Analysis
- max time kernel: 79s
- max time network: 9s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 10-11-2020 06:51
Behavioral task: behavioral1
Sample: cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8.dll
Resource: win7v20201028
General
- Target: cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8.dll
- Size: 183KB
- MD5: d21ed162fd0252e22f31cf7a9cae5540
- SHA1: abe719477bf2f69765f401b400759cb71117bff7
- SHA256: cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8
- SHA512: 8751aa81aa6d53ae9e2fc0424d957a39a365ccba0680e18f0702eab26e48e317a0ca35d61f49197f59c24cc00893d91e06e34568fb5454f80b9c94dd3bc10a68
Malware Config
Extracted
zloader
07/04
https://xyajbocpggsr.site/wp-config.php
https://ooygvpxrb.pw/wp-config.php
Signatures
- Suspicious use of SetThreadContext ⋅ 1 IoCs
  Processes:
  description                          pid   process       target process
  PID 2016 set thread context of 608   2016  regsvr32.exe  msiexec.exe
- Suspicious use of AdjustPrivilegeToken ⋅ 2 IoCs
  Processes:
  description                  pid   process
  Token: SeSecurityPrivilege   608   msiexec.exe
  Token: SeSecurityPrivilege   608   msiexec.exe
- Suspicious use of WriteProcessMemory ⋅ 16 IoCs
  Processes:
  description                          pid   process       target process
  PID 1732 wrote to memory of 2016     1732  regsvr32.exe  regsvr32.exe   (7 identical entries)
  PID 2016 wrote to memory of 608      2016  regsvr32.exe  msiexec.exe    (9 identical entries)
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8.dll
  Signatures: Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\regsvr32.exe
  Command line: /s C:\Users\Admin\AppData\Local\Temp\cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8.dll
  Signatures: Suspicious use of SetThreadContext, Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\msiexec.exe
  Command line: msiexec.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Downloads
- memory/608-2-0x00000000000D0000-0x00000000000D1000-memory.dmp (Filesize: 4KB)
- memory/608-1-0x0000000000090000-0x00000000000C3000-memory.dmp (Filesize: 204KB)
- memory/608-3-0x0000000000090000-0x00000000000C3000-memory.dmp (Filesize: 204KB)
- memory/608-4-0x0000000000000000-mapping.dmp
- memory/2016-0-0x0000000000000000-mapping.dmp