Analysis
-
max time kernel
84s -
max time network
90s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-03-2021 01:09
General
-
Target
d294955e1962a7342f6706facfbc735b8d84e94bf1de9ed0d7aa87bfc838f1f8.dll
-
Size
192KB
-
MD5
973392c2fd7228262e52becf3bfe2051
-
SHA1
d309f4073f2a3244e71013996b8ea8e6fcc7b16f
-
SHA256
d294955e1962a7342f6706facfbc735b8d84e94bf1de9ed0d7aa87bfc838f1f8
-
SHA512
58bbbbac404e2aa70c7c3dd65c3cf7356387a6632874b3e3ba896f0c18396dc3db1232d13fd2456e3ec4c138b4a2e90b45e2c6964d9b177415e2068f5d340ff7
Score
10/10
Malware Config
Extracted
Family
zloader
Botnet
10/03
C2
https://dhteijwrb.host/milagrecf.php
https://aquolepp.pw/milagrecf.php
rc4.plain
Signatures
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\d294955e1962a7342f6706facfbc735b8d84e94bf1de9ed0d7aa87bfc838f1f8.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\d294955e1962a7342f6706facfbc735b8d84e94bf1de9ed0d7aa87bfc838f1f8.dll2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1764-2-0x0000000000000000-mapping.dmp
-
memory/2260-3-0x0000000000000000-mapping.dmp
-
memory/2260-4-0x00000000005C0000-0x00000000005F0000-memory.dmpFilesize
192KB