  msiexec.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 1960 wrote to memory of 1308   1960  rundll32.exe  rundll32.exe
  PID 1960 wrote to memory of 1308   1960  rundll32.exe  rundll32.exe
  PID 1960 wrote to memory of 1308   1960  rundll32.exe  rundll32.exe
  PID 1960 wrote to memory of 1308   1960  rundll32.exe  rundll32.exe
  PID 1960 wrote to memory of 1308   1960  rundll32.exe  rundll32.exe
  PID 1960 wrote to memory of 1308   1960  rundll32.exe  rundll32.exe
  PID 1960 wrote to memory of 1308   1960  rundll32.exe  rundll32.exe
  PID 1308 wrote to memory of 1704   1308  rundll32.exe  msiexec.exe
  PID 1308 wrote to memory of 1704   1308  rundll32.exe  msiexec.exe
  PID 1308 wrote to memory of 1704   1308  rundll32.exe  msiexec.exe
  PID 1308 wrote to memory of 1704   1308  rundll32.exe  msiexec.exe
  PID 1308 wrote to memory of 1704   1308  rundll32.exe  msiexec.exe
  PID 1308 wrote to memory of 1704   1308  rundll32.exe  msiexec.exe
  PID 1308 wrote to memory of 1704   1308  rundll32.exe  msiexec.exe
  PID 1308 wrote to memory of 1704   1308  rundll32.exe  msiexec.exe
  PID 1308 wrote to memory of 1704   1308  rundll32.exe  msiexec.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1, PID 1960)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2, PID 1308)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (depth 3, PID 1704)
      Command line: msiexec.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1308-0-0x0000000000000000-mapping.dmp
- memory/1704-1-0x0000000000090000-0x00000000000C3000-memory.dmp (Filesize: 204KB)
- memory/1704-2-0x00000000000D0000-0x00000000000D1000-memory.dmp (Filesize: 4KB)
- memory/1704-3-0x0000000000090000-0x00000000000C3000-memory.dmp (Filesize: 204KB)
- memory/1704-4-0x0000000000000000-mapping.dmp