Analysis
-
max time kernel
133s -
max time network
125s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
05-02-2022 19:46
Static task
static1
Behavioral task
behavioral1
Sample
096dda9c010522a17fbdbfda2caa8b3a3d88aecafd0287df082f2ca30fcc0e8a.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
096dda9c010522a17fbdbfda2caa8b3a3d88aecafd0287df082f2ca30fcc0e8a.dll
Resource
win10v2004-en-20220113
General
-
Target
096dda9c010522a17fbdbfda2caa8b3a3d88aecafd0287df082f2ca30fcc0e8a.dll
-
Size
561KB
-
MD5
e4e774e20da79849080fdf2496d99b74
-
SHA1
82dd2256410720084bdddd8b53c910149861f644
-
SHA256
096dda9c010522a17fbdbfda2caa8b3a3d88aecafd0287df082f2ca30fcc0e8a
-
SHA512
3697288d7ecddca6629e53fb88af0e8f147bd67b7385de588da3ecbf0b1cbc7cecabb2e1614c36a042d6b123551e2cd15646dfdca257aabebcb8788c768459c3
Malware Config
Extracted
zloader
08/04
https://kuaxbdkvbbmivbxkrrev.com/wp-config.php
https://hwbblyyrb.pw/wp-config.php
-
build_id
134
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
rundll32.exedescription pid process target process PID 1432 set thread context of 524 1432 rundll32.exe msiexec.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
msiexec.exedescription pid process Token: SeSecurityPrivilege 524 msiexec.exe Token: SeSecurityPrivilege 524 msiexec.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1424 wrote to memory of 1432 1424 rundll32.exe rundll32.exe PID 1424 wrote to memory of 1432 1424 rundll32.exe rundll32.exe PID 1424 wrote to memory of 1432 1424 rundll32.exe rundll32.exe PID 1424 wrote to memory of 1432 1424 rundll32.exe rundll32.exe PID 1424 wrote to memory of 1432 1424 rundll32.exe rundll32.exe PID 1424 wrote to memory of 1432 1424 rundll32.exe rundll32.exe PID 1424 wrote to memory of 1432 1424 rundll32.exe rundll32.exe PID 1432 wrote to memory of 524 1432 rundll32.exe msiexec.exe PID 1432 wrote to memory of 524 1432 rundll32.exe msiexec.exe PID 1432 wrote to memory of 524 1432 rundll32.exe msiexec.exe PID 1432 wrote to memory of 524 1432 rundll32.exe msiexec.exe PID 1432 wrote to memory of 524 1432 rundll32.exe msiexec.exe PID 1432 wrote to memory of 524 1432 rundll32.exe msiexec.exe PID 1432 wrote to memory of 524 1432 rundll32.exe msiexec.exe PID 1432 wrote to memory of 524 1432 rundll32.exe msiexec.exe PID 1432 wrote to memory of 524 1432 rundll32.exe msiexec.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\096dda9c010522a17fbdbfda2caa8b3a3d88aecafd0287df082f2ca30fcc0e8a.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\096dda9c010522a17fbdbfda2caa8b3a3d88aecafd0287df082f2ca30fcc0e8a.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/524-59-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/524-58-0x0000000000110000-0x0000000000143000-memory.dmpFilesize
204KB
-
memory/524-60-0x0000000000110000-0x0000000000143000-memory.dmpFilesize
204KB
-
memory/524-62-0x0000000000110000-0x0000000000143000-memory.dmpFilesize
204KB
-
memory/1432-54-0x0000000075D11000-0x0000000075D13000-memory.dmpFilesize
8KB
-
memory/1432-56-0x0000000075440000-0x00000000754EC000-memory.dmpFilesize
688KB
-
memory/1432-55-0x0000000075440000-0x0000000075473000-memory.dmpFilesize
204KB
-
memory/1432-57-0x0000000000180000-0x0000000000181000-memory.dmpFilesize
4KB