Analysis
-
max time kernel
68s -
max time network
9s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
04-03-2021 03:30
General
-
Target
cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8.dll
-
Size
183KB
-
MD5
d21ed162fd0252e22f31cf7a9cae5540
-
SHA1
abe719477bf2f69765f401b400759cb71117bff7
-
SHA256
cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8
-
SHA512
8751aa81aa6d53ae9e2fc0424d957a39a365ccba0680e18f0702eab26e48e317a0ca35d61f49197f59c24cc00893d91e06e34568fb5454f80b9c94dd3bc10a68
Score
10/10
Malware Config
Extracted
Family
zloader
Botnet
07/04
C2
https://xyajbocpggsr.site/wp-config.php
https://ooygvpxrb.pw/wp-config.php
rc4.plain
Signatures
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\cf8e50db2ca682dbc80110f394aa4bbd7b59a60ac6e981dcaab607d09b7f01e8.dll2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/912-2-0x000007FEFC0A1000-0x000007FEFC0A3000-memory.dmpFilesize
8KB
-
memory/1236-5-0x0000000000000000-mapping.dmp
-
memory/2012-3-0x0000000000000000-mapping.dmp
-
memory/2012-4-0x0000000076381000-0x0000000076383000-memory.dmpFilesize
8KB