Analysis
- max time kernel: 94s
- max time network: 8s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 04-03-2021 12:41

Static task: static1
Behavioral task: behavioral1
Sample: 2.dll
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds
General
- Target: 2.dll
- Size: 797KB
- MD5: 3188d2f01ddf123f02b626c390886f66
- SHA1: f342f7b0b49526047ef80e8fa916ea4c7afefacd
- SHA256: 7d5ef8e6c5738ebc13718eee67f0b6cc354f3e28b135e4a378f69d57043299b8
- SHA512: ebcb8ccf28c76eee2ee683259af0c05088a2e0b862da35707037c2eb4c28b4c70cc7ae31e377893978a9c2f28a0fa6a3e738d9ba8700857b3f7184592be5d7b3
Malware Config
Extracted
- Family: zloader
- Botnet: 12/05
- C2:
  https://japanjisho.info/wp-parser.php
  https://home.comegico.com.mx/wp-parser.php
  https://hormonas.comegico.com.mx/wp-parser.php
  https://hopime.com/wp-parser.php
  https://gavrelets.ru/wp-parser.php
- rc4.plain
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 1092 set thread context of 1308 | 1092 | rundll32.exe | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeSecurityPrivilege | 1308 | msiexec.exe
    Token: SeSecurityPrivilege | 1308 | msiexec.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description | pid | process | target process
    PID 1724 wrote to memory of 1092 | 1724 | rundll32.exe | rundll32.exe (7 occurrences)
    PID 1092 wrote to memory of 1308 | 1092 | rundll32.exe | msiexec.exe (9 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1092-2-0x0000000000000000-mapping.dmp
- memory/1092-3-0x00000000761E1000-0x00000000761E3000-memory.dmp (Filesize: 8KB)
- memory/1092-4-0x0000000072220000-0x0000000072255000-memory.dmp (Filesize: 212KB)
- memory/1092-5-0x00000000001F0000-0x00000000001F1000-memory.dmp (Filesize: 4KB)
- memory/1308-6-0x0000000000000000-mapping.dmp
- memory/1308-8-0x00000000000D0000-0x0000000000105000-memory.dmp (Filesize: 212KB)