Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: slk.dll
- Resource: win7v20201028
- 0 signatures
- 0 seconds
General
- Target: slk.dll
- Size: 664KB
- MD5: ca726cc5232ba8ea7c241db090e0b659
- SHA1: 9a68634ee3351317b44ff6a8db0adf1bcd8ee0fb
- SHA256: 207465ded4b4538b319e22188fdcfe0f42480386e77be00582192b58dcd7e0ac
- SHA512: 7157f93c91697b7f1603016843340fac170d5b56bd5fc5be7332caff9d7686f9a51a0b13d7f1394c4803fe812517f0b1f0536f6290059c8bcdebdf997b6b656b
Malware Config
Extracted
- Family: zloader
- Botnet: bot5
- Campaign: bot5
- C2: https://militanttra.at/owg.php
- rc4.plain
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 1272 set thread context of 876 | 1272 | rundll32.exe | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  description | pid | process
  Token: SeSecurityPrivilege | 876 | msiexec.exe
  Token: SeSecurityPrivilege | 876 | msiexec.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1916 wrote to memory of 1272 | 1916 | rundll32.exe | rundll32.exe (7 identical entries)
  PID 1272 wrote to memory of 876 | 1272 | rundll32.exe | msiexec.exe (9 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\slk.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\slk.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      command line: msiexec.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/876-1-0x0000000000090000-0x00000000000C7000-memory.dmp (Filesize 220KB)
- memory/876-2-0x00000000000D0000-0x00000000000D1000-memory.dmp (Filesize 4KB)
- memory/876-3-0x0000000000090000-0x00000000000C7000-memory.dmp (Filesize 220KB)
- memory/876-4-0x0000000000000000-mapping.dmp
- memory/1004-5-0x000007FEF7D20000-0x000007FEF7F9A000-memory.dmp (Filesize 2.5MB)
- memory/1272-0-0x0000000000000000-mapping.dmp