Analysis
-
max time kernel
114s -
max time network
122s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-03-2021 13:28
General
-
Target
mHMUKpx.dll
-
Size
706KB
-
MD5
051fc424638f35d333e95a0601cfd336
-
SHA1
3acbcb36bad30f486b03897ef4fd321dbfe40d40
-
SHA256
3a659be16afd89a3f8ba12745b545bc0bb4ddf747078b37186af00e7e332fbb2
-
SHA512
ed6276b62b3cad463b36861c75624d59ae15964959a07e39afeff1367f22afadfe1d8f72d2f01f8db73dd98da00a4bfc18938e78c48394440ea6ad9a0a095337
Score
10/10
Malware Config
Extracted
Family
zloader
Botnet
bot5
Campaign
bot5
C2
https://militanttra.at/owg.php
rc4.plain
Signatures
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\mHMUKpx.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\mHMUKpx.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3176-5-0x0000000000000000-mapping.dmp
-
memory/3176-6-0x0000000000A70000-0x0000000000AA7000-memory.dmpFilesize
220KB
-
memory/4756-2-0x0000000000000000-mapping.dmp
-
memory/4756-3-0x0000000073BB0000-0x0000000073BE7000-memory.dmpFilesize
220KB
-
memory/4756-4-0x00000000004F0000-0x00000000004F1000-memory.dmpFilesize
4KB