Analysis

- Max time kernel: 56s
- Max time network: 149s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 30-03-2021 11:49

Static task: static1
Behavioral task: behavioral1
  Sample: microsoft_shared.tmp.dll
  Resource: win7v20201028
General

- Target: microsoft_shared.tmp.dll
- Size: 470KB
- MD5: 5ab3e07ce737bb6b3d4e025fc13096fa
- SHA1: 850d397ca30d1ca42f8c225b00ab003ae6a5cb3e
- SHA256: de47a37cb8c666a36b7e9315bfebf0996c0c92747a2f4029b4fafb2ba9f2b275
- SHA512: 0b4e1f846733d52f074a92e042de26a7606227aaf7c204ddd29d4e42fb789b622c6fcd95f946f2f7ec3c5bba495b5e244474916533eb3a41e8d9289f86034006
Malware Config

Extracted
- Family: zloader
- personal
- personal
- URLs:
  - https://iqowijsdakm.com/gate.php
  - https://wiewjdmkfjn.com/gate.php
  - https://dksaoidiakjd.com/gate.php
  - https://iweuiqjdakjd.com/gate.php
  - https://yuidskadjna.com/gate.php
  - https://olksmadnbdj.com/gate.php
  - https://odsakmdfnbs.com/gate.php
  - https://odsakjmdnhsaj.com/gate.php
  - https://odjdnhsaj.com/gate.php
  - https://odoishsaj.com/gate.php
Signatures

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid    process        target process
    PID 1924 wrote to memory of 1760   1924   regsvr32.exe   regsvr32.exe
    PID 1924 wrote to memory of 1760   1924   regsvr32.exe   regsvr32.exe
    PID 1924 wrote to memory of 1760   1924   regsvr32.exe   regsvr32.exe
Processes

- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\microsoft_shared.tmp.dll
  PID: 1924
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\microsoft_shared.tmp.dll
    PID: 1760
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      PID: 2724
Network
MITRE ATT&CK Matrix
Downloads

- memory/1760-2-0x0000000000000000-mapping.dmp
- memory/1760-3-0x00000000008D0000-0x00000000008D1000-memory.dmp (Filesize: 4KB)
- memory/1760-4-0x0000000000400000-0x00000000004B6000-memory.dmp (Filesize: 728KB)
- memory/2724-5-0x0000000000000000-mapping.dmp
- memory/2724-6-0x0000000000B70000-0x0000000000B96000-memory.dmp (Filesize: 152KB)