Analysis
- max time kernel: 151s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-03-2021 05:53

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: rVuj5bF.bin.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: rVuj5bF.bin.dll
- Size: 403KB
- MD5: 4e9d3907d80cfe903df735b855d5eaeb
- SHA1: 3fcc74d0b646e8324f0a4cf4708890a8261f3e84
- SHA256: 280fedf6fd7e0964222ac9b21bcc289c222c7ea91d7bad6350741bdf8c1f0938
- SHA512: 672b8b0dd776ff156504e55c171fe035e5aac7b1b48ae785973113648717317eb611acbcc6141c5ab6c0096c4f41c24c335d957afbca1fddcf15dfde9750361f
Malware Config (Extracted)
- Family: zloader
- Botnet: minik
- Campaign: 18/06
- C2:
  - https://neomithirdseman.tk/wp-parsing.php
  - https://fernmasucsavidi.cf/wp-parsing.php
  - https://wireborg.com/wp-parsing.php
  - https://secretele-naturii.xyz/wp-parsing.php
  - https://legendcoder.com/wp-parsing.php
- Attributes (values not included in this report):
  - rc4.plain
  - rsa_pubkey.plain
Signatures

Blocklisted process makes network request (9 IoCs)
Processes:
  flow  pid   process
  8     1552  msiexec.exe
  9     1552  msiexec.exe
  10    1552  msiexec.exe
  11    1552  msiexec.exe
  12    1552  msiexec.exe
  13    1552  msiexec.exe
  15    1552  msiexec.exe
  16    1552  msiexec.exe
  17    1552  msiexec.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process       target process
  PID 1808 set thread context of 1552  1808  rundll32.exe  msiexec.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                 pid   process
  Token: SeSecurityPrivilege  1552  msiexec.exe
  Token: SeSecurityPrivilege  1552  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                       pid   process       target process
  PID 384 wrote to memory of 1808   384   rundll32.exe  rundll32.exe
  PID 384 wrote to memory of 1808   384   rundll32.exe  rundll32.exe
  PID 384 wrote to memory of 1808   384   rundll32.exe  rundll32.exe
  PID 384 wrote to memory of 1808   384   rundll32.exe  rundll32.exe
  PID 384 wrote to memory of 1808   384   rundll32.exe  rundll32.exe
  PID 384 wrote to memory of 1808   384   rundll32.exe  rundll32.exe
  PID 384 wrote to memory of 1808   384   rundll32.exe  rundll32.exe
  PID 1808 wrote to memory of 1552  1808  rundll32.exe  msiexec.exe
  PID 1808 wrote to memory of 1552  1808  rundll32.exe  msiexec.exe
  PID 1808 wrote to memory of 1552  1808  rundll32.exe  msiexec.exe
  PID 1808 wrote to memory of 1552  1808  rundll32.exe  msiexec.exe
  PID 1808 wrote to memory of 1552  1808  rundll32.exe  msiexec.exe
  PID 1808 wrote to memory of 1552  1808  rundll32.exe  msiexec.exe
  PID 1808 wrote to memory of 1552  1808  rundll32.exe  msiexec.exe
  PID 1808 wrote to memory of 1552  1808  rundll32.exe  msiexec.exe
  PID 1808 wrote to memory of 1552  1808  rundll32.exe  msiexec.exe
Processes (tree, depth in parentheses)

(1) C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\rVuj5bF.bin.dll,#1
    - Suspicious use of WriteProcessMemory

  (2) C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\rVuj5bF.bin.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    (3) C:\Windows\SysWOW64\msiexec.exe
        Command line: msiexec.exe
        - Blocklisted process makes network request
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/520-9-0x000007FEF7300000-0x000007FEF757A000-memory.dmp (Filesize: 2.5MB)
- memory/1552-6-0x0000000000000000-mapping.dmp
- memory/1552-8-0x0000000000090000-0x00000000000BB000-memory.dmp (Filesize: 172KB)
- memory/1808-2-0x0000000000000000-mapping.dmp
- memory/1808-3-0x0000000076241000-0x0000000076243000-memory.dmp (Filesize: 8KB)
- memory/1808-4-0x0000000072880000-0x00000000728AB000-memory.dmp (Filesize: 172KB)
- memory/1808-5-0x0000000000140000-0x0000000000141000-memory.dmp (Filesize: 4KB)