Analysis
max time kernel: 150s
max time network: 66s
platform: windows10_x64
resource: win10v20210408
submitted: 04/10/2021, 22:37

Static task: static1

Behavioral task: behavioral1
Sample: tmp.dll
Resource: win7-en-20210920
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: tmp.dll
Resource: win10v20210408
0 signatures
0 seconds
General
Target: tmp.dll
Size: 444KB
MD5: c6b350b0d6f8dc37c144f76a57c9dbe7
SHA1: e637d8a29d46281a5fa97d84af1dfe1d72223157
SHA256: 6348bded936831629494c1d820fe8e3dbe3fb4d9f96940bbb4ca0c1872bef0ad
SHA512: 5220ff154b731a8a1d1e768552fee037cacb12412eff931384c105d4caa5483da64c11b4839ab44885214d4d8831b280687b54b2438f89a230fce68bf7692dff
Score: 10/10
Malware Config
Extracted
Family: zloader
Botnet: 26/03
C2: https://vfgthujbxd.xyz/milagrecf.php
C2: https://todiks.xyz/milagrecf.php
rc4.plain
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: msiexec.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anhudao = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Ufalat\\ociko.dll,DllRegisterServer" (process: msiexec.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 1000 set thread context of 3420 (pid: 1000, process: rundll32.exe, procid_target: 76)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeSecurityPrivilege (pid: 3420, process: msiexec.exe)
  Token: SeSecurityPrivilege (pid: 3420, process: msiexec.exe)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 904 wrote to memory of 1000 (pid: 904, process: rundll32.exe, procid_target: 68)
  PID 904 wrote to memory of 1000 (pid: 904, process: rundll32.exe, procid_target: 68)
  PID 904 wrote to memory of 1000 (pid: 904, process: rundll32.exe, procid_target: 68)
  PID 1000 wrote to memory of 3420 (pid: 1000, process: rundll32.exe, procid_target: 76)
  PID 1000 wrote to memory of 3420 (pid: 1000, process: rundll32.exe, procid_target: 76)
  PID 1000 wrote to memory of 3420 (pid: 1000, process: rundll32.exe, procid_target: 76)
  PID 1000 wrote to memory of 3420 (pid: 1000, process: rundll32.exe, procid_target: 76)
  PID 1000 wrote to memory of 3420 (pid: 1000, process: rundll32.exe, procid_target: 76)
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmp.dll,#1
  PID: 904
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\tmp.dll,#1
    PID: 1000
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      PID: 3420
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken