Analysis
max time kernel: 150s
max time network: 171s
platform: windows7_x64
resource: win7-en-20211208
submitted: 01-02-2022 10:59
Static task: static1
Behavioral task: behavioral1
  Sample: 080d85b4fb230f61157fdde662290742adbd105888a575cdc692c3938376e48a.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 080d85b4fb230f61157fdde662290742adbd105888a575cdc692c3938376e48a.dll
  Resource: win10v2004-en-20220113
General
Target: 080d85b4fb230f61157fdde662290742adbd105888a575cdc692c3938376e48a.dll
Size: 225KB
MD5: c0a3c069a94b35620fc210e4b68b4f01
SHA1: e8b3ec66c28dedaa18b968bcd267a2c912a92e87
SHA256: 080d85b4fb230f61157fdde662290742adbd105888a575cdc692c3938376e48a
SHA512: 5bd77b40aaf46cb96c94562585b5bb0fb86e9a80d842c8e36e3c032c0d7c55cecf3aca9168df49bcc43039ccebc12a81af6dd1748962a0ae42d10c28bd6448f6
Malware Config
Extracted: zloader
main
2020-06-15
build_id: 7
Signatures
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 752 rundll32.exe set thread context of PID 1752 msiexec.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  PID 1752 msiexec.exe: Token: SeSecurityPrivilege
  PID 1752 msiexec.exe: Token: SeSecurityPrivilege
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  PID 944 rundll32.exe wrote to memory of PID 752 rundll32.exe (7 identical entries)
  PID 752 rundll32.exe wrote to memory of PID 1752 msiexec.exe (9 identical entries)
Processes
1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\080d85b4fb230f61157fdde662290742adbd105888a575cdc692c3938376e48a.dll,#1
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\rundll32.exe
     rundll32.exe C:\Users\Admin\AppData\Local\Temp\080d85b4fb230f61157fdde662290742adbd105888a575cdc692c3938376e48a.dll,#1
     - Suspicious use of SetThreadContext
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\msiexec.exe
       msiexec.exe
       - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/752-54-0x0000000075431000-0x0000000075433000-memory.dmp  Filesize: 8KB
memory/752-55-0x0000000000110000-0x000000000013A000-memory.dmp  Filesize: 168KB
memory/752-56-0x0000000000300000-0x000000000032C000-memory.dmp  Filesize: 176KB
memory/1752-57-0x0000000000090000-0x00000000000BC000-memory.dmp  Filesize: 176KB
memory/1752-58-0x00000000000C0000-0x00000000000C1000-memory.dmp  Filesize: 4KB
memory/1752-59-0x0000000000090000-0x00000000000BC000-memory.dmp  Filesize: 176KB
memory/1752-61-0x0000000000090000-0x00000000000BC000-memory.dmp  Filesize: 176KB