Analysis
- max time kernel: 137s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 18:39

- Static task: static1
- Behavioral task: behavioral1
- Sample: 19f90b17a6bcf1c80551ae576d0949d51df8b8e26437a3a8aa6d5d4d344440c4.dll
- Resource: win7-en-20211208
- Platform: windows7_x64
- Signatures: 0
- Time: 0 seconds
General
- Target: 19f90b17a6bcf1c80551ae576d0949d51df8b8e26437a3a8aa6d5d4d344440c4.dll
- Size: 634KB
- MD5: c7492b61b4138459b9d45b085f3c79c0
- SHA1: 39b0ab8064f4e0d2e06775a8ef5dbc6a279db88f
- SHA256: 19f90b17a6bcf1c80551ae576d0949d51df8b8e26437a3a8aa6d5d4d344440c4
- SHA512: 7b22e4b582ed6ff974862caed5b90cb49437e793fd10b7fcff798edb645e5b5b0dee8690e7ba5c6e7526e9e51259037ec8489d26e1b03c7639780ad27da676ed
Malware Config
Extracted
- Family: zloader
- Botnet: miguel
- Campaign: 08/04
- C2:
  - https://kuaxbdkvbbmivbxkrrev.com/wp-config.php
  - https://hwbblyyrb.pw/wp-config.php
- Attributes:
  - build_id: 135
  - rc4.plain
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / PID / process / target process):
  - PID 1432 set thread context of 1500 / 1432 / rundll32.exe / msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / PID / process):
  - Token: SeSecurityPrivilege / 1500 / msiexec.exe
  - Token: SeSecurityPrivilege / 1500 / msiexec.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description / PID / process / target process):
  - PID 1424 wrote to memory of 1432 / 1424 / rundll32.exe / rundll32.exe (7 identical entries)
  - PID 1432 wrote to memory of 1500 / 1432 / rundll32.exe / msiexec.exe (9 identical entries)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\19f90b17a6bcf1c80551ae576d0949d51df8b8e26437a3a8aa6d5d4d344440c4.dll,#1
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\rundll32.exe (spawned by 1)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\19f90b17a6bcf1c80551ae576d0949d51df8b8e26437a3a8aa6d5d4d344440c4.dll,#1
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\msiexec.exe (spawned by 2)
   Command line: msiexec.exe
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1432-53-0x0000000075D11000-0x0000000075D13000-memory.dmp (Filesize 8KB)
- memory/1432-55-0x0000000075280000-0x000000007533C000-memory.dmp (Filesize 752KB)
- memory/1432-56-0x0000000000130000-0x0000000000131000-memory.dmp (Filesize 4KB)
- memory/1432-54-0x0000000075280000-0x00000000752B3000-memory.dmp (Filesize 204KB)
- memory/1500-58-0x00000000000F0000-0x00000000000F1000-memory.dmp (Filesize 4KB)
- memory/1500-57-0x00000000000B0000-0x00000000000E3000-memory.dmp (Filesize 204KB)
- memory/1500-59-0x00000000000B0000-0x00000000000E3000-memory.dmp (Filesize 204KB)
- memory/1500-61-0x00000000000B0000-0x00000000000E3000-memory.dmp (Filesize 204KB)