Analysis
- max time kernel: 109s
- max time network: 21s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 15:33
Static task: static1
Behavioral task: behavioral1
- Sample: 55e122310b7893eb83b7b2e6077413fb60816ba0e4dee01f7f249b3a2f64a2da.dll
- Resource: win7-en-20211208
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 55e122310b7893eb83b7b2e6077413fb60816ba0e4dee01f7f249b3a2f64a2da.dll
- Size: 561KB
- MD5: 17fed343bada88dfbfd827cc684f5d5f
- SHA1: 447dbb81663cb057352ddbb4770c08ed80827c0c
- SHA256: 55e122310b7893eb83b7b2e6077413fb60816ba0e4dee01f7f249b3a2f64a2da
- SHA512: d945c600b529c6308c5cba950d18ea63ff349c5f21b15151214578a6eb7bc34f1bd703c418e369ba5d2a08fd9e38d1abb67f74ea3cf15fec5b5b1553276f0e55
Malware Config
Extracted
- Family: zloader
- Botnet: 08/04
- C2:
  https://kuaxbdkvbbmivbxkrrev.com/wp-config.php
  https://hwbblyyrb.pw/wp-config.php
- Attributes:
  build_id: 134
  rc4.plain
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                            pid   process       target process
PID 2032 set thread context of 1748    2032  rundll32.exe  msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description                   pid   process
Token: SeSecurityPrivilege    1748  msiexec.exe
Token: SeSecurityPrivilege    1748  msiexec.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description                          pid   process       target process
PID 2040 wrote to memory of 2032     2040  rundll32.exe  rundll32.exe
PID 2040 wrote to memory of 2032     2040  rundll32.exe  rundll32.exe
PID 2040 wrote to memory of 2032     2040  rundll32.exe  rundll32.exe
PID 2040 wrote to memory of 2032     2040  rundll32.exe  rundll32.exe
PID 2040 wrote to memory of 2032     2040  rundll32.exe  rundll32.exe
PID 2040 wrote to memory of 2032     2040  rundll32.exe  rundll32.exe
PID 2040 wrote to memory of 2032     2040  rundll32.exe  rundll32.exe
PID 2032 wrote to memory of 1748     2032  rundll32.exe  msiexec.exe
PID 2032 wrote to memory of 1748     2032  rundll32.exe  msiexec.exe
PID 2032 wrote to memory of 1748     2032  rundll32.exe  msiexec.exe
PID 2032 wrote to memory of 1748     2032  rundll32.exe  msiexec.exe
PID 2032 wrote to memory of 1748     2032  rundll32.exe  msiexec.exe
PID 2032 wrote to memory of 1748     2032  rundll32.exe  msiexec.exe
PID 2032 wrote to memory of 1748     2032  rundll32.exe  msiexec.exe
PID 2032 wrote to memory of 1748     2032  rundll32.exe  msiexec.exe
PID 2032 wrote to memory of 1748     2032  rundll32.exe  msiexec.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\55e122310b7893eb83b7b2e6077413fb60816ba0e4dee01f7f249b3a2f64a2da.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\55e122310b7893eb83b7b2e6077413fb60816ba0e4dee01f7f249b3a2f64a2da.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1748-59-0x0000000000150000-0x0000000000151000-memory.dmp (Filesize: 4KB)
- memory/1748-58-0x0000000000110000-0x0000000000143000-memory.dmp (Filesize: 204KB)
- memory/1748-60-0x0000000000110000-0x0000000000143000-memory.dmp (Filesize: 204KB)
- memory/1748-62-0x0000000000110000-0x0000000000143000-memory.dmp (Filesize: 204KB)
- memory/2032-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp (Filesize: 8KB)
- memory/2032-56-0x00000000745E0000-0x000000007468C000-memory.dmp (Filesize: 688KB)
- memory/2032-55-0x00000000745E0000-0x0000000074613000-memory.dmp (Filesize: 204KB)
- memory/2032-57-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize: 4KB)